Interview with a Risk Manager: Why the concern about cyber risk?

Posted by Mark Greisiger

A Q&A with Emily Cummins, Risk Manager and Chair of the Technology Advisory Council (TAC) of the Risk and Insurance Management Society (RIMS)
Though it may have only captured the public’s attention recently, cyber risk has been an emerging risk management concern for decades. To find out more about what keeps risk managers up at night, I spoke to Emily Cummins, CPA, CPCU, ARM, ARe, risk manager and current chair of the Technology Advisory Council (TAC) of the Risk and Insurance Management Society (RIMS), which has chosen cyber risk as an area of focus for 2012.

“Cyber risk” includes both first-party liability (business interruption; crisis costs) and third-party liability (privacy class action; IP infringements). As a risk manager, what are some of your concerns?
What we see as “cyber risk” is probably only the tip of the iceberg. We are always concerned about the capture of confidential data including PII, PHI and financial information, no matter the cause of the loss or breach (hacktivists; malware; rogue employees; or mistakes). For the risk manager, the regulatory burden increases all the time. For example, as of a few months ago, publicly traded companies must now disclose any cybercrime incident that has a financial impact on the company. Above all, risk managers want to protect customers and members, both ethically and legally. There’s a lot at stake and that’s why it’s critical to have a loss-control plan in place.

Can you speak to any specific threat or risk exposure that’s more of an ongoing or emerging concern? I’m thinking, for instance, of third-party partner and service provider (SP) mishaps; lack of budgets for IT security; hackers accessing corporate databases; the loss of laptops; and new state or federal regulations such as California’s Song-Beverly Consumer Protection Act that create duties and legal liability.
All of the above are concerns. But in addition, it’s worth pointing out that multichannel retailing is a risky area. On the RIMS TAC, we try to educate members. Many institutions think they might not have an exposure, but any organization that runs a virtual shop or a retail website, offers smart phone apps or mail order or has any other channels to market products, is carrying more risk. I’d also say in general that social media presents us with great opportunities along with more risks, as does the fact that as a society we have become more dependent on virtual devices.

Can you tell me about the RIMS TAC group?
The RIMS TAC group includes volunteers—risk managers as well as industry partners—and we hope to deliver value in thought leadership. I have been involved in RIMS for six years. As risk managers, we are always looking for good information and we support the NetDiligence® Cyber Liability & Data Breach Insurance Claims study as a valuable resource.

Is there anything else a peer risk manager just beginning to delve into cyber risk issues might want to hear from a pro?
It’s all about education, seeking out resources, taking a holistic view, developing teamwork among departments. Cyber risk is a component of enterprise risk management and it encompasses multiple silos. Part of managing that is breaking down silos and building up partnerships.

In conclusion …
For a CFO or risk manager just starting to study their own cyber risk exposures, one of the best things to do is sit down with the IT team and have a straightforward discussion about safeguards, detailing where the IT staff feels they have reasonable security and privacy practices in place—and where they might have some known weakness. It’s also important to include in this conversation any third-party service providers or contractors who might touch the network or data in any manner, as they are often the cause of data breach incidents. In closing, here are a few questions to get the conversation going:

  • Has our organization ever experienced a data breach or system attack event?
    Some studies have shown that 80-100% of executives admit to a recent breach incident—each year.
  • Does our organization collect, store or transact any personal, financial or health data?
  • Do we outsource any part of computer network operations to a third-party service provider?
    Your security is only as good as their practices and you are still responsible to your customers.
  • Do we use outside contractors to manage our data or network in any way?
    The contractor, service provider or business partner is often the responsible party for data breach events.
  • Do we share data with partners, or do we handle a partner’s data?
    You may be liable for a future breach of their network, and business partners often make cyber risk insurance one of their requirements.
  • Does our posted Privacy Policy actually align with our internal data management and sharing practices?
    If not, you may be facing a deceptive trade practice allegation.
  • Has our organization had a recent cyber risk assessment of security/privacy practices to ensure that they are reasonable and prudent and measure up to our peers?
    Doing nothing is a plaintiff lawyer’s dream. It is vital for the risk manager to know if the company’s practices are reasonable and in line both with peers’ practices and the many regulations concerning data safety.