By MATTHEW BRODSKY, senior editor/Web editor
Who should know best about cyberliability and ways to mitigate it? You would think those risk managers in the industry perhaps most exposed to digital data and online exposures: the retail industry. Insurance brokerage Aon recently attempted to distill the experience and practices of 25 of these retail risk managers (including those at firms that do not use Aon as a broker).
The resulting survey covered other issues besides cyberliability, but some of the most intriguing findings dealt with e-exposures. For instance, 59 percent of respondents said they do not purchase cyberliability insurance and instead rely on loss prevention measures.
"I wasn't really surprised," said Len Churnetski, managing director of Aon's retail practice.
STANDARDS SET HIGH
Why? Retailers have tough outside standards to meet, such as the Payment Card Industry (or PCI) Data Security Standards, which were established by the credit card industry to protect its customers' private data, according to Churnetski.
Then came the T.J. Maxx incident, when a loss from a data breach snowballed into the hundreds of millions in losses for the discount-store operator. It caught everyone by surprise, said Churnetski.
Now board members at retail firms are going down to their IT departments and saying, "Hey, we are complying with all these standards, aren't we?" said Churnetski.
Retail risk managers concern themselves with their in-house IT security and also must make sure their vendors are meeting the PCI standards. If not, they might even induce them to purchase cyberliability insurance.
"That's what drives them to decide, 'Well, do we need some kind of risk transfer for this exposure, or have we absolutely done everything to make certain that we have the best possible standards in place?' " said Churnetski.
The broker added that Aon is coaching retail clients to consider risk transfer as an alternative and has seen increased interest in proposals and quotes for coverage.
But he still understands the retailers' loss-prevention-first mindset. After all, even if a retailer has insurance to cover a cyberbreach, an event would still damage its organization--say, with a hit to its reputation.
Churnetski was surprised and amazed by the level of effort that goes into protecting data and the talent that retailers have in-house to do it--though oftentimes, it's not the risk manager he was talking about.
Without naming names of course, Churnetski mentioned one retail risk manager he's spoken with who told him that, when it came to IT, "I have no idea what we have in place internally."
At another retailer, though, Churnetski found out that the risk manager had a seat on the company's privacy council. That retailer views customer data as "sacred," said Churnetski.
"They really drive it through the organization," the broker said.
January 19, 2009
Copyright 2009© LRP Publications