The need for a security leader revealed through cyber insurance

Feature
May 23, 2017 | 7 mins
IT Leadership

A risk manager explains how learning about cyber insurance drove the creation of the CISO position and key changes across the business


Companies that worry about cyber security tend to have security leaders. What about companies that don’t know or aren’t sure?

It turns out that in one case, the process of exploring their insurance coverage prompted a lot of learning, and led to the creation of an entire cyber security team, a CISO, and a new set of processes.

Part of the Leading Security Change on Cyber Insurance series, this perspective is from a real risk manager. Based on the nature of their business, they asked to cloak their identity and industry. Their experience, however, is remarkable. Their job is to manage risk across the organization – everything from safety through catastrophic events. This means spending a lot of time working with commercial insurance to match the unique needs of the organization with solutions available to help them manage risks that might be hard to otherwise control.

As you’ll read in this interview, an exclusion in a policy after a business change caused this risk manager to dig deeper. In the process, they created a new market outside the company while driving successful change inside it.

It’s an interesting twist – using cyber insurance to drive the creation and promote the importance of security leadership.

Here’s how it happened.

How did a notice of exclusion in your insurance policies thrust you into the world of cyber insurance?

The concept of “cyber” isn’t new. It would periodically come up over the years, but in most of those discussions, we quickly assessed little “cyber” risk to our operations. Almost overnight, the nature of our business changed. And with it, our exposure changed, too.

We took note of global events where “cyber” was less of a buzz word and more something we needed to address. That kicked off a deliberate evaluation of our insurance portfolio. Initially, cyber terrorism was excluded from our “All Risk” property policy. That meant it was risk management’s responsibility to understand the exclusion to evaluate its potential effect in order to make a decision on the path forward.

In conjunction with our insurance broker, who explored how they were handling this with other (similar) clients, we started to establish our own cyber risk strategy.

And that’s where the journey began.

We quickly realized that we needed to explore cyber risk coverage as this had become a real exposure that could affect our organization … but our risks are different from what most people think about with cyber (liability) insurance.

Lots of companies are interested in cyber liability. But in your business, you needed something different. How did you approach the situation?

When the discussion of cyber risk came up in the insurance world, it generally meant “cyber liability” coverage that offers financial protection for someone’s responsibility to a third party in the event of a cyber breach of some sort. Most of us have experienced some type of exposure to “cyber risk” in our personal and professional lives. It’s in the headlines.

But that is not the biggest concern for our business.

We’re not as worried about our liability to a third party in the event of a network breach, simply because we don’t store that kind of information about our customers or vendors. At that time, we were about to embark on a high-profile construction project. We needed to insure our facilities against the potential property damage and the resulting interruption caused by a third party who somehow gained access to our business network or control systems.

This is in fact our primary cyber exposure.

Our needs were not typical; they still aren’t. And we couldn’t just delete the exclusion in our existing policy. At the time, our insurance broker was developing a more comprehensive “cyber product,” but no one had actually used it yet. That required learning more about it and working with our broker to customize a solution to fit our organization.

To convince the insurance carriers to offer what you needed, you had to quantify the risk. How did that work?

Our total insurance coverage is sourced across multiple carriers. As we worked with our broker to negotiate with our existing carriers, I realized that I couldn’t answer all their questions. That led me to engage our IT and operations teams to help complete the questionnaire and more fully understand our exposure, so that we could better communicate with the markets.

That process revealed an interesting dynamic: many of the questions didn’t apply to our situation. And we didn’t feel comfortable just answering the questions on a piece of paper. We wanted a higher level of confidence, and so did the insurers.

We needed some help to get that level of confidence. We were guided towards industry cyber experts and we coordinated a “boots on the ground” site visit.

I learned more about cyber risk and security in that one day than all my previous years in the industry combined!

It’s eye-opening to work with an experienced third party to really walk through – and quantify – the risks and damages that apply to your organization. It’s daunting to realize that you work in a place that could potentially be a big target for cyber terrorism.

The workshop also revealed that our IT department was aware of the exposure, but needed support to make a formal request with our executive management to address some of the risks. I wasn’t aware of this, because we had never discussed it. Until then, IT hadn’t really been included in the insurance aspect of our risk management program.

So the quantification effort and resulting findings led to establishing a cyber security program?

Risk management is made up of different parts, and most people think of the financial implications. In our organization, safety is our top priority. From a risk management perspective, we generally consider that “loss prevention.” By taking the loss prevention approach for the considerations of a cyber threat, we needed three different departments to work together to combine our knowledge to start managing the risk.

One of the recommendations from the onsite workshop was to establish a dedicated position to focus on the security of our information and technology, a Chief Information Security Officer.

The report also suggested other improvements that we addressed, too. As a result, we built a cyber security practice and established a cyber security committee. We started communicating better across the entire company, improving our overall protection.

This is good for our organization, and it helps with our insurance, too. We realize that no matter what you do to prevent or control a loss, you still need a backup plan to assist with your financial needs. Going through this process would enable us to get better coverage and more favorable terms.

What happened because of all these efforts?

We addressed the financial impact of our risk by securing a significant limit of insurance for our property damage and business interruption concerns. In fact, most of our carriers offered the product for the first time because of our demand. We effectively worked together to create a new market!

It is interesting that an exclusion in our policy actually led us to work with a series of existing and new partners to better understand our own risk. I know there are others that feel that the market should include the coverage in the standard policies. This time, I might argue against that point. Regardless, we now feel more confident that we are addressing the risk of cyber terrorism on all sides, and so we are more protected.