Cyber Security: Don’t Pay for a Landslide
At 8 p.m. on the evening of the 1960 presidential election, the television news networks reported Republican Richard M. Nixon leading Democrat John F. Kennedy by more than 400,000 votes in Illinois. The Chicago precincts were not included in those early figures.
When those precincts finally sent in their totals — very late that night — the voting tally produced a 9,000 vote margin for JFK and victory in the presidential race.
The announced “turnout” by the Daley political machine in Chicago was a historic 89 percent.
Thirty years later, allegations surfaced that mob boss Sam Giancana helped rig the election, partly by using money from Joseph Kennedy, the father of the incoming president.
We also became familiar with an alleged quote by the senior Mr. Kennedy, “Don’t buy a single vote more than necessary. I’ll be damned if I’m going to pay for a landslide.”
Cyber security today reminds us of the Joe Kennedy philosophy in Chicago in 1960.
The issue was succinctly expressed in 2007, when the executive director of information security at Sony Pictures reportedly said, “It is a valid business decision to accept the risk of a security breach. Sony would not invest $10 million to avoid a possible $1 million loss.”
Subsequently, a Sony unit experienced a destructive 2011 cyber attack that brought down its systems for 24 days and compromised personal details and other data on 77 million user accounts.
The attack resulted in more than 50 class action lawsuits, and caused a financial loss in the hundreds of millions of dollars.
In 2014, hackers struck Sony Pictures again. They lit up Sony websites with annoying sounds and threatening pictures, stole or erased software and data on 4,000 computers and servers, and publicly released completed and unreleased movie films, unfinished movie scripts, embarrassing emails, and salary data and Social Security numbers for 47,000 employees.
The event represented another loss in the hundreds of millions.
After the 2011 breach, we might ask, “Did Sony have second thoughts about what it should spend on cyber security?”
The evidence is not comforting, at least when we consider a lengthy July 2015 investigative article in “Fortune” magazine that documented a failure in the risk management culture at Sony Pictures.
A few days before the attack, Sony requested a meeting with a “threat-intelligence” firm to discuss protecting Sony against computer and system hacking.
A four-man team from Norse Corp. was sent to a room in the IT building that had unattended computers logged in to Sony’s international data network.
The magazine learned Sony Pictures assigned only 11 people to its information security team. The team consisted of a senior vice president, executive director, three directors, three managers and three information security analysts.
The presence of two high-ranking officers on the team seems to indicate top management interest in cyber security, but “Fortune” described problems with the personalities of Sony leaders and conflicts between U.S. and Tokyo executives.
The presence of only three security analysts seems to be inadequate for such a complex and visible organization, with 6,000 employees, $7 billion in revenues and dozens of subsidiaries and joint ventures.
At this point we could analyze the problems and suggest solutions. That would be redundant.
Suffice it to conclude that Sony needed a stronger and more proactive risk-awareness culture in 2007, 2011 and 2014. We don’t know if changes have been made. We can offer encouragement that is good advice for any organization evaluating its cyber risk management activities.
“Sony, don’t pay for a landslide but buy enough ballots to win.”
Three Producer Cyber Strategies
Cyber risk is still poorly understood by a lot of organizations. Agents and brokers are optimally positioned to help their clients get cyber under control. Here are three ways that a skilled producer can help clients prepare to manage cyber exposures.
Share the News: Cyber Risk Involves More than Customer Data
The headlines continue to focus on breaches that involve customer data, perhaps because so many people are potentially affected.
Agents and brokers can help clients measure and then prepare for the great variety of cyber risks, including first party exposures. Insureds may not be thinking about the costs of forensics, fines and restoration of systems and data in the wake of a cyber breach.
Perhaps the biggest threat is business interruption, whether from a targeted attack or a widespread outage of network services resulting from state-sponsored cyber terrorism.
Scott Addis, founder of “Beyond Insurance,” says “There is a misconception that breaches are caused primarily by hackers. Recent studies show that more than one-third of cyber breaches are caused by negligent or rogue employees.
“A well written cyber policy is far more expansive than just protection for the liability and response costs associated with a data breach. Policyholders may benefit from comprehensive protection including coverages such as network interruption, data restoration, reputational harm, social engineering, regulatory fines and penalties, and media liability, just to name a few.
“When a breach occurs, the board will be far more interested in the adequacy of coverage than the premium that was charged. Work with an expert.”
Use the Whole Toolbox
Producers sell insurance, and they help insureds understand policy choices and then match proper coverage to their exposures. But at a more fundamental level, insurance is just one tool in a risk manager’s toolbox. Especially for the mid-size and smaller organizations, the producer can serve as the de facto risk manager.
Consider all of the hygiene practices we employ to manage well-known risks like fire. We build to safety code standards, we equip buildings with sprinklers and extinguishers, we don’t store greasy rags next to the boiler, and we conduct fire drills. We do all that to mitigate the fire risk, and then we buy insurance.
A savvy producer can help a customer embrace that same approach with cyber risk. Mitigate the exposure by good cyber hygiene, understand the first party risks, understand that employees are still the biggest area of vulnerability, and only after that buy cyber risk insurance.
Read the Policy, and Then Read it Again
Stephanie Snyder, national cyber sales leader with Aon Risk Solutions, says that “cyber insurance policies are consistently inconsistent. There are over 60 cyber insurance markets that offer 60 different policy forms. These forms may contain different coverage triggers, definitions and exclusions.”
She says that no cyber policy should be bound “off the shelf.” Due to the unique needs of every organization and the inconsistency in policy wording, “all cyber policies require coverage to be manuscripted.”
To get to the right policy that properly addresses the client’s cyber exposures, the producer must consider the industry exposure and specific customer concerns. “Ask questions,” Snyder advises.
“The dynamic nature of cyber risk means that just as your clients are trying to address their enterprise cyber risk exposures, the underwriters are trying to understand potential losses and how to underwrite to them. The evolving nature of cyber risk means that to an extent, we are all learning together.”
Helping Investment Advisers Hurdle New “Customer First” Government Regulation
This spring, the Department of Labor (DOL) rolled out a set of rule changes likely to raise issues for advisers managing their customers’ retirement investment accounts. In an already challenging compliance environment, the new regulation will push financial advisory firms to adapt their business models to adhere to a higher standard while staying profitable.
The new proposal mandates a fiduciary standard that requires advisers to place a client’s best interests before their own when recommending investments, rather than adhering to a more lenient suitability standard. In addition to increasing compliance costs, this standard also ups the liability risk for advisers.
The rule changes will also disrupt the traditional broker-dealer model by pressuring firms to do away with commissions and move instead to fee-based compensation. Fee-based models remove the incentive to recommend high-cost investments to clients when less expensive, comparable options exist.
“Broker-dealers currently follow a sales distribution model, and the concern driving this shift in compensation structure is that IRAs have been suffering because of the commission factor,” said Richard Haran, who oversees the Financial Institutions book of business for Liberty International Underwriters. “Overall, the fiduciary standard is more difficult to comply with than a suitability standard, and the fee-based model could make it harder to do so in an economical way. Broker dealers may have to change the way they do business.”
As a consequence of the new DOL regulation, the Securities and Exchange Commission (SEC) will be forced to respond with its own fiduciary standard which will tighten up their regulations to even the playing field and create consistency for customers seeking investment management.
Because the SEC relies on securities law while the DOL takes guidance from ERISA, there will undoubtedly be nuances between the two new standards, creating compliance confusion for both Registered Investment Advisors (RIAs) and broker-dealers.
To ensure they adhere to the new structure, “we could see more broker-dealers become RIAs or get dually registered, since advisers already follow a fee-based compensation model,” Haran said. “The result is that there will be likely more RIAs after the regulation passes.”
But RIAs have their own set of challenges awaiting them. The SEC announced it would beef up oversight of investment advisors with more frequent examinations, which historically were few and far between.
“Examiners will focus on individual investments deemed very risky,” said Melanie Rivera, Financial Institutions Underwriter for LIU. “They’ll also be looking more closely at cyber security, as RIAs control private customer information like Social Security numbers and account numbers.”
Demand for Cover
In the face of regulatory uncertainty and increased scrutiny from the SEC, investment managers will need to be sure they have coverage to safeguard them from any oversight or failure to comply exactly with the new standards.
In collaboration with claims experts, underwriters, legal counsel and outside brokers, Liberty International Underwriters revamped older forms for investment adviser professional liability and condensed them into a single form that addresses emerging compliance needs.
The new form for investment management solutions pulls together seven coverages:
- Investment Adviser E&O, including a cyber sub-limit
- Investment Advisers D&O
- Mutual Funds D&O and E&O
- Hedge Fund D&O and E&O
- Employment Practices Liability
- Fiduciary Liability
- Service Providers D&O
“A comprehensive solution, like the revamped form provides, will help advisers navigate the new regulatory environment,” Rivera said. “It’s a one-stop shop, allowing clients to bind coverage more efficiently and provide peace of mind.”
Ahead of the Curve
The new form demonstrates how LIU’s best-in-class expertise lends itself to the collaborative and innovative approach necessary to anticipate trends and address emerging needs in the marketplace.
“Seeing the pending regulation, we worked internally to assess what the effect would be on our adviser clients, and how we could respond to make the transition as easy as possible,” Haran said. “We believe the new form will not only meet the increased demand for coverage, but actually creates a better product with the introduction of cyber sublimits, which are built into the investment adviser E&O policy.”
The combined form also considers another potential need: cost of correction coverage. Complying with a fiduciary standard could increase the need for this type of cover, which is not currently offered on a consistent basis. LIU’s form will offer cost of correction coverage on a sublimited basis by endorsement.
“We’ve tried to cross product lines and not stay siloed,” Haran said. “Our clients are facing new risks, in a new regulatory environment, and they need a tailored approach. LIU’s history of collaboration and innovation demonstrates that we can provide unique solutions to meet their needs.”
For more information about Liberty International Underwriters’ products for investment managers, visit www.LIU-USA.com.
Liberty International Underwriters is the marketing name for the broker-distributed specialty lines business operations of Liberty Mutual Insurance. Certain coverage may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds and insureds are therefore not protected by such funds. This literature is a summary only and does not include all terms, conditions, or exclusions of the coverage described. Please refer to the actual policy issued for complete details of coverage and exclusions.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty International Underwriters. The editorial staff of Risk & Insurance had no role in its preparation.