By CYRIL TUOHY, managing editor of Risk & Insurance®
In an interview with Risk & Insurance® Managing Editor Cyril Tuohy, Scott Clark, the new president of the Risk and Insurance Management Society Inc. (RIMS), talked about one of the most important emerging exposures that he foresees for risk managers: cyberrisk.
Q: Why are people not paying as much attention to this risk as they should be?
A: I haven't found this to be true. Cyberrisk has attracted quite a bit of attention within the risk management community in terms of insurance and other solutions. We are also showcasing two sessions at RIMS 2011 this year that focus squarely on cyberrisk.
Q: What exactly is it about cyberrisk that the RIMS membership is concerned about?
A: Cyberrisk is not a concern merely for RIMS members but for anyone with risk responsibilities within an organization. Cyberrisks are broad and far reaching and include theft of sensitive information, concern over solar flares, and concern over reputational risks that can result from social media or data theft.
Q: What kinds of RIMS membership companies are most at risk?
A: Cyberrisk is no longer a concern merely for tech companies, but for any organization that relies on technology for its operations and/or has a presence on the Internet. Today, this includes almost all organizations.
Q: What about the kinds of insurance policies out there to protect against these kinds of risks?
A: The insurance industry has responded to the emerging exposures by creating products to specifically address the new cyberexposures, while excluding those risks from traditional policies.
The insurance industry, however, cannot remain static when it comes to covering cyberrisks. As technology continues to evolve rapidly, transforming business and business exposures in new and unexpected ways, insurers must continuously adapt their products to meet the evolving exposures and to keep pace with rapidly changing technology and its risks. Organizations must remain in tune with those adaptations so that they can take advantage of them.
Q: You've mentioned that cyberrisk is going to feature prominently at the annual RIMS conference, which this year will be held in Vancouver. Can you give us a sense of what sessions will be developed around the topic of cyberrisk?
A: Our two sessions will be Cyber Security: Covering your assets and Public Entity
Background on the sessions:
Companies of all sizes, in all industries, face an inherent, unseen risk: information-technology security and privacy issues. Computer hacking and other cyberincidents, network security breaches, and loss of private and confidential information can be devastating to the organization's bottom line and reputation.
But network security and privacy issues are usually left to the IT folks, an endemic and costly error. While the average security breach of $206 might not sound significant, multiplied by thousands or millions of records, the total exposure may become astronomical.
Understand the risks to your company's data and critical systems, explore ways that information can be compromised and discover methods to mitigate it, including insurance solutions.
Q: What cyberrisk lessons can you take away from your experience as the risk manager for Miami-Dade Public Schools, one of the largest public school systems in the country?
A: Like all industries, Miami-Dade County Public Schools is more reliant upon technology than ever before to provide a quality education for the 345,000 students we serve daily.
Over the past few years, we have moved to such technologically sensitive areas as "online gradebook," where all teachers post student grades online. Additionally, the district is in the midst of an Enterprise Resource Planning (ERP) installation, replacing legacy systems which we have had for more than 30 years.
Part of the ERP installation includes all finance, benefits and payroll. Timely and accurate financial transactions for a $5 billion organization are crucial to getting vendors paid, as well as the safekeeping of taxpayers' funds. Paying salaries and providing employee benefits pursuant to labor contracts represent significant risks once all these transactions are converted to the new system.
Any internal or external threat to district systems could compromise the ability to provide instructional services (and) pay vendors for services performed, and result in unpaid employees with healthcare claims which are not properly adjudicated. All of these risks must be evaluated, with a proper determination as to what steps must be taken to insulate the district from risk of loss.
One of the significant cyber risks to Miami-Dade County Public Schools due to its reliance on systems is a major hurricane bringing down the entire information-technology area. This is why risk management and information technology work so closely together on issues such as these.
March 1, 2011
Copyright 2011© LRP Publications