Helping identify and make sense of potential threats—and finding ways to prevent them—is an increasingly vital consideration for today’s directors
Written by Bob Parisi
The past several years have seen a cascading set of circumstances that have placed cyber risks squarely in the crosshairs of a company’s board of directors. The cyber risks facing today’s industries include the perils of collecting and handling data and the vulnerability of dependence upon technology in nearly every aspect of their operations.
While cyber risks are not new to corporate America, the dynamic nature of technology, and by extension cyber security, presents unique challenges to modern boards, who are increasingly expected to exert the same oversight of their firms’ cyber resilience as they do of financial matters. For the board, cyber is no longer a risk that can be swept aside as a “techie” issue. Boards need to become conversant in cyber risk and develop the ability to discuss its impact with their shareholders, regulators, and others.
Cyber risk is now clearly an operational risk. Boards are watching as the US Securities and Exchange Commission (SEC) issues guidance elevating cyber risk to one of inherent materiality and opens investigations into multiple companies, examining whether they properly handled and disclosed the growing number of cyber attacks. Cyber events are coming as a rude awakening for boards and C-level executives as they see firsthand how technology failures, data breaches, and attacks can negatively impact reputation, sales, and customer loyalty—not to mention share price.
Privacy and security concerns have come to share the spotlight with other operational risks. Companies now are looking hard at how resilient they are, not just in terms of fending off and surviving a hack or privacy breach, but also how vulnerable they are to unplanned disruptions of their technology. Business continuity is now being viewed through a technology lens, and we have seen several surveys show that the most potentially disruptive force to a company’s operations isn’t adverse weather but a failure of its technology infrastructure.
With insurers now mandating “cyber” exclusions on traditional lines of insurance, companies face very real gaps in coverage, where either coverage didn’t exist previously or was mired in the ambiguity of silence. The insurance marketplace has also begun excluding coverage via newly minted “clarification” endorsements, which remove any hint of coverage for cyber perils and aggressive pushback from carriers when policyholders seek to squeeze cyber losses into traditional lines of coverage. At the same time, the marketplace offers specialty products to bridge these gaps. As cyber risk continues to evolve and permeate the board’s awareness, the issue of coverage availability has gained urgency as more organizations come to grips with their current insurance programs and the evolving nature of their risk.
Beyond Cyber Breaches
It’s not just a data breach that boards should be concerned about. Technology outages and software failures can cause supply chain and operational disruptions, resulting in a significant loss of income, increased operating expenses, and damage to an organization’s reputation. Unplanned information technology (IT) or telecom outages are already the most debilitating source of supply chain disruption, affecting 52.9 percent of companies, according to the Business Continuity Institute’s 2014 Supply Chain Resilience Report.
There is no question that the number of cyber attacks and breaches has increased in both frequency and severity. Widely publicized retail sector data breaches provide a stark reminder of how these events can quickly inflict costs, spawn class-action lawsuits, and trigger directors and officer’s coverage. Such massive breaches can be so large that they trigger customer and shareholder lawsuits that name directors and officers for alleged negligence, breach of duty, or other causes.
To be sure, some cyber events will be beyond a company’s control. Boards need to remain vigilant in ensuring that their companies are properly addressing and mitigating their network security and privacy risks. This includes ensuring that network security and privacy breaches and failures are included in the company’s risk management programs, including business continuity plans, and that all material cyber risks and incidents are disclosed to key stakeholders.
The Evolution of Cyber Insurance
Given the increased SEC scrutiny related to cyber risks over the past two years, boards need to be prepared to answer questions about whether the firm’s insurance coverage provides adequate protection in the event an incident occurs. And any explanation should be grounded in an understanding that the rapid evolution of privacy and security risks means that many traditional forms of insurance may not be able to adequately respond to these exposures. Gaps have arisen through the changing ways that companies do business, through “clarification” endorsements.
Cyber insurance policies can fill many of these gaps in traditional insurance and provide direct loss and liability protection for risks created by the use of technology and data in an organization’s day-to-day operations. And we have seen an accelerating uptake of cyber insurance by companies. Over the past three years, the purchase of cyber insurance by companies in all industries and revenue bands has increased dramatically.
Increased Role of Analytics
Boards can have increased confidence that the process of understanding cyber risk is grounded in analytics instead of in the kind of alchemy that presided when cyber insurance first debuted nearly two decades ago. Whether reporting to boards, shareholders, regulators, or others, organizations can now demonstrate that they have taken a reasoned approached to evaluating and understanding the risks. Just presenting stakeholders with a quote for insurance coverage doesn’t cut it anymore. The board wants to understand the nature and scope of the risk in addition to the financial aspects.
Helping the board understand where the company is relative to a common information security standard, mapping out the key risks, modeling the financial impact of loss scenarios and, finally, placing those scenarios and risks in the context of the company’s risk transfer portfolio enables the board to make an informed decision on how to move forward in addressing these risks.
Staying in Touch
So how can an overworked board best keep an eye on important cyber risks? It’s a tough but essential question. Information comes at us so quickly these days and in so many formats that it’s easy to get overwhelmed. Boards—and anyone with a responsibility related to cyber risk—can look to several key sources for information:
- Law firms and news sources that cater to them;
- The host of consultants that now focus on translating the often hyper-technical cyber language into plain English; and
- Your own organization: open a dialog with your CISO or CIO.
This information is not intended to be taken as advice regarding any individual situation or as legal, tax, or accounting advice and should not be relied upon as such. You should contact your legal and other advisors regarding specific risk issues. The information contained in this publication is based on sources we believe reliable but we make no representation or warranty as to its accuracy. All insurance coverage is subject to the terms, conditions, and exclusions of the applicable individual policies. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. Marsh makes no representations or warranties, expressed or implied, concerning the application of policy wordings or of the financial condition or solvency of insurers or reinsurers.
