Captive.com logo

Captive Insurance News

Free Captive Wire Report

Tax Considerations for Captive Insurers

A FREE 16-page special report courtesy of Captive.com

Dig deep into important issues and trends in captive insurance. Download this FREE special report featuring practical knowledge and insights from nine respected captive insurance thought leaders!

Show Me My Free Report

RIMS 2016: The Cyber Conference

Kane RIMS Presentation
April 15, 2016

If cyber risk wasn't on the radar of every risk manager in the United States last year, it certainly is this year. No fewer than 10 workshops focused on the topic at the RIMS Annual Conference & Exhibition held April 10–13, 2016, and all were very well attended. Other sessions and workshops also addressed the topic.

"Cyber is not an emerging risk; it is the solutions for managing cyber risk that are emerging," declared Lori Goltermann, chief executive officer of Aon Risk Solutions U.S. Retail, at the Executive Forum panel discussion.

"Business interruption exposures from cyber attacks are a growing concern with corporations worldwide," she added.

Exposures emanating from the "Internet of Things" (IoT) were discussed in several workshops. David Mordecai, Ph.D., president of Risk Economics, Inc., explained that there were only 1,000 devices connected to the Internet in 1984; it rose to 17 billion devices in 2012 and is expected to increase even further to 26–50 billion by 2020. Each of the devices in this pervasive and ubiquitous network presents a possible point of attack for cyber terrorists and other bad actors.

In many ways, the IoT presents more significant risks than data breach. This is because disruption or failure of devices from cyber attack can lead to bodily injury, property damage, or business interruption.

"While there have been few successful tort liability suits brought by people whose data was breached, these other types of losses are likely to lead to legal liability or financial loss far greater than that involved in notifying and providing credit monitoring to those affected by a data breach," explained Dr. Mordecai.

"Just buying a cyber policy isn't enough," said Ms. Goltermann. "More time and effort must be spent on risk assessment and mitigation."

Gerry Kane, cyber security segment director at Zurich Services Corporation, recommends the National Institute of Standards and Technology (NIST) Cybersecurity Framework for managing the risks of the IoT. This involves five pillars:

1. Identify—perform a detailed risk assessment

2. Protect—train employees, install access controls, employ rigorous authentication methods, encrypt data

3. Detect—prevention is ideal but detection is a must

4. Respond—prepare a plan in advance

5. Recover—develop a plan

Awareness training of employees is one of the least costly mitigation activities that companies can implement and has a high payback, according to Mr. Kane. Many major hacks begin with some type of social engineering ruse to get past the security systems in place, and training employees can greatly reduce susceptibility to this. He also emphasized the importance of data encryption. Risk managers should ask information technology (IT) staff if all critical data is encrypted and make a case for it if not.

In summary, cyber risk awareness is moving from concern over data breach, which is proving to be a manageable exposure for most companies, to risk of bodily injury, property damage, and business interruption arising from the proliferation of devices connected to the Internet.

As Mr. Kane said, "It's not just an IT issue anymore!"

Pictured above, Gerry Kane stands next to an artistic summary of his RIMS presentation that was created by Stephanie Crowley of Chrysalis Studios, Inc.

Captive Insurance Company Reports
Follow Captive.com on Twitter

Twitter Feed