Mitigating Cyber Risk: Strategies to Reduce Exposure
By Tyler Gerking of Farella Braun + Martel and Mark Massey of Deloitte Financial Advisory Service
It’s official—cybersecurity is now a top-ranked risk at the board level, according to the “Lloyds Risk Index 2013.” This should make digital risk a focus of senior corporate management.
Those managing corporate risk should leverage the emerging cyber insurance market, which is rapidly growing and evolving. But they should do so methodically, after gaining an understanding of the company’s security controls and individual risk profile. In the rush to buy cyber insurance, companies may too often fail to appreciate the strengths and weaknesses in their security controls, their risks and exposures, and the coverage they need.
While a variety of potential approaches exist for assessing cybersecurity requirements, this article discusses one method to help you understand your company’s risks and exposures, and how that knowledge can be used to choose the security and risk transfer strategy that most appropriately fits your needs.
Identify High-Value Data and Systems Subject to Disruption
Start with an evaluation of the company’s high-value data and IT system risks. First, talk with the business unit leaders—in plain English—about “The Rules and The Jewels” that exist in their respective business lines:
- The Rules: What regulated data does the company store, which if stolen or lost could require consumer notification (i.e., health information, personally identifiable information and payment card information)?
- The Jewels: What data might a hacker try to steal (e.g., customer lists, strategy documents, contact databases or secret formulas)?
Second, identify threats to the IT system that are not necessarily motivated by financial gain, but seek to disrupt the operations of the company or its customers. To do so, talk with the company’s IT department, along with security, privacy and other network professionals.
Prepare Probable Loss Estimates for Potential Events
Next, quantify the probable losses that the company could suffer because of a high-value data loss or system disruption. Through discussions with the relevant company personnel (IT, security and privacy, business unit leaders, risk management, legal and finance), record the following for each potential event:
- The data or systems it likely will affect.
- The costs associated with actions the company will be required to take in response.
- The value of any assets that could be lost or damaged.
- The value of any business relationships that could be harmed or destroyed.
- Any indemnification obligations the company has to third parties.
- Any indemnification rights the company has against third parties.
- The potential cost of resulting litigation.
Then calculate the probable loss that each potential event may cause the company.
Link Identified Risks to the Company’s Security Controls
Once you know the company’s risks and exposures, analyze its existing security controls and make informed decisions about allocation of scarce investment dollars. If high-value data presents a particularly high exposure—as credit card and personally identifiable information does to a national retail chain—the company can invest in additional security controls to protect that high-value data. If a network disruption would cause large business interruption losses to the company or its customers, the company can focus its investments in that direction.
This process also can allow you to identify the strengths and weaknesses of the company’s security controls, which you can use to adjust the probable loss estimates.
Armed with the knowledge about the company’s systems and risks, you will be able to develop the company’s risk-transfer strategy. Consider the company’s two basic risk-transfer options—indemnity agreements and insurance.
Consider whether the company can require its vendors to indemnify it against cyber exposures. If it is possible, closely scrutinize the protection any such agreement actually will give the company. While the indemnitor might be able to protect the company against a small-scale event, the indemnitor might not be able to do so if many of its customers are affected by a large event. Consider whether the indemnitor has:
- The balance sheet to back up the indemnification obligation.
- Sufficient insurance to secure its indemnification obligation.
- The processes in place to respond as required.
Cyber insurance policies offer a variety of coverages, some of which can provide the company more useful protection than others. Now that you understand the company’s risks and exposures in light of the analysis above, identify those coverages that are vital to the company and evaluate the proposed policy language to help ensure that the coverage is as broad as necessary.
The cyber insurance market is growing—currently there is no one standard policy form, and there is virtually no case law interpreting the various insurers’ forms. Ambiguities abound, but insurers often are willing to negotiate over and modify the policy’s terms.
Several examples of language issues:
- Policies often cover losses arising out of a disruption of the company’s “computer system” or “network.” Policies might not define these terms or, if they do, the definition might narrowly include only hardware in the possession, custody or control of the insured. This potentially leaves no coverage for losses caused by the disruption of a third party’s system that supports the company’s network. The company should seek to negotiate a broad definition of “computer system” or “network.”
- Policies do not always cover events relating to unencrypted mobile devices, such as a phone or tablet. Employees’ phones and tablets are often soft targets for hackers and easily lost. A company that allows employees to use personal phones or tablets for work should seek to ensure that coverage for such events is available.
- Insurers may seek to exclude coverage for losses relating to the insured’s failure to maintain the security of its system in accordance with industry standards, internal policies or regulations. These exclusions can leave much room for dispute about the standards with which the insured must comply and, if applicable, potentially defeat the purpose of the cyber insurance policy, which is to cover cyber losses regardless of fault. The company should seek to persuade the insurer to eliminate any such exclusion.
Finally, consider the coverage limits that the company needs. Insureds commonly select limits based on a rudimentary “benchmarking” basis, comparing the limits that their peers have purchased in the past. This may not necessarily yield the limits that fit the company’s unique risk profile. Instead, consider using the information gleaned from the analysis above to evaluate the size of potential losses and claims that could be associated with any one event and select limits that sufficiently protect the company.
Incident Response Plan
The analysis described above can lead directly into the preparation of an incident response plan. This plan should define—before an event—who will be responsible for the response, as well as processes for insurance reporting, consumer notification, containment and recovery, root cause analysis, communications and litigation defense.
When Losses Occur
Your pre-loss work can prepare the company to respond to future loss events. When a loss occurs, the company already will have developed an incident response plan, as well as a clear understanding of its IT system and security controls, its personnel’s capabilities and responsibilities, its vendors and customers, its exposures and its insurance coverage. It should be prepared to effectively and efficiently respond to a cyber event.
Tyler Gerking is an insurance coverage partner in Farella Braun + Martel’s San Francisco office. Mark Massey is a principal in Deloitte Financial Advisory Service’s San Jose office. They can be reached at [email protected] and [email protected].
Reprinted with permission from the March 13, 2014 issue of Corporate Counsel. © 2014 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.