In this series, Grace Crickette provides C-Level executives a comprehensive overview of cyber insurance, while addressing business impacts and offering best practices for implementing a risk-management strategy that includes a cyber-liability policy.
Part Three: Risk Management and Insurance Basics
Insurance and Risk Management Basics
Insurance is just one tool in the Risk Managers belt, but sometimes it is their favorite tool. Why? It is the easiest to wield when all the rest of risk management is quite difficult. The identification, understanding, and management of risk requires people to change their behavior, which is challenging. Also, people are not very good at understanding or talking about risk. When asked what a risk is, a lawyer might say it is a lawsuit filed against the company – wrong, that is an impact. A CFO might say receiving a downgrade from a rating agency – wrong, that is a long term consequence. A CISO might say that the management cares more about system availability than downtime for security – right, we just identified a risk.
In Chinese it takes two symbols to represent risk
Danger and Opportunity
Risk is an uncertainty which is neither good nor bad, just unknown. In western culture if all fails, we label the event or action leading to the undesired outcome as a “risk.” If all goes well, we don’t refer to the event or action as a “risk,” even though creating any opportunity always requires risk taking. We generally think of risk as a major bummer, but risk is really a good thing as long as our judgment is sound.
Risk Management Basics:
Risk management should allow us to take more risk. As Risk Managers, we want to have people be risk aware, meaning that they are not risk adverse, but are willing to take greater risks because they have a better understanding of the risk and how to manage it. We want to be able to anticipate that a risk event might occur, prepare for it and understand what is at risk, meaning what assets are at stake.
Thinking about what could go wrong, we can understand and anticipate, and in some circumstances even calculate what the risk impact might be. In addition to the immediate impact, we want to understand what the longer term risk consequences might be. By institutionalizing and formalizing the identification of risks through risk assessments, audits, hot-line reporting, surveys, and other methodologies, we can develop an inventory of risks and evaluate their impact, frequency, the quality of our controls, and our ability to monitor the risks. Based on that evaluation, we can develop risk mitigation strategies including effective risk responses.
The word “Risk” alone is confusing – Risk should never be a lonely word…. try matching up…the pictures to the terms to the right…
After all of this risk management effort…. unwanted and unplanned risk events are going to happen in spite of our best efforts – and that is our residual risk. It is this residual risk that we me may want to insure based our risk appetite and risk tolerance.
Risk Appetite represents the decision of how much risk an organization is willing to assume consistently with its strategy. Risk Tolerance is the parameters we identify to know if our Risk Appetite is aligned.
If you have ever heard someone say: “My eyes were bigger than my stomach” – this is exactly how Appetite and Tolerance works, you go to the buffet and you want to get your money’s worth (appetite), but the next morning you get on the scale and are upset that you gained two unwanted pounds (tolerance).
- Risk appetite: the broad based amount of risk an organization is willing to accept in pursuit of its mission and vision.
- Risk tolerance: the acceptable variation relative to the achievement of an objective, best measured in the same units as those used to measure the related objective
Brand / Reputational Risk: Failure to protect / build our brand may cause our value to erode over time and, ultimately, impair our ability to sustain value proposition.
Now, I can hear you thinking…. how do you insure Brand and Reputation Risk? There are actually some insurance products for this. It is safe to say that you can insure just about anything unless it is forbidden by law.
One risk management technique is risk transfer, meaning that we transfer the risk to someone else via a contract. This could include completely outsourcing an area of operation to another company, such as physical security and monitoring of your data center.
We would want to have strong contract language wherein the security company indemnified us from all liability and we would want to make certain that they had adequate insurance limits, the right type of insurance, and that we are included as a named insured and/or additional insured on the policy. Or, we may decide we understand enough about physical security that we don’t want to outsource it.
We have a great security team, continuous video monitoring, state-of-the-art biometric access controls, and we have good risk management techniques in place to detect, prevent and manage risk events, but we know that we are still going to have some residual risk, so we have to decide how we want to finance it. Here are a few examples:
Option 1: Pay-as-you-go: other than workers’ compensation and auto liability in most states, there is no legal requirement to purchase insurance. You don’t have to purchase liability insurance, professional liability, cyber, etc… You would be surprised how much insurance is not purchased and companies go “bare” just writing checks out of their general funds. Some don’t even budget for it. So, an unplanned risk event is an operational surprise and a financial surprise. I don’t recommend option 1.
Option 2: Self-insure: you can self-insure almost any risk as allowed by law. In many states employers can qualify to self-insure even mandatory insurance such as workers’ compensation and auto liability – you have to go through a lot of rigger, but it can be done. For the rest, you can self-insure in different ways and with different retentions.
Option 2A – self-insure 100% – this is different than pay-as-you-go, as you will record not only the liabilities on your balance sheet, but reserves for what your losses might be.
Option 2b – take a high deductible or retention, but purchase an insurance policy. Meaning insuring the first layer of the loss up to a limit that you are financially comfortable or to the level that insurance carrier is willing to offer.
Option 3: Trust/Captive – you might establish a formal trust or a Captive to take on a large portion of the risk and then purchase insurance or re-insurance.
As I’ve indicated in Part 1 and 2 of this series, buying insurance is not like buying widgets. The insurance market place has limited capacity and through the underwriting process will limit the amount of retention you can or will want to take – high or low, how much insurance you can buy, and if you can even get insurance. Even on a good risk, when dealing at the enterprise level you will get more rejections than quotes.
In insurance – cheap is cheap. You get what you pay for. If you go for the lowest quote without looking at the terms of the coverage and without considering the carriers’ ability and willingness to pay, you won’t have a risk management job for very long.
Generally, insurance policies impose upon insurance companies two important duties: the duty to defend and the duty to indemnify. If a business is sued and the claims asserted against it are potentially covered by an insurance policy, then its insurance company has a duty to defend the business – i.e., the insurance company must pay for the defense of the case.
In addition, if the claims are covered by the policy, then the insurance company has a duty to indemnify the business for liability up to the limits specified in the policy (after any applicable deductible). So, why do some claims not get paid?
- The risk event is not covered
- The application completed by the insured was inaccurate
- The insured misrepresented the risk, their risk event history, their ability to manage the risk
- The insured did not report the claim soon enough
- The insured did not cooperate with the insurance company once the loss occurred
- The insured has 2 or more policies that cover the same risk event – so the insurance companies argue for years over who will pay
- I could go on….
Having a good insurance broker as a business partner (with a rock solid Errors and Omissions insurance policy) is as important as selecting your insurance carriers. The broker can help you understand what you are buying, who you are buying it from, and because of their buying power they can help to get your claims paid.
Recall that I started out with “Insurance is just one tool in the Risk Managers belt, sometime it is their favorite tool…” In addition to a solution to the residual risk problem, insurance can be a great change agent. Sometimes, it is easier to get people to change because the “insurance company requires….” than it is for the Risk Manager or the CISO to say, “This is the best way to manage this risk…” We will explore this further in this series.
Well, that was the basics, I surely left something out, so please contact me and contribute.
Next, we will move on to “What are we trying to insure?” In the IT environment many may think that running out and getting a “Cyber” policy will do the job” – I say that depends….
Included is an addendum that will build-out as we progress through the series, a dictionary of sorts with “text book” and “real world” explanations.
If you would like to comment or contribute additional information on this topic, please comment below or email Grace at email@example.com
Capacity: The amount an insurer can insure, which is limited by financial strength, regulations, debt covenants and other factors. All insurance companies or syndicates have limited capacity. I recall a meeting with an underwriter on fine arts at the end of a long day, he sat down and immediately state that, “I’m done, not going to write any more fine arts coverage this year!”
Captive: A captive is an insurance company created and wholly owned by one or more non-insurance companies to insure the risks of its owner (or owners). Captives are essentially a form of self-insurance whereby the insurer is owned wholly by the insured. A Captive has the benefits of formalizing your self-insurance program; you have a board, governance documents, and generally better financial controls.
Errors and Omissions Insurance (E&O): Is a professional liability insurance that protects companies and individuals against claims made by clients for inadequate work or negligent actions. In the case of an Insurance Broker, their E&O policy can come into play if there ends up being problems with a particular insurance policy and associated claims. The E&O policy provides another layer of protection to ensure that your organization is properly protected. Errors and omissions insurance often covers both court costs and any settlements up to the amount specified on the insurance contract
Reinsurance: Protect an insurer in circumstance when large individual claims or large numbers of smaller claims as a result of a catastrophe or other unforeseen circumstance threatened to cause catastrophe for the insurance companies own balance sheets. Think of it as insurance for insurance companies. Reinsurance involves underwriters sharing out parts of their risk portfolios so that the risk can be more equally shared – far better for insurers, and for claimants. Excess of loss reinsurance provided a new way of apportioning risk between reinsurers and is widely used.
Syndicate: A self-organizing group of individuals, companies, corporations or entities formed to transact some specific business, to pursue or promote a shared interest. In most cases formed groups aim to scale up their profits. Unlike many other insurance brands, Lloyd’s is not a company; it’s a market where our members join together as syndicates to insure risk. Much of Lloyd’s business works by subscription, where more than one syndicate takes a share of the same risk. Business is conducted face-to-face between brokers and underwriters in the Underwriting Room.
Trusts: Unlike insurance purchased through traditional insurance companies, an organization might self-insure and set aside the money for anticipated claims and other costs in a Trust. The Trust is simply a financial vehicle –it as an isolated account that has governance documents that dictate what it can be used for, versus general funds that are discretionary. Often a Trust will consist of a homogenous group of risks with similar exposures. This allows the Trusts to minimize the “peaks and valleys” of pricing over the long term. Basically, the Trusts can provide long-term rate/premium stability unlike traditional insurance companies.
Underwriting: The process of gathering information about an insured, its industry, region, and other factors along with using modeling of data to understand the risk and develop the appropriate premium to cover the expected losses that might arise from that risk. Insurance underwriters evaluate the risk and exposures of potential clients or insureds and then make a decision whether they want to provide coverage and how much.
Wording: The wording or written language in the insurance policy itself is intended to provide protection for the insurance company and to eliminate loopholes in coverage. Policy wording is open to interpretation by the courts.
There are even “wording specialists” employed by the carriers. It is good to take the time and meet with the wording specialist as they can be extremely helpful in crafting the language that you desire and in establishing a clear understanding between you and the carrier.
Keep in mind that ambiguity in an insurance policy is not always a bad thing, in many jurisdictions if the language is ambiguous then the court as a matter of law will rule in favor of the insured and not the insurance company.