The best story told about insurance is how it originated many centuries ago. Merchants used to load their goods into boats and travel down-river to a nearby market. Unfortunately, dangerous water conditions often tipped the boats, causing the merchants to lose all their possessions. Since this caused significant hardship for the merchants and their families, an alternative solution needed to be created.
The merchants decided that if they spread their possessions among several boats traveling to the market, chances were most boats would make it and they wouldn't lose all their possessions. This model worked originally, but unfortunately several conditions made it unfavorable over time, for example:
1. Some merchants didn't take good care of their boats, which were therefore more likely to sink.
2. Newer merchants were inexperienced navigating the waters and tipped their boats more frequently.
3. Some merchants started stealing the goods of other merchants.
Eventually wealthy merchants decided a different alternative was needed. They agreed to replace all the possessions of any given merchant for a small fee. With this model, every merchant would carry their own goods, and in the event their boat tipped traveling through the dangerous waters, the wealthy merchants would pay to replace all their possessions. Of course, the merchants decided the following rules would apply:
1. Any merchant with a boat in poor condition would be charged extra for their journey.
2. Newer merchants would be charged extra because they had less experience navigating the dangerous waters.
Of course, this story continued to evolve over many generations, but it gives you an idea of how insurance allows us to protect ourselves against the financial hardship of a loss.
Today insurance covers hundreds of possibilities. For example:
• Protecting you from financial loss when your home is damaged.
• Protecting your family against the financial loss of a critical illness or death.
• Protecting your business from the financial loss of damages, injury and interruption.
• Protecting yourself from the financial loss of lawsuits.
• Protecting you from the financial loss of a car theft or accident.
Insurance works by "pooling" risk with others. This simply means a group of people want to protect against a loss or exposure that could cause financial hardship. Since the "pool" is so large, the actual losses for a given loss or exposure "pool" can be projected. Obviously, not all people in the pool will have a loss at the same time. This allows third parties (insurance companies) to profitably cover losses or new exposures as they arise.
What do you think?
Malwarebytes released a study suggesting too many businesses are oblivious to the realities of cyber crime. Almost 40% of businesses reported having experienced some form of ransomware in the last year, and another 40% reported having paid a ransom to unlock their data. With an alarming 259% increase in the last year, it is hard to imagine how big the impact has been on businesses.
When working with executives on risk management, cyber risk can be one of the hardest areas to understand. Often CIOs, CISOs and IT directors are stuck with limited budgets to handle such large threats to an organization. Not to mention that the language of highly technical IT personnel can be very difficult for other executives to understand.
From an insurance perspective, cyber is one of those risks we can anticipate and handle accordingly. Organizations that take an active approach towards cyber strategy should engage their IT personnel with security and insurance professionals in order to tackle cyber risks holistically.
We wanted to take this opportunity to share a ransomware infographic posted by Malwarebytes.
The Privacy Commissioner of Canada released a follow-up to the investigation of the Ashley Madison (ALM) cyber breach, and executives should be familiar with the results. The commissioner commented: “It is not sufficient for an organization such as ALM, or any organization that holds large amounts of personal information of a sensitive nature, to address information security without an adequate and coherent governance framework.”
Here are 3 takeaways for executives on Cyber Security:
1. Harm extends beyond financial impacts:
Harm from data breaches is often framed in terms of identity theft and credit card fraud. The commissioner notes: “While impactful and highly visible, these do not represent the entire extent of possible harm. For instance, reputational harm to individuals is potentially high-impact as it could have a long-term effect on an individual’s ability to access and maintain employment, relationships, or safety depending on the nature of the information.” This is important given the recent United States court rulings holding otherwise.
Here is the story: Plaintiffs Cannot Bring Data Breach Lawsuits Without Evidence That Information Will Be Used To Harm.
It is possible an organization could be held liable for harm caused by a data breach. A standard Commercial General Liability policy will not cover these damages, and a separate Cyber Liability policy needs to be purchased to cover this exposure.
2. Safeguards should be supported by a coherent and adequate governance framework
The Privacy Commissioner notes that a security framework should be “consistently understood and effectively implemented.” In Ashley Madison’s case, regulators found 75 percent of the company's staff had not received general privacy and security training. Not to mention that the company displayed a “Trustmark” to consumers, implying information was being protected when in fact it was not.
Executives should have written security policies and procedures for the entire organization. Not only will this protect an organization and its consumers, but it will also provide documentation in the event of legal proceedings.
3. Documentation of privacy and security practices can itself be part of security safeguards
The commissioner notes: “Having documented security policies and procedures is a basic organizational security safeguard.” It is surprising how many organizations have nothing in place, especially when free resources are available, such as this Cyber Liability Toolkit.
Every executive should make security a priority for their organization. The commissioner notes this helps an organization identify and avoid gaps in risk mitigation, provides a baseline against which practices can be measured, and allows the business to reassess practices in an evolving threat landscape.
From a Directors and Officers liability perspective, we can’t stress enough how important it is for executives to take a proactive step towards cyber security. Something as simple as documenting privacy and security practices can help executives if there is ever a lawsuit.
Don’t wait until your company shows up in the headlines of a local newspaper; start engaging in a cyber strategy today.
See the full release by the Privacy Commissioner here: https://www.priv.gc.ca/cf-dc/2016/2016_005_0822_e.asp
What should you do about employees when it comes to cyber?
Human resource management focused on cyber is the process of training and educating employees on the cyber strategy. Keep in mind that poor human resource practices can lead to compromised systems and increased costs for an organization.
What steps can your human resources take towards an effective cyber strategy?
1) Planning - Human resource management needs to come from the strategic plan of an organization. If cyber is not part of the strategic plan then the organization will struggle to implement any initiatives and the strategy will ultimately fail. Having the entire executive team as part of the planning process is very important when it comes to cyber strategy.
2) Selecting - This can be one of the most difficult parts of any cyber strategy. Deciding a balance between security and functionality can be difficult. Often the more secure a cyber strategy is, the harder it can be for the entire organization to use the system. I suggest it is better to restrict access and grant permission on a case-by-case basis.
3) Orienting - The entire organization needs to understand the cyber strategy and their role in it before a plan is implemented. Just like orientating an employee to a new role, the onboarding process for a cyber strategy needs to be clear and communicated effectively. Once performance expectations are understood, it becomes easier for the entire organization to implement the cyber strategy.
4) Training - The long-term success of a cyber strategy depends on the strength of its users. Training should be viewed as an investment, in the same way that major purchasing decisions are made for an organization. The more people that understand and buy-in to the cyber strategy, the more likely the plan is to succeed.
5) Terminating - Unfortunately, human resource management requires making difficult decisions. If circumstances arise where an employee is not following the cyber strategy, termination may be necessary. Employment standards should be followed to give an individual the proper opportunity to buy in to the cyber strategy. In the event an improvement plan is not working, an employee should be terminated to prevent the entire cyber strategy from being compromised.
What do you think?
It is clear to most organizations that they face a growing cyber threat and that something needs to be done about it, but what happens if they don't?
The resulting loss of reputation, income and market positioning can be detrimental to an organization. Directors and Officers are subject to lawsuits brought by shareholders and regulators in the event of a cyber breach. Of course, this means the resulting lawsuit needs to be something that can be considered under the Directors and Officers liability policy. In most cases, Directors and Officers policies have not been modified to consider cyber-based claims, opening a big "grey area" when it comes to paying for legal defense.
Most boards should consider taking the necessary steps to ensure they are adequately protected from a cyber breach. Allegations of failure to properly prevent a cyber breach can be costly. Here are some steps to take:
1. Start the discussion - Surprisingly, many organizations have neglected to start the conversation around cyber security. It is time to bring the IT team to the discussion table to understand what is being done to proactively prevent cyber threats. Involve a professional risk manager in the conversation and consider using them for implementing a cyber strategy.
2. Update security practices - What is your organization doing to stay up to date when it comes to cyber security? Could you show all stakeholders that you have taken adequate steps to protect the organization from a cyber breach?
3. Insurance - It is surprising how many decision makers within an organization have no idea how their insurance policy will respond to certain events. A lot of that has to do with finding the right professional to administer a Directors and Officers liability insurance policy. Even then, most, if not all, of the expenses from a cyber breach will not be covered by a Directors and Officers liability policy. There are various other products available in the market to cover first- and third-party incidents arising from a cyber breach.
Has your board started or considered any of these points? As a director or officer of an organization, your personal assets can be on the line, and that is the last thing you want to happen. Make cyber security personal and have your board start the discussion around cyber strategy.
What do you think?
The Base Team
Insurance made easy. How can we make insurance better for you?