On Monday, I had the honor of moderating the first breakout session at Business Insurance’s Cyber Risk Summit 2015 in San Francisco. More than 100 people (most of them risk managers) attended the session, which in this moderator’s humble opinion was an eye-opening look at cyber security and what risk managers need to know today about mitigating cyber risk. In this blog post, I’ll share the key points covered in the session and how they apply to risk, claims and safety managers.
The session was called “So You’re Not a Retailer, You’re Still a Target (pun intended),” which not-so-subtly makes the point that cyber risk is a threat to B2B businesses just as much as it is to retailers and other B2C enterprises. A key point that the panelists made was that even if your business doesn’t have customer data or payment information, cyber risk is still a major exposure for you.
Okay, who hasn’t heard by now that their organization needs to take cyber threats more seriously? I think attendees really sat up and took notice, however, when the panelists began talking about the many surprising forms cyber attacks and events can take. A particularly illustrative example of that was the exposure that manufacturers can have in their industrial control systems, where cyber attacks have led to unanticipated first-party damage to physical property.
In one example, cited here, hackers disrupted the control systems at a German steel mill, preventing a blast furnace from shutting down. The details of the physical damage aren’t publicly known, but the report by German authorities characterized the damage as “massive.”
Here’s where it gets interesting for risk managers: From the inception of cyber coverage, most policies have been focused on third-party loss scenarios like network breaches or viruses. “The goal was to cover a company for the liability it incurred due to a cyber event rather than its own losses,” as the report cited above notes. The upshot? The “massive” damage may well have gone uncovered even if the insured had cyber coverage.
I took away three key lessons from the session:
- Organizations need to understand who they’re doing business with (for example, vendors that provide outsourced systems such as the industrial control systems in a steel mill) and have a complete understanding of their third-party partners’ security frameworks and accreditations.
- Organizations need to understand their coverage (cyber, property, etc.) and what’s in and out: Mind the gap[s], as the London subway memorably puts it.
- There need to be organizational culture changes and investments that prioritize the evaluation of operations and business partners as seen through the lens of cyber risks and exposures (i.e., a top-down commitment to priorities like the two above).
My sense of the mood at the summit was that many of the attendees were feeling a bit overwhelmed by all the information and scenarios being thrown at them. However, Ventiv’s advice (based on our long experience in the world of risk management systems, claims management systems and safety management systems) is to address cyber risks as you would any other: set goals that your organization can meet, and continue to improve incrementally from there. As we’ve said before, analyze your biggest cyber exposures and set priorities around them. Then keep calm and carry on.
Stephen Rhee is CEO of Ventiv Technology. Contact Stephen at Stephen.Rhee@Ventivtech.com.