Insuranceciooutlook

Cyber Security takes Center Stage

By Tracey Vispoli, President, Berkley Cyber Risk Solutions, a Berkley Company

At first the situation didn’t seem like a big deal until the client called. I remember it like it was yesterday. I just arrived home from work as a cyber insurance underwriter and was settling into my other role as a mom of two high energy boys who were patiently (impatiently) waiting to finish dinner so they could have the rest of the night to wreak havoc on the neighborhood kids in a competitive game of soccer shootouts.

The first call was a colleague who confessed to passing along my mobile number to a client “but”, he said, “there was a situation involving a possible security breach and they don’t know who to call.” My immediate thought was–why in heaven’s name are they calling me about a security breach, I just sell cyber insurance to help insureds protect against the financial loss resulting from security breaches, I don’t actually prevent them from happening in the first instance! But I was concerned about our client’s wellbeing and let’s face it; I was intrigued so I agreed to take the call. It wasn’t until the actual client call when my maternal instincts kicked in with a desire to put a warm blanket over them and tell them everything’s going to be ok. But I knew they needed much more than a warm blanket and words of encouragement, they needed a disaster recovery plan, a crisis management plan, a resiliency plan, a breach response roadmap, and an established telephone tree that included law enforcement, legal counsel, digital forensics, and a public relations firm. They needed to be prepared. They needed much more than I was able to provide. The panicked call from the client made me realize at that moment that the sophistication of companies oftentimes dissipates in the face of a real-time crisis. Emotions run high, corporate reputations are on the line, logical common sense evaporates, and finger pointing becomes a means for survival.

Rather than enacting a well-tested, well thought plan to respond to a crisis, they spend valuable time paralyzed by the events unfolding upon their most precious assets–their data. The company president, CFO, and CIO were all huddled in an office when they made the call to me, “Hello, is this Tracey? We need your help…. We can see the hackers in our system. We can see their trail, we are watching which files they are opening but we can’t stop them! What do we do?” I was hundreds of miles away but I could hear loud and clear the fear and desperation in their voices.

In full disclosure, that story took place many years ago. In fact, it occurred years before the plethora of well-known breaches began to populate headline news stories and years before we calculated the value of critical data assets and took all measures necessary to deploy defenses to protect those assets. That event also took place before the insurance industry went above and beyond the insurance contract of protecting insureds against financial loss and began to offer services to help the insured both pre and post breach. As an industry, we are criticized as slow to adopt change, slow to embrace future perils, but when it comes to cyber insurance, I disagree. Over the past 15 years, the cyber insurance industry has evolved from a limited peril cover to a multi-peril, cross disciplined product that also offers clients both pre-breach consultative advice as well as post-breach response strategies. OK, this sounds a bit self-serving coming from an insurance representative but look how far we have come from the day I received the desperate SOS call from my client. In the early 2000s only a limited number of insurance companies offered cyber insurance and in just a few years, privacy notification laws began to sweep the nation and the industry responded with new insurance coverage and breach response services. As new exposures arose, such as PCI standards, regulatory requirements, and frequent ransomware attempts, so did cyber insurance coverage. Simultaneous to the evolution of insurance products and risk management services was an investment in education and awareness. The insurance industry invested heavily in education and awareness as cyber-crime propagated, regulation evolved, and legislation was enacted.

Today boardrooms are discussing cyber exposures with greater in-depth knowledge, risk managers are insuring against cyber perils, CISOs are increasingly holding prominent positions with budgets and power to enact best practice standards, enterprise risk management teams are popping up to evaluate the cyber risk frontier, and all of these key stakeholders have something in common: they are all in a race to put a warm blanket over their company and protect them from the cyber war that exists beyond their virtual borders. However, as resources are increasingly thrown at this problem, cyber criminals are moving faster to find other ways to dupe us out of our critical information, sensitive data, money and even corporate reputations. The technological changes that enable cyber criminals’ success are the inspiration for the cyber insurance market to continue to underwrite cyber exposures, evaluate best practice standards, and provide robust risk management services and insurance products that are complementary to the multiple strategies a company applies toward cyber defenses.

I would like to believe that we are no longer responding to data breaches on an emotional level or with an untested breach response plan and instead companies are taking a proactive approach with vetted and tested breach plans and data classification exercises. Furthermore, data security and privacy protection protocols as well as employee training are mission critical exercises that are now woven into the fabric of almost every company. But then again, as I prepare this note to you with confidence that cyber insurance has contributed to this increased awareness, I read the news of yet another company announcing a “potential” data breach. Unfortunately this retail-food chain happens to be one of my son’s favorite chains. I better dust off my breach response plan.
