Galvanized by recent cyber attacks against corporations, boards of directors are pushing risk managers and the insurance industry to quantify cyber risks. The demand for better predictive data on computer breaches stems from directors’ desire for clarity on how to either self-fund or transfer the risk to insurance companies.
Seeing disclosure as a way to exert downward pressure on an organization to do a better job of predicting and managing cyber risks, at least one board has also pressed its company’s management to report and quantify the threat.
Meanwhile, the insurance industry, in its infancy in terms of quantifying cyber liabilities, is being accused of peddling commoditized products that cover only a fraction of the potential risks. (Although a large number of companies have purchased stand-alone cybersecurity policies in 2016.)
Those are key takeaways for CFOs from the presentations by insurers, insurance brokers, corporate risk managers, and chief information security officers at the Cyber Risk Insights Conference held by Advisen, a risk management data firm, in October. High attendance at the event attested to the intense interest corporations are taking in preparing for looming, though ill-defined, cyber risks. Indeed, two panelists, the risk managers of Merck and Time, both classified cyber-risk exposure as one of the top perils in the hierarchy of risks their corporations face.
“Cyber is absolutely a top risk in the organization. In fact, we’ve actually begun disclosing it as such in our public filings, alongside our business and operations risks,” said Eric Dobkin, the director of insurance and risk management at Merck. “It’s gotten attention from all levels.”
Similarly, Laura Winn, the director of risk management and treasury at Time, said the media giant’s board considers attacks on the company’s computer systems a “top-three risk.” Prompted by the board, the company’s risk management department is working to quantify the company’s exposure to cyber attacks so that it can transfer some of the risks to insurers, she added.
Culling the media company’s cyber-risk-management information together in a meaningfully predictive way is a tough task, however. That’s because “our organization is siloed,” she said. “One thing we need to do is bring everyone together, outside of the crisis management team,” to gather the data needed to underlie a corporate-wide strategy to prevent cyber losses before they happen.
Merck has embarked on a similar path. “Within our organization, we have challenges and questions about how to quantify the risk,” said Dobkin. He works on quantification in conjunction with the chief information security officer, but said he works on the issue with others as well.
“I struggle to think what part of the organization isn’t touched by the risk,” he added, noting that the company’s manufacturing, research, and distribution functions are all exposed to cyber attacks.
Both risk managers suggested that making cyber-risk disclosure part of corporate financial reporting could have preventative effects. But their companies only report the existence of the risks, not the extent of them. In its most recent 10-K, Merck reported that it could “experience a business interruption, intentional theft of confidential information, or reputational damage from espionage attacks, malware or other cyber-attacks, or insider threat attacks….”
Yet Merck’s quantitative reporting on the risks remained threadbare. “Although the aggregate impact on the company’s operations and financial condition has not been material to date, the company has been the target of events of this nature and expects them to continue,” Merck reported, without giving numbers.
In its most recent annual report, Time disclosed: “Like other companies, we have on occasion experienced, and will continue to experience, threats to our data and systems, including malicious codes and viruses and other cyber attacks. The number and complexity of these threats continue to increase over time.” Again, there was no actual quantification of the risk.
“It’s difficult to quantify what the exposure is to our organization,” said Winn, noting that it’s hard “just getting the right payroll [data] for workers’ compensation insurance and risk management purposes.”
A large retailer she previously worked for also disclosed cyber risk in its 10-K but didn’t quantify it, Winn recalled. As a result, that company’s board began to press for more details on the extent of the risk. “Disclosure does push the board to push down” on the rest of the organization to get better risk information, she said.
For its part, Merck’s risk management department gets questions about how to quantify risk from the finance department, which it reports to, said Dobkin.
Looking for Answers
One of the prime sources corporations would go to for information and advice about how to manage risk exposures, the property-casualty insurance industry, is only just starting to gain a true understanding of how to forecast cyber losses. To the industry, “the role of the insurance market is shrouded in clouds,” said Dominic Casserley, the president and deputy chief executive officer of Willis Towers Watson, the big insurance broker and consultancy. Insurers “have no idea where it will go.”
Said Ben Beeson, cyber risk practice leader for insurance broker Lockton Cos.: “Two-thousand sixteen was the year when we became aware of the fact that the consequences may be much broader than just the costs associated with handling a company’s personal data,” potentially involving attacks on the internet of things, he said. “Not just the data but the physical assets may be at risk, and [cyber criminals] just might attack you physically.”
A September survey by the Risk and Insurance Management Society found that 80% of responding companies bought a stand-alone cybersecurity policy in 2016. The annual RIMS cyber survey polled 272 respondents on issues ranging from exposure concerns and first- and third-party risk to issues surrounding government regulations. (The majority of respondents work for companies with more than 1,000 employees and annual revenue of more than $1 billion.)
Almost 70% of companies now transfer risk of cyber exposure to a third party, RIMS found. The purchase of stand-alone cybersecurity policies increased 29% from the previous year. That’s thanks, in part, to more-versatile insurance packages, said Emily Cummins, a member of the RIMS board of directors.
“The take-up rate increases as more people are educated in the space,” Cummins said. “As insurance suites become increasingly available, more companies want to procure a plan that can fit their own unique needs.”
Indeed, rather than just trying to push products, insurers should seek to tailor coverage to the needs of each individual corporate client, according to Beeson. “When it comes to trying to understand how to transfer cyber risk from the balance sheet … [corporate insurance buyers are] facing ambiguity, a jigsaw puzzle of insurance products that overlap in some areas and exclude in others,” he said.