April 1, 2016 by Jason Contant, Online Editor
Insurers who underwrite cyber insurance may want to consider less “absolute” questions during their coverage questionnaires, a speaker suggested on Thursday at the 2016 International Cyber Risk Management Conference (ICRMC), held in Toronto.
“I was the one that completed the underwriting questionnaire and it’s actually a very hard instrument to complete because it’s typically absolute,” said Rick Haier, chief security officer at eHealth Ontario during a session titled Risk Manager Views. “It asks questions like: ‘Do you patch?’ Yeah. ‘Is your data encrypted?’ Yeah. But I don’t patch all systems and not all my data is encrypted,” he explained.
Although Haier acknowledged that cyber insurance is evolving, he suggested that organizations and insurers could work together to “square that circle.” “You’re fearful should you have a claim, is that going to be brought back out?” he said.
Tracy Dallaire, chief internal auditor, chief risk officer and chief compliance officer, also at eHealth Ontario, said that at each renewal time, the organization revisits their cyber insurance coverage. “I expect we will continue to annually need to revisit what the scenarios look like, the type of data that is there,” she said. “Which parts of our various insurance would cover [the risks]?” she asked. “Do we have any gaps or are we overcovered in some areas?”
Dallaire noted that when eHealth Ontario purchased their coverage, there was less data in the system, but it is “evolving and growing.” Now they have “more and more clinicians coming live onto the usable electronic health records, both in the acute care setting, which is in our hospitals, as well as in primary care, or family doctors,” she said.
Another speaker was Derek Tang, manager of risk and insurance at Metrolinx, an agency of the government of Ontario that was created to improve the coordination and integration of all modes of transportation in the Greater Toronto and Hamilton areas. He told conference attendees that the agency has gone back over the last 24 months or so and looked at the terms and conditions and gaps in its cyber insurance coverage. “In the last renewal, I increased my policy limit and in fact, we are in the process of doing a risk assessment [to see] how much more policy limit I need to purchase,” Tang reported. “We probably need to enhance with this upcoming renewal.”
The only speaker who said they currently do not use cyber insurance was Martin Loeffler, director of information security and enterprise architecture at the University of Toronto. Loeffler told the audience that the UofT’s major tool for managing risk is a risk assessment process that looks at assets, controls, and strategies such as threat intelligence, vulnerability assessments and continuous monitoring. “In the context of central systems, such as HR and finance, controls are every bit as strong as you would find in a more corporate sector,” he said.
Each of the speakers’ organizations relies on enterprise risk management (ERM) frameworks or risk assessment processes. Haier said that eHealth Ontario uses a ‘cybersecurity scorecard’ to measure about 100 different controls, capacities in place and cybersecurity function against the threat landscape “and uses those as a proxy for risk. This forms our baseline – we use this to set priorities on where we will make investments, in decisions around where we will reduce risk or accept risk for a period of time.”
Tang said that when Metrolinx’s ERM framework was introduced about four years ago, cyber risk wasn’t considered a serious risk. “I would say three or four years ago while we were tracking it, it was more of a low, medium type of risk,” Tang said. But as of “about 18 months ago, I would say we see that as a medium to high risk.” For organizations starting out, he suggested creating a privacy database inventory, which outlines which program or application in each department handles private information. “Once you have that, you can easily look at what’s really critical, what’s not.”
Loeffler said that, from the university’s perspective, the different sources of cyber risk are all viewed as having potentially the same severity. “The assets that are compromised are all the same regardless of the avenue that they go through,” he said, adding that the university is currently focusing its efforts on Internet traffic risks and phishing attacks.
For Haier, getting eHealth Ontario’s board of directors “to make risk appetite decisions is a very difficult conversation.” But by looking at high, medium and low cyber risks as a start, the organization was able to get the board to “gravitate” toward certain risk appetite statements.
“It’s almost like writing your will,” Haier said. “It forces you to think about and make decisions about things you’d rather not think about or make.”
The ICRMC was held on March 31 and April 1 at the Toronto Hilton in downtown Toronto.