2015 Cyber Risk Rundown
Cyber risks are not confined to credit card data breaches perpetrated by malicious hackers, risk managers learned at the 2015 Cyber Risk Summit held Sept. 27-28 in San Francisco.
With virtually everything connected to the Internet today, a simple network disruption has the potential to shut down industrial control systems, perhaps even the power grid, according to Joe Weiss, an internationally known expert in industrial control system security who has conducted thousands of vulnerability assessments, amassing a database of more than 700 actual control system incidents with cyber origins.
“All too often, organizations have regarded cybersecurity as an IT problem,” Mr. Weiss said. “But it is not; it is a risk management problem,” he asserted during his provocative morning keynote address.
“Cyber risk is about governance, framework and controls, not technology,” concurred Scott Corzine, managing director and head of the risk management practice at FTI Consulting, who moderated a panel titled “Cyber Risk Mitigation: When Insurance Isn’t Enough.”
The conference opened with FBI Assistant Special Agent M.K. Palmore, who heads up the San Francisco division’s cyber branch, sharing details of criminal cyber investigations, and closed with the cogent warnings of reformed hacker-turned-consultant Jeff Moss, president of DEF CON Communications, who advised risk managers to “treat every network as if it has been compromised, just as you would treat every gun as if it is loaded.”
In between, the 2015 Cyber Risk Summit treated cyber risk like any other business risk, working through the steps of the risk management process in order: identifying the risk, quantifying it, evaluating and implementing risk transfer and risk mitigation strategies, and finally testing those strategies in an interactive exercise led by Matt Prevost, vice president, privacy & technology, and product line manager at ACE USA.
In some ways, the “Cyber Improv: Audience Participation Encouraged” session resembled improvisational theater, with members of the audience shouting out scenarios while a panel of legal, insurance and cybersecurity experts all discussed potential responses and their ramifications. Meanwhile, a player posing as a fictional plaintiff’s attorney literally “blew the whistle” each time a scenario or response indicated the potential for litigation.
During other sessions at the conference, attendees learned tips for securing coverage in today’s tightening cyber risk insurance market, with Southwest Airlines’ Corporate Insurance Manager Kristy Harris and the airline’s Chief Technology Officer Craig Maccubbin describing their joint presentation to underwriters with the support of their specialist insurance broker Lauri Floresca, a partner and senior vice president at Woodruff-Sawyer & Co.
“Passionate storytelling will sway cyber risk underwriters,” acknowledged Brad Gow, senior vice president at Endurance Specialty Insurance Ltd., during the “A Buyer’s Guide to Cyber Insurance” session, at which Meredith Schnur, national practice leader in Wells Fargo Insurance Services’ professional risk practice, advised risk managers to practice their presentations beforehand in a “dry run” with their brokers.
Becky Pearson, senior vice president in Willis North America’s FINEX Cyber and E&O team, provided a demonstration of the broker’s modeling software for determining the scope of an organization’s cyber risks to guide purchasing decisions, while Bill Hardin, managing director and vice president at Charles River Associates, offered some tactics that could be employed when such innovative technology is not available.
Without such models, cyber risk insurance buyers are often forced to rely on benchmarking to determine how much coverage to buy, explained Ethan Harrington, director, insurance and risk management, at H&R Block, moderator of “Quantifying the Impact of a Cyber Incident: How Long is the Tail?”
The 2015 Cyber Risk Summit also provided updates on laws and regulations governing cyber security, including the voluntary Cybersecurity Framework published by NIST (the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce), which many organizations are adopting as a risk management protocol. During a pre-conference cocktail reception and networking breaks, attendees also had the opportunity to consult with vendors of technology services designed to address cyber risks.
Altogether, approximately 100 people attended the conference, whose admission was restricted to risk managers, chief information security officers, chief technology officers, and a handful of risk management consultants, attorneys and cyber or technology service providers. All registration applications were subject to approval by . Insurers, agents and brokers were not eligible to attend, except as speakers.
The 2016 Cyber Risk Summit will be held Sept. 11-12 in San Francisco.