Technology risks are not new to the corporate world, yet the dynamic nature of cybersecurity presents unique challenges to CEOs, who are expected, increasingly, to exert the same supervision of their firms’ cyberattack readiness as they do of financial matters. Clearly, ‘cyber’ is no longer a risk that can be left largely to subordinates. CEOs need to become conversant in cyber-risk and develop the ability to discuss its impact with their boards, shareholders, regulators and others, says Bob Parisi, cyber product leader at Marsh.
Rapid advancements in technology create a host of opportunities for companies to become more efficient and grow. But they also create new avenues for operational disruptions, cybercriminals and other dangers. As recent high-profile incidents have demonstrated, breaches and attacks can quickly accumulate significant costs, inflict reputational damage and produce long-term ramifications for companies, including lawsuits against their directors and officers.
One of the difficulties for a CEO or any executive is to know what is topical at a given moment in 'cyber': There simply is not a single area to focus on. With that caveat in mind, here are three issues we have seen come to the fore in recent months.
First, cyber-risk is now a focal point of your company's board of directors. The spate of high-profile breaches in late 2013 was the straw that broke the camel's back, and the steady drumbeat of bad news has continued throughout 2014. Boards are watching as the US Securities and Exchange Commission (SEC) opens investigations into multiple companies, examining whether they properly handled and disclosed the growing number of cyberattacks. Senior executives and board members are hearing a great deal of discussion about why their responsibilities extend beyond sales and the bottom line. Thus, cyber-events are coming as a rude awakening for CEOs, boards and 'C-level' executives as they see first-hand how data breaches and attacks can negatively impact sales and customer loyalty - not to mention their own job retention.
Second, we have seen privacy and security concerns start to share the spotlight with the operational risk side of 'cyber'. Companies are now looking hard at how resilient they are, and not just in terms of fending off and surviving a hack or a privacy breach, but as to how vulnerable they are to unplanned disruptions of their technology. Business continuity is now being viewed through a technology lens, and we have seen several surveys show that the most potentially disruptive force to a company's operations isn't adverse weather but a failure of its technology infrastructure.
The third issue is related to that operational risk concern. With insurers now mandating 'cyber' exclusions on traditional lines of insurance, companies face very real gaps in coverage, where either coverage didn't exist previously or was mired in the ambiguity of silence. CEOs need to be aware that their risk professionals are looking for solutions to fill the gaps between what is covered under traditional property and casualty insurance policies and under a cyberpolicy. We have seen the insurance marketplace start to respond to this concern by excluding coverage via 'clarification' endorsements, while at the same time offering speciality products to bridge these gaps. It is, however, still early in this evolution, and the issue of coverage certainty is likely to gain urgency as more organisations come to grips with their current insurance programmes and the evolving nature of their risk.
It's not just a data breach that CEOs should be concerned about. Technology outages and software failures can cause supply chain and operational disruptions, resulting in significant loss of income, increased operating expenses, and damage to an organisation's reputation. Unplanned information technology (IT) or telecoms outages are already the most debilitating source of supply chain disruption, affecting 55% of companies, according to the Business Continuity Institute's (BCI) 'Supply Chain Resilience 2013' report.
IT disruptions can be costly; the average business loses 545 person-hours each year in employee productivity due to IT downtime, according to a 2011 survey published by CA Technologies. Additionally, a March 2012 report published by Aberdeen Group found that data-centre downtime cost businesses $138,000 an hour, up from $98,000 an hour in 2010. Businesses can also suffer loss of revenue and reputational damage from extended or repeated outages.
There is no question that the number of cyberattacks and breaches has increased in frequency and severity. Widely publicised retail-sector data breaches provide a stark reminder of how these events can quickly inflict costs, spawn class-action lawsuits, and trigger directors and officers (D&O) coverage. Such massive breaches can be so large that they trigger customer and shareholder lawsuits that name directors and officers for alleged negligence, breach of duty, or other causes. In one example, a company saw its share price plummet more than 80% following a data breach that had been ongoing for more than a year, and resulted in the theft of data from an estimated 130 million records. In the aftermath of that data theft, the company and its board were criticised for making material misrepresentations and omissions regarding its security and information systems.
Of course, some cyber-events will be beyond a company's control. Nonetheless, CEOs need to remain vigilant in ensuring that their companies are properly addressing and mitigating their network security and privacy risks. This includes ensuring that network security and privacy breaches and failures are included in the company's risk-management programmes, including business continuity plans, and that all material cyber-risks and incidents are disclosed to key stakeholders.
Before an IT outage occurs, businesses can take several steps to prepare for disruptions and mitigate their potential business impact, such as:
- determining the criticality of various IT systems to ongoing operations, and whether alternatives are available or enhanced protection is possible
- developing and testing business continuity and crisis management plans
- evaluating claims preparation and management plans.
No business can inoculate itself against all risk of technology failure. But with effective planning inside a comprehensive risk-management programme, businesses can better prepare for IT outages, and minimise their impact on business operations, revenues and reputations.
The evolution of cyberinsurance
Given the increased SEC scrutiny related to cyber-risks over the past two years, CEOs need to be prepared to answer questions about whether the firm's insurance coverage provides adequate protection in the event of an incident occurring. And any explanation should be grounded in an understanding that the rapid evolution of privacy and security risks means that many traditional forms of insurance may not be able to adequately respond to these exposures. For example:
- General liability policies often do not provide coverage for damage to electronic data, criminal or intentional acts of insureds or their employees, or pre-claim expenses. This position has been reinforced by the recent clarification endorsements released by the Insurance Services Office, which add express exclusionary language for cyber-related risks, and by coverage litigation in which the courts found that, absent unique facts and otherwise ambiguous language, no coverage for cyber-risks was to be found in a general liability policy.
- Property policies typically limit coverage to damage to, and/or loss of use of, tangible physical property resulting from a physical peril, and to damage to tangible property only at specific locations. Several insurers expressly exclude coverage for any damage to data.
- Fidelity/crime policies generally limit coverage to direct loss from employee theft of money, securities or other tangible property. Even broadened coverage under a computer crime extension often limits coverage to the cost of recollecting or restoring the damaged or corrupted data. Often these policies will expressly exclude coverage for actual theft of data or information.
- Errors and omissions policies often limit coverage to claims arising from negligence in performing specifically defined services and exclude coverage for criminal or intentional acts of insureds or their employees and pre-claim expenses associated with a privacy breach.
Cyberinsurance policies can fill many of these gaps in traditional insurance and provide direct loss and liability protection for risks created by the use of technology and data in an organisation's day-to-day operations. Current cyberinsurance policies can provide reimbursement for lost revenue, including forensic costs and extra expense, as a result of a failure of technology, computer system outage, or a cyberattack. In many cases, this coverage can be expanded to include contingent business interruption due to a failure of a vendor, such as a cloud computing service provider. Policies can also be customised to fund public relations and crisis management services in connection with an IT failure.
Policies can be customised to include any or all of the following coverages:
- privacy and computer security liability
- event response and crisis management
- regulatory defence inclusive of fines and penalties
- information asset loss
- business interruption, including extra expense
- criminal reward fund
- crisis management.
Any business that assumes its technology is impervious to failure - especially as it increasingly relies on that technology - is ignoring a critical risk. Cyberinsurance can help but, alone, it is not an alternative to solid risk management.
Increased role of analytics
As time passes and more cyber-events have occurred, the industry has amassed a large amount of data that can be used for predictive and loss modelling. And it's not just about privacy, although much of the data centres around information loss and the ensuing regulatory and legal consequences. We now have data to look at the probability and severity of technology risk as it relates, for example, to supply chain disruption and other areas. This allows us to move beyond peer purchasing benchmarking to provide loss modelling and risk mapping that gives a company a clearer sense of the scope and breadth of the risk rather than just a sense of what a policy will cost.
The result is that CEOs can have increased confidence that the process of understanding cyber-risk is grounded in analytics instead of in the kind of alchemy that prevailed when cyberinsurance first debuted nearly two decades ago. Whether it is reporting to boards, shareholders, regulators, or others, organisations can now demonstrate that they have taken a reasoned approach to evaluating and understanding the risks - just presenting stakeholders with a quote for insurance coverage doesn't cut it anymore.
The board wants to understand the nature and scope of the risk in addition to the financial aspects. Helping the board understand where the company is, relative to a common information security standard; mapping out the key risks; modelling the financial impact of loss scenarios; and, finally, placing those scenarios and risks in the context of the company's risk transfer portfolio enables the board to make an informed decision on how to move forward in addressing these risks.
Stay in touch
So how can a busy CEO best keep an eye on important cyber-risks? It's a tough but essential question. Information comes at us so quickly these days and in so many formats that it's easy to get overwhelmed. CEOs - and anyone with a responsibility related to cyber-risk - can look to several key sources for information.
One place to start is with law firms and news sources that cater to them. 'Cyber' has a rapidly evolving regulatory environment, and one that is borderless. For example, the EU is implementing new standards and regulations around privacy and security, some of which have real teeth in the form of fines and penalties tied not to the harm caused but to a company's annual revenue. There is also a growing body of case law on cyber-issues that is expanding the scope of the peril as courts in recent years have, among other things:
- lowered the threshold of proof required in establishing standing in domestic federal courts;
- found for the government with regard to the scope of its mandate to regulate security;
- sided with insurers in several cases in finding that cyber-risks aren't covered in traditional property/casualty policies.
A second way to stay informed is through the host of consultants that now focus on translating the often hyper-technical cyberlanguage into plain English. With the growing recognition that 'cyber' is a board-level concern comes the need to communicate in terms that are more readily understood. Some consultants are geared specifically to the risk-management community, while others provide information about privacy risks and put out regular updates on cyber-risk.
One last area to mention is rooted within your own organisation. If you don't have a dialogue already with your CISO or CIO, it's time to open one up. These are your people on the front line. They are probably the best sources of information you can find on your specific needs and vulnerabilities, and should be able to deepen your understanding of the risk your company faces.
This information is not intended to be taken as advice regarding any individual situation or as legal, tax, or accounting advice and should not be relied upon as such.