Companies that worry about cyber security tend to have security leaders. What about companies that don’t know or aren’t sure?

Turns out in one case, the process of exploring their insurance coverage prompted a lot of learning – and the creation of an entire cyber security team, CISO, and a new set of processes.

Part of the Leading Security Change on Cyber Insurance series, this perspective is from a real risk manager. Based on the nature of their business, they asked to cloak their identity and industry. Their experience, however, is remarkable. Their job is to manage risk across the organization – everything from safety through catastrophic events. This means spending a lot of time working with commercial insurance to match the unique needs of the organization with solutions available to help them manage risks that might be hard to otherwise control.

As you’ll read in this interview, an exclusion in a policy after a business change caused this risk manager to dig deeper. In the process, they created a new market outside the company while driving successful change inside the company.

It’s an interesting twist – using cyber insurance to drive the creation and promote the importance of security leadership.

Here’s how it happened.

How did a notice of exclusion in your insurance policies thrust you into the world of cyber insurance?

The concept of “cyber” isn’t new. It would periodically come up over the years, but in most of those discussions, we quickly assessed little “cyber” risk to our operations. Almost overnight, the nature of our business changed. And with it, our exposure changed, too.

We took note of global events where “cyber” was less of a buzz word and more something we needed to address. That kicked off a deliberate evaluation of our insurance portfolio. Initially, cyber terrorism was excluded from our “All Risk” property policy.
That meant it was risk management’s responsibility to understand the exclusion to evaluate its potential effect in order to make a decision on the path forward.

In conjunction with our insurance broker, who explored how they were handling this with other (similar) clients, we started to establish our own cyber risk strategy.

And that’s where the journey began.

We quickly realized that we needed to explore cyber risk coverage as this had become a real exposure that could affect our organization … but our risks are different than what most people think about with cyber (liability) insurance.

Lots of companies are interested in cyber liability. But in your business, you needed something different. How did you approach the situation?

When the discussion of cyber risk came up in the insurance world, it generally meant “cyber liability” coverage that offers financial protection for someone’s responsibility to a third party in the event of a cyber breach of some sort. Most of us have experienced some type of exposure to “cyber risk” in our personal and professional lives. It’s in the headlines.

But that is not the biggest concern for our business.

We’re not as worried about our liability to a third party in the event of a network breach, simply because we don’t store that kind of information about our customers or vendors. At that time, we were about to embark on a high-profile construction project. We needed to insure our facilities against the potential property damage and the resulting interruption caused by a third party who somehow gained access to our business network or control systems.

This is in fact our primary cyber exposure.

Our needs were not typical; they still aren’t. And we couldn’t just delete the exclusion in our existing policy. At the time, our insurance broker was developing a more comprehensive “cyber product,” but no one had actually used it yet.
That required learning more about it and working with our broker to customize a solution to fit our organization.

To convince the insurance carriers to offer what you needed, you had to quantify the risk. How did that work?

Our total insurance coverage is sourced across multiple carriers. As we worked with our broker to negotiate with our existing carriers, I realized that I couldn’t answer all their questions. That led me to engage our IT and operations teams to help complete the questionnaire, and more fully understand our exposure so that we could better communicate with the markets.

That process revealed an interesting dynamic: many of the questions didn’t apply to our situation. And we didn’t feel comfortable just answering the questions on a piece of paper. We wanted a higher level of confidence, and so did the insurers.

We needed some help to get that level of confidence. We were guided towards industry cyber experts and we coordinated a “boots on the ground” site visit.

I learned more about cyber risk and security in that one day than all my previous years in the industry combined!

It’s eye-opening to work with an experienced third party to really walk through – and quantify – the risks and damages that apply to your organization. It’s daunting to realize that you work in a place that could potentially be a big target for cyber terrorism.

The workshop also revealed that our IT department was aware of the exposure, but needed support to make a formal request with our executive management to address some of the risks. I wasn’t aware of this, because we had never discussed it. Until then, IT hadn’t really been included in the insurance aspect of our risk management program.

So the quantification effort and resulting findings led to establishing a cyber security program?

Risk management is made up of different parts, and most people think of the financial implications.
In our organization, safety is our top priority. From a risk management perspective, we generally consider that “loss prevention.” By taking the loss prevention approach for the considerations of a cyber threat, we needed three different departments to work together to combine our knowledge to start managing the risk.

One of the recommendations from the onsite workshop was to establish a dedicated position to focus on the security of our information and technology, a Chief Information Security Officer.

The report also suggested other improvements that we addressed, too. As a result, we built a cyber security practice and we established a cyber security committee. We started communicating better across the entire company, improving our overall protection.

This is good for our organization, and it helps with our insurance, too. We realize that no matter what you do to prevent or control a loss, you still need a backup plan to assist with your financial needs. Going through this process would enable us to get better coverage and more favorable terms.

What happened because of all these efforts?

We addressed the financial impact of our risk by securing a significant limit of insurance for our property damage and business interruption concerns. In fact, most of our carriers offered the product for the first time because of our demand. We effectively worked together to create a new market!

It is interesting that an exclusion in our policy actually led us to work with a series of existing and new partners to better understand our own risk. I know there are others that feel that the market should include the coverage in the standard policies. This time, I might argue against that point. Regardless, we now feel more confident that we are addressing the risk of cyber terrorism on all sides, and so we are more protected.