Galvanized by recent cyber attacks against corporations, boards of directors are pushing their companies’ risk managers as well as the insurance industry to quantify cyber risks. The push for better predictive data on computer breaches stems from directors’ desire for clarity on how to either self-fund or transfer the risk to insurance companies.
Seeing disclosure as a way to exert downward pressure on their organizations to do a better job of predicting and managing cyber risks, at least one board has also pressed its company’s management to report and quantify the threat. Meanwhile, the insurance industry, in its infancy in terms of quantifying its clients’ risk, is merely pushing commodified products that cover only a fraction of the potential risks.
Those are key takeaways for CFOs from presentations by insurers, insurance brokers, corporate risk managers, and chief information security officers who spoke last week at the Cyber Risk Insights Conference held by Advisen, a risk management data firm, in New York. Especially striking for a conference involving the nascent cyber insurance industry was the attendance, with the spacious Grand Hyatt New York ballroom packed solid.
Part of the attendance could be attributed to the intense interest corporations are taking in preparing for looming, though ill-defined cyber risks. Indeed, two conference panelists, the risk managers of Merck & Co. and Time Inc., both classified cyber-risk exposures as one of the top perils in the hierarchy of risks their corporations face.
“Cyber is absolutely a top risk in the organization. In fact, we’ve actually begun disclosing it as such in our public filings, our 10-Ks, alongside our business and operations risks,” said Eric Dobkin, the director of insurance and risk management at Merck. “It’s gotten attention from all levels of the company.”
Similarly, Laura Winn, the director of risk management and treasury at Time, said the media giant’s board considers attacks on the company’s computer systems a “top three risk,” with lawsuits against its directors and officers another one she mentioned. Prompted by the board, the company’s risk management department is working to quantify the company’s exposure to cyber attacks so that it can transfer some of the risks to insurers, she added.
Culling all the media company’s cyber-risk-management information together in a meaningfully predictive way is a tough task, however. That’s because “our organization is pretty siloed,” she said. “One thing we need to do is bring everybody together, outside of the crisis management team,” to gather the data needed to underlie a corporate-wide strategy to prevent cyber losses before they happen.
Merck is embarked on a similar path. “Within our organization, we have challenges and questions about how to quantify the risk,” said Dobkin. While he works on quantification in conjunction with the chief information security officer on that effort, he works “with everyone else too,” the risk manager said.
“I struggle to think what part of the organization isn’t touched by the risk,” he added, noting that the company’s manufacturing, research, and distribution functions are all exposed to cyber attacks.
Both risk managers suggested that making cyber risk disclosure part of corporate financial reporting could have preventative effects. But their companies only report the existence of the risks, not the extent of them. Within its report of its technology risks in its most recent 10-K, Merck reported that its could “experience a business interruption, intentional theft of confidential information, or reputational damage from espionage attacks, malware or other cyber-attacks, or insider threat attacks….”
Yet its quantitative reporting on the risks remained threadbare. “Although the aggregate impact on the Company’s operations and financial condition has not been material to date, the Company has been the target of events of this nature and expects them to continue,” Merck reported, without giving numbers.
In its most recent annual report, Time disclosed: “Like other companies, we have on occasion experienced, and will continue to experience, threats to our data and systems, including malicious codes and viruses, and other cyber-attacks. The number and complexity of these threats continue to increase over time.” Again, there was no actual quantification of the risk.
“It’s difficult to quantify what the exposure is to our organization,” said Winn, noting that it’s hard “just getting the right payroll [data] for workers’ compensation insurance and risk management purposes.”
A large retailer she previously worked for also disclosed cyber risk in its 10-K but didn’t quantify it, Winn recalled. As a result, that company’s board began to press for more details on the extent of the risk. “Disclosure does push the board to push down” on the rest of the organization to get better risk information, she said.
For its part, Merck’s risk management department gets “questions about how to quantify risk” from the finance department, which it reports to, said Dobkin.
But one of the prime sources corporations would go to for information and advice about how to manage risk exposures, the property-casualty insurance industry, is only just getting started on gaining a true understanding of how to forecast cyber losses. To the industry, “the role of the insurance market is shrouded in clouds,” said Dominic Casserley, the president and deputy chief executive officer of Willis Towers Watson, the big insurance broker and consultancy. Insurers “have no idea where it will go.”
Indeed, the past year has shown the industry “that we’ve only just gotten started to address this problem [of how to quantify the risk]. 2016 was the year when we became aware of the fact that the consequences may be much broader than just the costs associated with handling a company’s personal data,” potentially involving attacks on the internet of things, said Ben Beeson, cyber risk practice leader for insurance broker Lockton Cos. “Not just the data but the physical assets may be at risk, and [cyber criminals] just might attack you physically.”
Rather than just trying to push products, insurers should seek to tailor coverage to the needs of each individual corporate client, according to Beeson. “While it is good news that the insurance industry’s awareness has grown, it is not, at least in the short term, making life any easier for our clients,” he said. “When it comes to trying to understand how to transfer cyber risk from the balance sheet … [corporate insurance buyers are] facing ambiguity, a jigsaw puzzle of insurance products that overlap in some areas and exclude in others.”
While the insurance industry may be progressing in terms of its grasp of cyber risks, “the risk is evolving incredibly dynamically, and the industry is very deliberative,” observed Merck’s Dobkin.