Canadian Underwriter

How to build a best-in-class cyber risk plan


March 23, 2018   by David Gambrill



Your commercial client is looking to put together a best-in-class risk management plan for dealing with a cyber event. What’s the first thing they need to do?

“An ideal plan starts with developing a team,” says Ruby Rai, manager of cyber and professional liability financial lines at AIG in Canada. “Not including all key stakeholders in planning stages is often overlooked. A robust cross-sectional team includes participants from risk management, HR, legal, marketing, operations and IT. External partners such as key vendors should also be included as they can be crucial to operational resiliency.”

In the best-laid plans, all stakeholders understand the organization’s cyber risk, potential threats and strategy in the event of an attack or a breach, she said.

Rai is speaking about cyber insurance and resilience as a panelist at the 4th annual International Cyber Risk Management Conference (ICRMC). Sponsored by MSA Research, the ICRMC takes place at the Metro Toronto Convention Centre on Apr. 11-12, 2018.

In an emailed response to questions from Canadian Underwriter, Rai said certain risk mitigation strategies separate prepared organizations from unprepared ones. “Some of these strategies include conducting proactive cyber hygiene checks, risk planning and modelling, and testing existing controls to hypothetical risk scenarios,” she wrote.

Testing is not only important for preparation, but also for helping to quantify the organization’s loss.

“A step that is often the most difficult is assessing [the] impact [of a cyber event] on business operations, which can be addressed by running hypothetical scenarios against existing controls,” Rai wrote. “This step can provide an estimate of financial impact to an organization. For attacks that cannot be fully mitigated, insurance plays a crucial role in reducing its impact and should be a part of discussion when developing a risk mitigation plan.”

Rai noted that more clients are starting to use insurance as a risk transfer tool for cyber losses. That said, business clients are increasingly focused on what additional tools insurance can provide in the event of an attack or breach. Cyber coverage needs will depend upon a client’s risk profile.

“For example, for utilities, energy or manufacturing clients, traditional cyber insurance might not address all cyber associated risks,” Rai wrote. “Clients within these industries focus on tangible losses, such as physical losses caused by cyber events. Some clients do not look at cyber insurance when reviewing their risk profile, but there are solutions available.”

