<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Grace Crickette, Author at Security Current</title>
	<atom:link href="/author/grace-crickette/feed/" rel="self" type="application/rss+xml" />
	<link>/author/grace-crickette/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 03 Jan 2018 01:50:04 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Grace Crickette, Author at Security Current</title>
	<link>/author/grace-crickette/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Making Insurance Part of Your Enterprise Risk Management Program – Part Three</title>
		<link>/making-insurance-part-of-your-enterprise-risk-management-program-part-three/</link>
					<comments>/making-insurance-part-of-your-enterprise-risk-management-program-part-three/#respond</comments>
		
		<dc:creator><![CDATA[Grace Crickette]]></dc:creator>
		<pubDate>Tue, 26 Jul 2016 13:16:29 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16349</guid>

					<description><![CDATA[<p>In this series, Grace Crickette provides C-Level executives a comprehensive overview of cyber insurance, while addressing business impacts and offering best practices for implementing a risk-management strategy that includes a cyber-liability&#8230;</p>
<p>The post <a href="/making-insurance-part-of-your-enterprise-risk-management-program-part-three/">Making Insurance Part of Your Enterprise Risk Management Program – Part Three</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>In this series, Grace Crickette provides C-Level executives a comprehensive overview of cyber insurance, while addressing business impacts and offering best practices for implementing a risk-management strategy that includes a cyber-liability policy.</em></p>
<p><a href="http://www.securitycurrent.com/en/analysis/ac_analysis/making-insurance-part-of-your-security-enterprise-risk-management-program-part-one">Part One</a></p>
<p><a href="http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/making-insurance-part-of-your-enterprise-risk-management-program-part-two">Part Two</a></p>
<p><strong><em>Part Three: Risk Management and Insurance Basics</em></strong></p>
<p><strong>Insurance and Risk Management Basics</strong></p>
<p>Insurance is just one tool in the Risk Manager’s belt, but sometimes it is their favorite tool. Why? It is the easiest to wield when all the rest of risk management is quite difficult. The identification, understanding, and management of risk requires people to change their behavior, which is challenging. Also, people are not very good at understanding or talking about risk. When asked what a risk is, a lawyer might say it is a lawsuit filed against the company – <strong>wrong, that</strong> is an impact. A CFO might say receiving a downgrade from a rating agency – <strong>wrong, that</strong> is a long-term consequence. A CISO might say that management cares more about system availability than downtime for security – <strong>right, </strong>we just identified a risk.</p>
<p align="center"><strong>In Chinese it takes two symbols to represent risk</strong></p>
<p align="center"><strong><img decoding="async" src="http://www.securitycurrent.com/resources/images/thumbs/200x200/Risk.jpg" alt="" /></strong></p>
<p align="center"><strong>Danger and Opportunity</strong></p>
<p>Risk is an uncertainty which is neither good nor bad, just unknown.  In western culture if all fails, we label the event or action leading to the undesired outcome as a “risk.”  If all goes well, we don’t refer to the event or action as a “risk,” even though creating any opportunity always requires risk taking. We generally think of risk as a major bummer, but risk is really a good thing as long as our judgment is sound.</p>
<p><strong>Risk Management Basics: </strong></p>
<p>Risk management should allow us to take more risk.  As Risk Managers, we want to have people be <strong>risk aware</strong>, meaning that they are not <strong>risk adverse</strong>, but are willing to take greater risks because they have a better understanding of the risk and how to manage it.  We want to be able to anticipate that a <strong>risk event</strong> might occur, prepare for it and understand what is <strong>at risk</strong>, meaning what assets are at stake.</p>
<p>Thinking about what could go wrong, we can understand and anticipate, and in some circumstances even calculate what the <strong>risk impact</strong> might be.  In addition to the immediate impact, we want to understand what the longer term <strong>risk consequences </strong>might be.  By institutionalizing and formalizing the <strong>identification of risks</strong> through <strong>risk assessments</strong>, audits, hot-line reporting, surveys, and other methodologies, we can develop an inventory of risks and evaluate their impact, frequency, the quality of our controls, and our ability to monitor the risks. Based on that evaluation, we can develop <strong>risk mitigation </strong>strategies including effective <strong>risk responses</strong>.</p>
<p>The word “Risk” alone is confusing – <em>Risk</em> should never be a lonely word. Try matching up the pictures to the terms on the right.</p>
<p><img decoding="async" src="http://www.securitycurrent.com/resources/images/thumbs/200x200/Understanding%20Risk.jpg" alt="" />                      <img decoding="async" src="http://www.securitycurrent.com/resources/images/thumbs/200x200/Enterprise%20Risk%20Managment.jpg" alt="" /></p>
<p>After all of this risk management effort, unwanted and unplanned <strong>risk events</strong> are going to happen in spite of our best efforts &#8211; and that is our <strong>residual risk</strong>. It is this <strong>residual risk</strong> that we may want to insure, based on our <strong>risk appetite</strong> and <strong>risk tolerance</strong>.</p>
<p><strong>Risk Appetite</strong> represents the decision of how much risk an organization is willing to assume, consistent with its strategy. <strong>Risk Tolerance</strong> is the set of parameters we identify in order to know whether the risk we are actually taking is aligned with our Risk Appetite.</p>
<p>If you have ever heard someone say, “My eyes were bigger than my stomach,” this is exactly how Appetite and Tolerance work: you go to the buffet and you want to get your money’s worth (appetite), but the next morning you get on the scale and are upset that you gained two unwanted pounds (tolerance).</p>
<ul>
<li>Risk appetite: the broad based amount of risk an organization is willing to accept in pursuit of its mission and vision.</li>
<li>Risk tolerance: the acceptable variation relative to the achievement of an objective, best measured in the same units as those used to measure the related objective.</li>
</ul>
<p><strong>Brand / Reputational Risk:</strong> Failure to protect and build our brand may cause our value to erode over time and, ultimately, impair our ability to sustain our value proposition.</p>
<p><img decoding="async" src="http://www.securitycurrent.com/resources/images/thumbs/200x200/Reputational%20Risk.jpg" alt="" /></p>
<p>Now, I can hear you thinking: how do you insure Brand and Reputation Risk? There are actually some insurance products for this. It is safe to say that you can insure just about anything unless it is forbidden by law.</p>
<p><strong>Insurance Basics:</strong></p>
<p>One risk management technique is <strong>risk transfer</strong>, meaning that we transfer the risk to someone else via a contract.  This could include completely outsourcing an area of operation to another company, such as physical security and monitoring of your data center.</p>
<p>We would want to have strong contract language wherein the security company indemnifies us from all liability, and we would want to make certain that they have adequate insurance limits and the right type of insurance, and that we are included as a named insured and/or additional insured on the policy. Or, we may decide we understand enough about physical security that we don’t want to outsource it.</p>
<p>We have a great security team, continuous video monitoring, state-of-the-art biometric access controls, and we have good risk management techniques in place to detect, prevent and manage risk events, but we know that we are still going to have some residual risk, so we have to decide how we want to finance it. Here are a few examples:</p>
<p>Option 1: Pay-as-you-go: other than workers’ compensation and auto liability in most states, there is no legal requirement to purchase insurance. You don’t have to purchase liability insurance, professional liability, cyber, etc&#8230; You would be surprised how much insurance is not purchased; companies go “bare,” just writing checks out of their general funds. Some don’t even budget for it. So, an unplanned risk event is both an operational surprise and a financial surprise. I don’t recommend Option 1.</p>
<p>Option 2: Self-insure: you can self-insure almost any risk as allowed by law. In many states employers can qualify to self-insure even mandatory insurance such as workers’ compensation and auto liability – you have to go through a lot of rigor, but it can be done. For the rest, you can self-insure in different ways and with different retentions.</p>
<p>Option 2A – self-insure 100% &#8211; this is different from pay-as-you-go, as you will record not only the liabilities on your balance sheet, but also reserves for what your losses might be.</p>
<p>Option 2B – take a high deductible or retention, but purchase an insurance policy. This means you self-insure the first layer of the loss up to a limit that you are financially comfortable with, or up to the level that the insurance carrier is willing to offer.</p>
<p>Option 3: <strong>Trust/Captive</strong> &#8211; you might establish a formal Trust or a Captive to take on a large portion of the risk and then purchase insurance or reinsurance.</p>
<p>As I’ve indicated in Parts 1 and 2 of this series, buying insurance is not like buying widgets. The insurance marketplace has limited capacity and, through the underwriting process, will limit the amount of retention you can or will want to take (high or low), how much insurance you can buy, and whether you can even get insurance. Even on a good risk, when dealing at the enterprise level you will get more rejections than quotes.</p>
<p>In insurance, cheap is cheap. You get what you pay for. If you go for the lowest quote without looking at the terms of the coverage and without considering the carriers’ ability and willingness to pay, you won’t have a risk management job for very long.</p>
<p>Generally, insurance policies impose upon insurance companies two important duties: the duty to defend and the duty to indemnify.  If a business is sued and the claims asserted against it are potentially covered by an insurance policy, then its insurance company has a duty to defend the business – i.e., the insurance company must pay for the defense of the case.</p>
<p>In addition, if the claims are covered by the policy, then the insurance company has a duty to indemnify the business for liability up to the limits specified in the policy (after any applicable deductible).  So, why do some claims not get paid?</p>
<ul>
<li>The risk event is not covered</li>
<li>The application completed by the insured was inaccurate</li>
<li>The insured misrepresented the risk, their risk event history, their ability to manage the risk</li>
<li>The insured did not report the claim soon enough</li>
<li>The insured did not cooperate with the insurance company once the loss occurred</li>
<li>The insured has two or more policies that cover the same risk event &#8211; so the insurance companies argue for years over who will pay</li>
<li>I could go on….</li>
</ul>
<p>Having a good insurance broker as a business partner (with a rock solid <strong>Errors and Omissions</strong> insurance policy) is as important as selecting your insurance carriers. The broker can help you understand what you are buying, who you are buying it from, and because of their buying power they can help to get your claims paid.</p>
<p>Recall that I started out with “Insurance is just one tool in the Risk Manager’s belt, but sometimes it is their favorite tool…” In addition to being a solution to the residual risk problem, insurance can be a great change agent. Sometimes it is easier to get people to change because “the insurance company requires…” than it is for the Risk Manager or the CISO to say, “This is the best way to manage this risk…” We will explore this further in this series.</p>
<p>Well, those were the basics. I surely left something out, so please contact me and contribute.</p>
<p>Next, we will move on to “What are we trying to insure?” In the IT environment many may think that running out and getting a “Cyber” policy will do the job – I say that depends….</p>
<p>Included is an <strong>addendum</strong> that will build out as we progress through the series: a dictionary of sorts, with “text book” and “real world” explanations.</p>
<p>If you would like to comment or contribute additional information on this topic, please comment below or email Grace at <a>grace.crickette@hanoverstonepartners.com</a></p>
<p><strong>Dictionary</strong></p>
<p><strong>Capacity:  </strong>The amount an insurer can insure, which is limited by financial strength, regulations, debt covenants and other factors. All insurance companies or syndicates have limited capacity. I recall a meeting with an underwriter on fine arts at the end of a long day; he sat down and immediately stated, “I’m done, not going to write any more fine arts coverage this year!”</p>
<p><strong>Captive:</strong>  A captive is an insurance company created and wholly owned by one or more non-insurance companies to insure the risks of its owner (or owners). Captives are essentially a form of self-insurance whereby the insurer is owned wholly by the insured. A Captive has the benefit of formalizing your self-insurance program: you have a board, governance documents, and generally better financial controls.</p>
<p><strong>Errors and Omissions Insurance (E&amp;O):</strong>  A <a href="http://www.investopedia.com/terms/p/professional-liability-insurance.asp">professional liability insurance</a> that protects companies and individuals against claims made by clients for inadequate work or negligent actions. In the case of an insurance broker, their E&amp;O policy can come into play if there end up being problems with a particular insurance policy and its associated claims. The E&amp;O policy provides another layer of protection to ensure that your organization is properly protected. Errors and omissions insurance often covers both court costs and any settlements up to the amount specified in the insurance contract.</p>
<p><strong>Reinsurance:</strong> Protects an insurer in circumstances when large individual claims, or large numbers of smaller claims as a result of a catastrophe or other unforeseen circumstance, threaten to cause catastrophe for the insurance company’s own balance sheet. Think of it as insurance for insurance companies. Reinsurance involves underwriters sharing out parts of their risk portfolios so that the risk can be more equally shared – far better for insurers, and for claimants. Excess of loss reinsurance provided a new way of apportioning risk between reinsurers and is widely used.</p>
<p><strong>Syndicate:</strong>  A self-organizing group of individuals, companies, corporations or entities formed to transact some specific business, or to pursue or promote a shared interest. In most cases such groups aim to scale up their profits. Unlike many other insurance brands, Lloyd&#8217;s is not a company; it&#8217;s a market where members join together as syndicates to insure risk. Much of Lloyd’s business works by subscription, where more than one syndicate takes a share of the same risk. Business is conducted face-to-face between brokers and underwriters in the Underwriting Room.</p>
<p><strong>Trusts:</strong> Unlike insurance purchased through traditional insurance companies, an organization might self-insure and set aside the money for anticipated claims and other costs in a Trust. The Trust is simply a financial vehicle: it is an isolated account with governance documents that dictate what it can be used for, versus general funds that are discretionary. Often a Trust will consist of a homogeneous group of risks with similar exposures. This allows the Trust to minimize the &#8220;peaks and valleys&#8221; of pricing over the long term. Basically, a Trust can provide long-term rate/premium stability, unlike traditional insurance companies.</p>
<p><strong>Underwriting:</strong> The process of gathering information about an insured, its industry, region, and other factors along with using modeling of data to understand the risk and develop the appropriate premium to cover the expected losses that might arise from that risk.  Insurance underwriters evaluate the risk and exposures of potential clients or insureds and then make a decision whether they want to provide coverage and how much.</p>
<p><strong>Wording:  </strong>The wording or written language in the insurance policy itself is intended to provide protection for the insurance company and to eliminate loopholes in coverage. Policy wording is open to interpretation by the courts.</p>
<p>There are even “wording specialists” employed by the carriers. It is good to take the time and meet with the wording specialist as they can be extremely helpful in crafting the language that you desire and in establishing a clear understanding between you and the carrier.</p>
<p>Keep in mind that ambiguity in an insurance policy is not always a bad thing. In many jurisdictions, if the language is ambiguous then the court, as a matter of law, will rule in favor of the insured and not the insurance company.</p>
]]></content:encoded>
					
					<wfw:commentRss>/making-insurance-part-of-your-enterprise-risk-management-program-part-three/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Making Insurance Part of Your Enterprise Risk Management Program &#8211; Part Two</title>
		<link>/making-insurance-part-of-your-enterprise-risk-management-program-part-two/</link>
					<comments>/making-insurance-part-of-your-enterprise-risk-management-program-part-two/#respond</comments>
		
		<dc:creator><![CDATA[Grace Crickette]]></dc:creator>
		<pubDate>Fri, 18 Mar 2016 15:26:06 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16400</guid>

					<description><![CDATA[<p>In this series, Grace Crickette provides C-Level executives a comprehensive overview of cyber insurance, while addressing business impacts and offering best practices for implementing a risk-management strategy that includes a cyber-liability&#8230;</p>
<p>The post <a href="/making-insurance-part-of-your-enterprise-risk-management-program-part-two/">Making Insurance Part of Your Enterprise Risk Management Program &#8211; Part Two</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>In this series, Grace Crickette provides C-Level executives a comprehensive overview of cyber insurance, while addressing business impacts and offering best practices for implementing a risk-management strategy that includes a cyber-liability policy.</em></p>
<h3><strong><em>Part Two: A Very Brief History of Insurance and Coffee Houses</em></strong></h3>
<p>Today coffee houses or cafés serve as centers of social interaction where patrons access the Internet on their laptops, write novels, and launch startups over a cup of coffee, but the café lifestyle is not a new idea. It has been around for a very long time.</p>
<p>Let’s travel back to the City of London in 1675, where we find a coffee house on every corner, over 80 to choose from within one square mile. You are a daring entrepreneur whose family owns a clothing mill and you want to import cotton from the new world.</p>
<p>You have made a deal with a shipper, the <em>Sinkability</em>, but you’re concerned about the abilities of the captain and crew, the worthiness of the ship, the weather across the Atlantic, and <em>oh ye maties </em>the dreaded pirates. If the ship loaded with cotton or later with the cloth from your mill is sunk, your family’s fortune will be lost and you wind up in debtor’s prison!</p>
<p>Luckily, you are headed to Lloyd’s coffee house where you have heard that they not only provide a nice espresso, but a venue for merchants and shippers to discuss deals and pool their money to cover a portion of each other’s potential losses. The patrons are not just sharing a cup of coffee – they are sharing risk. You are now a seventeenth century Risk Manager!</p>
<p>Today Lloyd’s Coffee house is Lloyd’s of London, which is unlike any other market place for insurance. I encourage you to visit the Lloyd’s website to not only learn of its amazing history, but to learn about the innovation that is going on in that market place, including the insuring of information technology and data risks. More: <a href="https://www.lloyds.com/lloyds/about-us/history">https://www.lloyds.com/lloyds/about-us/history</a></p>
<p>Putting on my risk manager hat, I can tell you that Lloyd’s has a stellar reputation for covering claims, and while I may have had to work hard to prove my case a time or two, in the end the <strong><em>syndicates</em></strong> that insured my program always came through, just as they did in the great earthquake of 1906.</p>
<p>The head of Lloyd’s visits San Francisco every year to commemorate the great earthquake of 1906 and remember how Lloyd’s responded to the losses by declaring that “every claim shall be paid.”</p>
<p>During this era, governments were not expected to supply relief funds, so the burden of losses fell on the insurance industry. This resulted in great loss to the Lloyd’s market, but also the birth of a new idea,<strong><em> reinsurance</em></strong>.</p>
<p>What about insurance in America?</p>
<p>“<strong><em>An Ounce of Prevention is worth a Pound of Cure</em></strong>,” Benjamin Franklin.</p>
<p>We can thank Benjamin Franklin for being practical and inventive. In 1752, he started the Philadelphia Contributionship for the Insurance of Houses from Loss by Fire, which became the first mutual fire insurance company in America.</p>
<p>The Philadelphia Contributionship for the Insurance of Houses from Loss by Fire set new standards for building houses because it refused to insure houses that were considered fire hazards. These criteria, also known as <strong><em>underwriting</em></strong>, were used to evaluate buildings and became the foundation for building codes and zoning laws. Seven years later, Franklin was also instrumental in getting the first <a href="http://www.investopedia.com/terms/l/lifeinsurance.asp">life insurance</a> company, the Presbyterian Ministers&#8217; Fund, off the ground.</p>
<p>Insurance in the U.S. differs in many ways from Lloyd’s, but in short: in the U.S., corporations create and sell insurance products. Insurance in the U.S. is governed by state law, so the regulations are fragmented. Most policies purchased are not customized with <strong><em>wording</em></strong>; rather, standard insurance policies are provided and then altered through exclusions and endorsements, though there are some carriers that allow greater flexibility.</p>
<p>In the U.S., there is tremendous <strong><em>capacity </em></strong>and pricing is very competitive. This is absolutely not a complete summation of the contrast between Lloyd’s and the rest of the insurance world. There will be plenty of time to dive in deeper as we continue <strong><em>The CISO’s Guide to Insurance</em></strong>.</p>
<p>If you would like to comment or contribute additional information on this topic, please comment below or email Grace at <a>grace.crickette@hanoverstonepartners.com</a></p>
<p><strong>Dictionary</strong></p>
<p><strong>Capacity:  </strong>The amount an insurer can insure, which is limited by financial strength, regulations, debt covenants and other factors. All insurance companies or syndicates have limited capacity. I recall a meeting with an underwriter on fine arts at the end of a long day. He sat down and immediately stated: “I’m done, not going to write any more fine arts coverage this year!”</p>
<p><strong>Reinsurance:</strong> Protects an insurer in circumstances when large individual claims, or large numbers of smaller claims as a result of a catastrophe or other unforeseen circumstance, threaten to cause catastrophe for the insurance company’s own balance sheet.</p>
<p>Think of it as insurance for insurance companies. Reinsurance involves underwriters sharing out parts of their risk portfolios so that the risk can be more equally shared – far better for insurers, and for claimants. Upon creation, excess of loss reinsurance provided a new way of apportioning risk between reinsurers and is widely used.</p>
<p><strong>Syndicate:</strong>  A self-organizing group of individuals, companies, corporations or entities formed to transact some specific business, to pursue or promote a shared interest. In most cases formed groups aim to scale up their profits.</p>
<p>Unlike many other insurance brands, Lloyd&#8217;s is not a company; it&#8217;s a market where members join together as syndicates to insure risk. Much of Lloyd’s business works by subscription, where more than one syndicate takes a share of the same risk. Business is conducted face-to-face between brokers and underwriters in the Underwriting Room.</p>
<p><strong>Wording:  </strong>The wording or written language in the insurance policy itself is intended to provide protection for the insurance company and to eliminate loopholes in coverage. Policy wording is open to interpretation by the courts.</p>
<p>There are even “wording specialists” employed by the carriers. It is good to take the time and meet with the wording specialists as they can be extremely helpful in crafting the language that you desire and in establishing a clear understanding between you and the carrier.</p>
<p>Keep in mind that ambiguity in an insurance policy is not always a bad thing. In many jurisdictions if the language is ambiguous then the court, as a matter of law, will rule in favor of the insured and not the insurance company.</p>
<p><strong>Underwriting: </strong> <a title="Insurance" href="https://en.wikipedia.org/wiki/Insurance">The process of gathering information about an insured, its industry, region, and other factors, along with using modeling of data to understand the risk and develop the appropriate premium to cover the expected losses that might arise from that risk. </a>Insurance underwriters evaluate the risk and exposures of potential clients or insureds and then make a decision whether they want to provide coverage and how much.</p>
]]></content:encoded>
					
					<wfw:commentRss>/making-insurance-part-of-your-enterprise-risk-management-program-part-two/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Making Insurance Part of Your Enterprise Risk Management Program &#8211; Part One</title>
		<link>/making-insurance-part-of-your-enterprise-risk-management-program-part-one/</link>
					<comments>/making-insurance-part-of-your-enterprise-risk-management-program-part-one/#respond</comments>
		
		<dc:creator><![CDATA[Grace Crickette]]></dc:creator>
		<pubDate>Wed, 13 Jan 2016 17:39:57 +0000</pubDate>
				<category><![CDATA[CISO Insights]]></category>
		<guid isPermaLink="false">http://184.154.4.181/?p=16447</guid>

					<description><![CDATA[<p>In this series, Grace Crickette provides C-Level executives a comprehensive overview of cyber insurance, while addressing business impacts and offering best practices for implementing a risk-management strategy that includes a cyber-liability&#8230;</p>
<p>The post <a href="/making-insurance-part-of-your-enterprise-risk-management-program-part-one/">Making Insurance Part of Your Enterprise Risk Management Program &#8211; Part One</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>In this series, Grace Crickette provides C-Level executives a comprehensive overview of cyber insurance, while addressing business impacts and offering best practices for implementing a risk-management strategy that includes a cyber-liability policy.</em></p>
<h3><em>Part One</em></h3>
<p>The role of the CISO is expanding, shifting from a focus on information security programs to a holistic risk management approach. Necessary skills now encompass IT administration as well as the ability to think strategically to influence business risk decisions affecting everything from developing privacy policies to preparing disaster recovery plans, to obtaining insurance coverage.</p>
<p>Even if the CISO is not driving the insurance purchasing process, enlisting the CISO’s help is critical in creating an insurance program that facilitates improvement and ensures that the insurance policies have the appropriate wording to provide the desired coverage in the event of a breach.</p>
<p>I recently led a roundtable discussion with an impressive group of CISOs. We discussed four topics and the most animated…okay…heated topic was “insurance.” Opinions were that existing policies offer little value and the premium dollars would be much better spent in the hands of the CISOs to deploy loss prevention and detection technology.</p>
<p>Whether considering data risk, compliance issues, or hazard risk events, I am always in favor of prevention strategies, but I felt compelled to offer the following:</p>
<ol>
<li>Insurance policies can be designed by the insured, which means that with a basic understanding of how policies are constructed you can, to a great extent, craft them to suit your organization’s needs</li>
<li>A well-designed risk financing and insurance program, such as a combination of self-insuring and excess insurance or a captive structure, can create a cost-effective and sustainable resource for funding loss prevention and detection</li>
<li>Insurance policies can be great change agents; it is easier to implement needed controls and programs if “the insurance company requires it”</li>
</ol>
<p>Following the in-depth discussion, everyone around the table bought into the strategic virtues of insurance and went running back to their offices to make a date with their risk manager&#8230;okay, not exactly what happened&#8230;but I did get the CISOs thinking and speaking a bit more broadly about the possible benefits of insurance.</p>
<p>In this series, I hope to provide information that will inform and excite you about insurance. I will be including input and opinion from a variety of my colleagues, including underwriters, brokers, legal counsel, risk managers, and of course some CISOs.</p>
<h3>In the coming series we will cover:</h3>
<ul>
<li>A Brief History of Insurance</li>
<li>Insurance and Risk Management Basics</li>
<li>What are we trying to insure?</li>
<li>What insurance do we have, and what is covered?</li>
<li>Security Assessments, Risk Assessments, and Underwriting Submissions</li>
<li>Re-defining the rules of cyber-insurance</li>
<li>How is the insurance community responding?</li>
<li>Business impacts of cyber-insurance</li>
<li>How to achieve savings by implementing a risk management strategy that includes cyber-insurance</li>
</ul>
<p>Included is an <strong>addendum</strong> that will build out as we progress through the series: a dictionary of sorts with “text book” and “real world” explanations.</p>
<p>If you would like to comment or contribute additional information on this topic, please comment below or email Grace at <a>grace.crickette@hanoverstonepartners.com</a></p>
<p><strong>Dictionary</strong></p>
<p><strong>Wording: </strong>The wording, or written language, in the insurance policy itself is intended to provide protection for the insurance company and to eliminate loopholes in coverage. Policy wording is open to interpretation by the courts.</p>
<p>There are even “wording specialists” employed by the carriers. It is good to take the time and meet with the wording specialist as they can be extremely helpful in crafting the language that you desire and in establishing a clear understanding between you and the carrier.</p>
<p>Keep in mind that ambiguity in an insurance policy is not always a bad thing: in many jurisdictions, if the language is ambiguous, the court as a matter of law will rule in favor of the insured and not the insurance company.</p>
<p><strong>Underwriter: </strong><a title="Insurance" href="https://en.wikipedia.org/wiki/Insurance">Insurance</a> underwriters evaluate the risk and exposures of potential clients or insureds. They decide how much coverage the client should receive, how much they should pay for it, or whether even to accept the risk and insure them. Underwriters are looking for the best “horse” to place their bets on.</p>
<p>The underwriter’s performance is judged largely on their ability to select insureds who will not have terrible claims, to determine the correct amount of premium for the coverage, and to ensure the policy is crafted to reduce the risk to the carrier.</p>
]]></content:encoded>
					
					<wfw:commentRss>/making-insurance-part-of-your-enterprise-risk-management-program-part-one/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
