Gov’t, Insurers Tout Cyber Coverage

October 14, 2002

Recently, the White House unveiled the national plan to Secure Cyberspace, an initiative urging insurers and companies to assess and manage exposures to cyber risk. Among other things, the plan calls for developing new best practices and standards for this area, as well as for carriers to provide stand-alone cyber risk policies and loss assessment services for corporate clients. The task force is led by Richard Clark, who works with members of the insurance industry to develop the plan.

“AIG has been working with the White House and the President’s Critical Infrastructure Protection Board really for almost a year now on the national strategy, along with, of course, a number of other companies in the insurance and other private sectors,” said Ty Sagalow, COO for AIG eBusiness Risk Solutions. “I think that it is an incredibly important work by the federal government. A lot of energy by a lot of folks has been put into it. It sends a very important message, which is: ‘With 85 percent of our critical infrastructure in private hands, the way to successfully respond to the needs of this nation in terms of cyber protection is a partnership between the private sector and the public sector.’”

Chubb’s Mary Lu Korkuch, vice president and director of federal affairs, said, “I think the property/casualty industry has a unique role to play, and an overarching goal in this process. We’re concerned not just with the vulnerability of our own cyber assets—we’re also concerned with the vulnerabilities our customers face. Fundamentally, our job as insurers is to keep our customers’ assets and manage their risks, and help them prevent losses on a day-to-day basis.

“For several years, we’ve been particularly concerned about the ripple effect of a cyber loss to a customer on the rest of its enterprise,” she continued. “It’s an outgrowth, ironically, of the benefits of being so interconnected. If you remember all the buzz and the concern about Y2K, and the potential chaos that could result if something in cyberspace shut down, and as a result of that, the physical world shut down as well. This is kind of like contemplating an open-ended Y2K scenario. So it’s more important than ever that critical infrastructure industries look at their cyber vulnerabilities holistically, and consider the effect of a cyber failure on the rest of the operation. We the insurance industry understand the ramifications of how a loss on one area can impact another. So it’s great that the national plan considers a number of critical infrastructure industries simultaneously and provides a coordinated, comprehensive road map for them all to follow. And we as insurers have provided and will continue to refine over the next 60 days—since this draft document is now out for public comment—advice and insight not just for our own sector, but every other sector that’s identified in that plan.”

Cyber risk: more than an IT problem
Sagalow applauded the report’s emphasis on the problem of cyber liability as one not just for a company’s IT group to address; rather, it deserves the attention of executive management.

“The national plan also calls for the creation of a Cyber Security Council,” Sagalow said. “The people that are on that include not only the COO and CIO and CTO and CSO—in other words, the security folks—but also what the plan calls the chief risk officer. And so there’s an immediate understanding that this process has a technology component and a risk management component.

“The national strategy also has its list of questions for the board of directors … one of the questions … is, who on the board has responsibility for and admits to two things: IT security and risk management? Again, that is an incredibly important and powerful statement—that on a board level, we must work at this from a security angle and from a risk management angle.”

He continued, “On the risk management side, we were quite pleased that the draft report includes Recommendation 2.5—‘Corporations should consider working with the insurance industry on ways to expand the availability and utilization of insurance for managing cyber risk.’ There are four or so specific references to what Richard Clark has said is the pivotal role that insurance plays in managing cyberspace … After using people, process, and technology to mitigate the risk, you are not going to eliminate the risk. It is foolish to retain all risk that can’t be eliminated … So you want to combine some of that risk retention with risk transfer. The statement from the White House is, you must manage the cyber world the way you do it in the physical world, which is a combination of risk mitigation, risk transfer, and risk retention.”

Myriad exposures, little awareness
Korkuch noted that the lack of cyber liability coverage leaves many companies seriously vulnerable—not just in their IT departments, either. “Ironically, I think, the insurance community is often thought of as the industry that others turn to last,” she said. “We’re the folks who step in after a loss occurs to assess damage and pay claims. But I think often overlooked is the proactive contribution that insurance professionals can make—how to avoid or minimize future losses through loss prevention planning. That Mr. Clark recognizes the pivotal role of the insurance industry in helping particularly critical infrastructure industries understand their myriad vulnerabilities and offer guidance about how to protect them, I think not only underscores his vision, but also his commitment to what is really a very daunting challenge that he and his colleagues in the administration have undertaken with this project.”

Korkuch went further, “Our motivation for being involved in the creation of this, essentially, loss prevention and awareness document—it is not about selling product or mining new marketing opportunities. It’s really about something Chubb particularly has believed in for many, many years, which is the importance of public sector/private sector partnering for, in this instance, the protection of the United States.”

Safe now, or sorry later
Sagalow asserted that even now, as hard markets make it difficult to find carriers for virtually any sort of P/C coverage, the risks of continued cyber exposures outweigh those difficulties. He said, “[The national plan] is gonna give [cyber insurance] more than a little push. The national plan doesn’t really give a lot of alternatives. It says flat out, ‘Technology is not the answer in total.’ It says flat out that viruses and cyber attacks… are real existing threats. It cites that in 2001, the total loss across the country from viruses was over $13 billion. It cites an FBI report saying over 90 percent of companies have had unauthorized access. So it’s a real problem—it’s a problem that is not going to go away, that many people think will get worse.

“Companies can put their head in the sand and say, ‘Well, I just don’t have the money or the time to do that.’ And there will be companies that might take that approach. Certainly not the smart ones,” he continued.

“Is it easier to sell a new insurance policy in a so-called soft market, where the risk manager is getting money back, so to speak, or having his premium reduced?” Sagalow said. “Of course. Are there challenges associated with selling a new insurance product in a market where premiums are going up on traditional lines? Yes. But the reality of it—and this is where the national strategy helps—is, you can’t put your head in the sand. You have an obligation to manage a risk. This is a risk that is substantial, that is real, that is severe.”

From This Issue

Insurance Journal Magazine October 14, 2002