Seeking Clarity for Cyber Cover
It was a black-or-white question: Do you have procedures for responding to allegations of a privacy breach?
But the answer was a shade of gray for the University of Wyoming, which was applying this year for its first cyber insurance policy.
“The answer might be yes, we have procedures, but they might be different for our two medical clinics than they would be for the accounts receivable department,” said Laura Peterson, chief risk officer for the university, in Laramie, Wyo.
Similar conundrums are confronting risk managers around the country as they apply for cyber coverage. Risk managers are finding that the cyber application process is more taxing than it is for traditional insurance — especially for organizations analyzing coverage for the first time.
It’s the difference between buying a couch for the living room, and trying to install a home wireless network that syncs with computers, televisions and stereos, said John Mullen, chair of the U.S. data privacy and network security group at the law firm Lewis Brisbois. “It’s just a whole different level of complexity.”
Interest in policies has spiked over the last year, prompted by high-profile data breaches, including one that has cost retailer Target Corp. nearly $150 million to date. Insurance covered about $38 million of the total, according to the company.
When cyber insurance first emerged in the late 1990s, insurers sometimes hired third-party vendors to test the network security of organizations as part of the underwriting process. They also would schedule meetings with clients to review their cyber defenses.
Today, most insurers rely on applications boiled down as much as possible to yes-or-no questions. The forms serve as a handy checklist for cyber security efforts, according to brokers and insurers, but the answers don’t come easily.
“Many customers are very uncomfortable with that binary sort of yes-no response because it’s not 100 percent ‘yes,’ and it’s not 100 percent ‘no,’ ” said Greg Gamble, a director at Crystal & Company, a brokerage in New York City. “A lot of the time that we spend with clients is helping them pick yes or no, and then how to explain the answer.”
Companies, for example, worry about how an answer looks to the insurer, Gamble said. An application might ask whether a company outsources its information security management to a qualified firm. “What if you say, ‘no’? Is that bad?” Gamble said. “Maybe you have an employee who handles it.”
Risk managers also often have to hunt for the answers, whether from internal staff or external vendors. And colleagues in IT may perceive the application for insurance as second-guessing their efforts to protect data.
“I can understand why that would be a difficult pill to swallow,” said Anne Corona, managing director and U.S. practice leader for cyber insurance at Aon Risk Solutions. “But I think everyone understands that this isn’t a criticism, but an added level of protection, really, from a financial perspective.”
At the University of Wyoming, Peterson contacted the IT staff to lay the groundwork before she started lobbing questions. She explained that cyber coverage was not a reflection of the department’s work, but a necessary safeguard. And despite good intentions, accidents can happen, she added, just as they do in other university departments. An employee could click on the wrong link in an email, or lose a flash drive.
“We didn’t have any trouble getting them to help us complete the parts of the application that we needed their help with,” Peterson said, noting that she also needed assistance from administrators in other areas, such as finance.
One question asked for the percentage of revenue from credit card transactions, Peterson said. But revenue for a university is different from revenue for a business. Peterson put down 9 percent, and explained the sources of revenue, including state and federal funding.
“We want to give them as much information as possible,” she said.
Since their answers could come back to haunt them in a coverage dispute, risk managers and other insurance buyers need to take extra care.
“If they make a representation in an application that they have certain security measures in place and those security measures aren’t followed … or aren’t actually in place, then the insurance company could conceivably use that as a basis to avoid coverage if there is a claim,” said Brooke Yates, a partner in the litigation department at the law firm of Sherman & Howard in Denver.
Past breaches, if they’re not reported on the insurance application, also could become an issue, said Tracy Tenorio, a senior vice president and account executive at ABD, a commercial brokerage in San Mateo, Calif. Insurers bind coverage on the understanding that the client is not aware of anything that could lead to a claim, Tenorio said. Questions about that awareness are often the first place an insurer will look after a claim.
“The good thing is that the carrier will often ask the client, ‘OK, we need to talk about this because this is what I believed the risk to be; this is how you answered the question. What am I missing?’ ” she said.
Smaller companies, already worried about the perceived cost of cyber insurance, may be turned off by the application process before they even begin, said Reza Khan, executive vice president of ThinkRisk Underwriting Agency in New York City.
“From our experience, many cyber applications are not designed with the typical small to middle-market firm in mind,” Khan said.
ThinkRisk recently introduced a 21-question application for a new admitted cyber/privacy product. The questions reflect the company’s concern that many firms won’t understand typical cyber jargon.
“Quite frankly, when you’re entertaining a $10 million dental practice, how much technical underwriting information do you really need to properly assess and price their exposures?” Khan asked.
Others are seeking to streamline applications as well. Allied World North America, for example, offers an application that asks only a few questions if companies have fewer than 50,000 records, according to Josh Ladeau, cyber practice leader for the insurance carrier. Policies are capped at a limit of $1 million.
Companies may not fully understand how many records they actually have, Ladeau added. But Allied World is confident it has the underwriting experience to tell if a business is undercounting. “Even smaller retailers will have more than 50,000 transactions,” he said.
Once they get through the application process, risk managers still have to sort through products that can be difficult to compare.
Approaches to notification costs are among the variables. Some insurers offer an overall sublimit, while others provide limits based on the number of people being notified, said Sheri Pastor, partner and practice leader for the insurance coverage group at the law firm McCarter & English in Newark, N.J. Some carriers require the use of prescreened vendors to deal with a breach, while others allow policyholders to choose their own.
“It is not unusual for a risk management department to take a long period of time to analyze these products, and then decide which to place,” Pastor said. “Many companies can explore them for months, if not a year or more, with their renewal cycles coming and going.”
Risk managers also must be alert to the ways a cyber policy could interact with their other policies and exclusions, brokers and insurers said.
Emerging risks are another factor to consider. Content liability is overlooked in many cyber policies, for example, but could pose a threat, said Ken Goldstein, worldwide cyber security manager for Chubb Group of Insurance Cos. Businesses could face claims if a competitor believes it is being disparaged in an online ad, or a person’s image is being misappropriated.
“There’s real claims activity in this area,” Goldstein added.
At the University of Wyoming, Peterson grappled with decisions about breach-response and credit-monitoring services. Depending on the scope of a potential breach, the university might have to notify people in every state. It has 13,000 undergraduate and graduate students, as well as thousands of alumni around the country. In addition, thousands attend concerts, football games and other events at the university.
“You can listen to other people who have had breaches, but they’re all very, very different, depending on whose information was breached and what information was breached and what state is affected,” she said. “So it’s really just hard to know.”
Brokers have helped Peterson sort through the details. But, she added, “Ultimately, it still comes down to me trying to assess what’s most likely to happen here or, even if it’s not what’s most likely, it’s where are the places where we’re going to want the most assistance, and that’s an institution-by-institution analysis.”
Redefining In-House Counsel
Twenty years ago, the in-house lawyer might have drafted a detailed memo warning fellow executives to steer clear of some legal pitfall — and then moved on.
But for general counsel today, a strictly advisory role no longer suffices. Once stereotyped as risk-averse deal-killers, attorneys are more engaged than ever in business decisions. As a result, they are just as likely to be managing risks as urging colleagues to avoid them.
It’s a trend with implications for risk managers, who are seeing general counsel take a more active role in matters ranging from buying insurance to developing crisis management plans.
“It’s been a sea change over the past couple decades,” said Veta T. Richardson, CEO of the Association of Corporate Counsel, an international membership group based in Washington, D.C. “General counsel have evolved beyond just being looked at as someone you go to to ask for legal advice.”
The evolution is driven by several factors, boiling down to the growing complexity of law, business and technology, according to Richardson and other observers. Regulations are proliferating both in the United States and in other countries. And regulators seem to be taking a more aggressive approach in areas such as privacy, anti-corruption, antitrust and tax avoidance.
Insurance policies are another area of growing complication, according to Finley Harckham, a shareholder with the law firm Anderson Kill in
Counselors De-Code Policy Language
While insurers and policyholders often battle over claims, the disputes drew more attention after Superstorm Sandy in 2012, said Harckham, who represents policyholders. Companies learned that buying insurance did not mean they’d be covered.
Harckham advises in-house attorneys to scrutinize insurance contracts and bring their legal knowledge to bear. “Lots of policies have clauses which stack the deck in favor of the insurance companies and against the policyholder, and it’s important for in-house counsel to evaluate those clauses before they end up in the insurance policies,” Harckham said.
While the review might cause friction with risk managers, who might feel they are being second-guessed, he said, it can help both parties by avoiding contested claims and unforeseen exposures.
“I have seen it work well and it ought to work well, because the lawyers can add value to what the risk manager’s doing,” he said.
Even as they share the load, risk managers will still be needed. But like in-house attorneys, they also may have to take a broader view of their companies, especially as risk management matures, said Donna Epps, a Dallas-based partner with Deloitte Financial Advisory Services.
“Those people who don’t move with it run the risk of losing the value that they’re bringing to the organization,” she said.
Teamwork Boosts Value
Successful risk managers already seek input from across their companies as they develop risk-transfer strategies, said John Peterson, Chicago-based co-leader of U.S. retail sales for Aon Risk Solutions.
From attorneys, risk managers can learn about a company’s most pressing legal risks. Attorneys can learn from risk managers about insurance policies or other solutions that might help address those risks, Peterson said.
“That teamwork certainly has proven to be quite effective.”
Attorneys also may help in probing the root causes of recurring claims, added Bryan Jones, global and Americas head of dispute advisory services for KPMG in Dallas. To understand the changing role of general counsel, the consulting firm surveyed in-house lawyers worldwide in 2012 and 2014.
“General counsel want to contribute value by not only reacting to claims but also by preventing them,” Jones said, adding that attorneys are less risk-averse than the images of old. “General counsel that we interviewed recognize that there has to be some risk-taking to run a business. Their contribution can be to help evaluate and manage that risk.”
But while in-house lawyers may be pitching in more often, risk managers still report primarily to CFOs, controllers and other finance executives. According to Aon’s 2013 Risk Management Survey, 51 percent of risk management departments reported to finance, down from 62 percent in 2009. Nine percent reported to the general counsel, compared to 8 percent in 2009. Highlighting greater executive attention to risk management, 12 percent of departments reported to CEOs, up from 6 percent in 2009.
Diversify Knowledge and Services
At PubMatic, an advertising technology company based in Redwood City, Calif., risk management has been shared by the legal and finance departments, according to Nadine Stocklin, the company’s general counsel.
Besides contributing her legal knowledge, she also learns as much as she can about the company’s operations and tries to become involved early on in new initiatives, such as partnerships and acquisitions. The efforts paid off after the vice president of finance left, and she took over insurance buying.
“If I didn’t understand the business, I wouldn’t know what to say to our insurance broker about what we need to be covered,” she said. “Now, I’m the primary liaison with our broker.”
Stocklin follows what she calls a balanced approach to risk management that accounts for both the risks and rewards of business. “Legal is often viewed as a roadblock,” she said. “So I think it’s important for people to see that I’m doing this risk-reward analysis on a day-to-day basis to understand what’s best for the company.”
At Safway, risk management gradually migrated from finance to legal over the last decade, said Curt Paulsen, who joined the company in 2003 as its first general counsel. Based in Waukesha, Wis., Safway is a scaffolding and worker access company with branches around the United States and Canada. The company also provides industrial painting and insulation.
When Paulsen began, he worked closely with the company’s CFO on risk management, which still came under finance. But after a few years, risk shifted to the legal department. A lawyer working under Paulsen now heads the company’s risk management department, Paulsen said.
The change stemmed, in part, from the legal aspects of handling claims, Paulsen said. But it also seemed to make sense, given the growing complexity and importance of risk management. “That doesn’t mean that, gee, you need a lawyer to do it,” he said. “But given its importance for some entities, I think it can quite easily, for some companies, just morph into the legal department.”
Where they don’t have direct oversight, lawyers often join risk management teams, and take part in risk management discussions, said Dan Cahoy, a business law professor in the Smeal College of Business at The Pennsylvania State University in State College, Pa.
“You could argue that we have some very special additional legal complexity that hasn’t existed in the past, and you’re not going to be able to quantify it unless you get some specialized legal knowledge at the table,” Cahoy said.
But lawyers are not always trained to make business decisions, Cahoy added.
“So, to the extent that you bring in a counsel whose answer is ‘no’ 99 percent of the time, that may not help your business.”
Much depends on the personalities of the people involved, Cahoy and others said, but risk managers and in-house attorneys can learn to work together, given that their expertise and their concerns often overlap. Both departments are charged with identifying what can go wrong and mitigating the damage.
“They’re both a slightly different approach to similar problems operationally,” said Laura Peterson, chief risk officer — and a trained attorney — at the University of Wyoming in Laramie, Wyo.
Conflict could arise, however, over issues such as when to press an insurer for coverage, Peterson said. A lawyer might want to fight, while a risk manager may have an eye on the costs of outside counsel. On the other hand, she said, a risk manager may want to contest a claim, to avoid setting a precedent and inviting even more claims. An attorney, with an eye on the strength of the legal case, might choose to settle.
Friction also can arise if in-house lawyers focus solely on legal issues, said Scott Goodreau, chief sales officer for brokerage HUB International in Chicago. “What’s important is for general counsel to ensure that they understand the fact that it’s not just about the legal risk,” he said. “It’s also about the total impact to the company.”
The greater tension, however, is not between attorneys and risk managers, said Eric Esperne, counsel in the legal department at Dell Inc., based in Canton, Mass. He has written and spoken about risk management for legal audiences.
“The friction is between people who want to or feel that it’s important to do risk analysis, and the business-development types that don’t want to hear it because they don’t want to hear any naysayers,” Esperne said. “All they care about is creating opportunities to generate revenue.”
Finding the Balance
With thousands of students traveling and taking the field every semester as part of campus sports clubs, leaders of The California State University system couldn’t afford to sit on the sidelines.
So when Zachary Gifford joined the system’s risk management office in 2008, he quickly found himself on a conference call with campus administrators who had been kicking around ways to mitigate the risks.
“The learning curve was like a black diamond ski slope,” said Gifford, associate director for systemwide risk management for the CSU system, based in Long Beach, Calif.
Administrators began scrutinizing sports clubs, which are separate from NCAA-sanctioned sports, after two fatal accidents involving students in the early 2000s.
“It was a serious exposure to the university that needed to be addressed, and it’s an example of something that every campus was handling a little differently,” said Cindy Parker, who works closely with Gifford and CSU in her role as vice president of operations for Sedgwick Claims Management Services Inc.
As Gifford hashed out a uniform approach, he had to balance the needs of 23 campuses ranging in size from fewer than 6,000 students to more than 35,000. Some had well-established sports clubs, while others were just getting started.
Ultimately, Gifford wanted to produce policies and procedures that every program could use, and that would not be seen as directives from above by campuses that treasure their autonomy.
For two years, Gifford and his fellow risk managers in the chancellor’s office worked closely with campus-based risk managers, club administrators and other university personnel to develop a comprehensive guide for club sports. A final document came out in 2010, and reflected Gifford’s collaborative approach.
“He really respected the comments and the input and, especially as a risk manager, was kind of able to see things from both sides if there was a little bit of push back and conflict between how a risk manager might see something, and how a practitioner might see something,” said Pam Su, campus recreation director at San Francisco State University. She helped lead implementation of the guide.
Some campuses, for example, balked at travel policies they felt were too onerous. The final guide allowed those clubs to essentially acknowledge they are traveling on their own, in non-university vehicles, outside university control.
Two years after the guide came out, the system launched an insurance program for club sports, giving campuses access to more uniform coverage. Clubs are required to have adequate insurance, but don’t have to go through the CSU program.
All but one or two campuses have opted into the program so far, Gifford said. He expects the coverage to eventually give CSU a better picture of the overall risks and a way to explore possibilities for self-insurance.
A new version of the guide is due out this fall, with revisions reflecting a recent survey of its users.
Overall, the feedback has been positive.
“A lot of the sports club administrators were actually really thankful for having some guidelines in place,” said Su.
Risk All Stars stand out from their peers by overcoming challenges through exceptional problem solving, creativity, perseverance and/or passion.