Copyright © 2003 Business Insurance

"Approaches to Handling IT Exposures Vary Widely"

December 1, 2003

By Michael Bradford

When it comes to protecting their companies from cyber risks, most risk managers are leaving the nitty gritty work to their information technology departments.

How involved risk managers become with IT varies. At some organizations, there is close communication between the two departments, while at others, there is little. Much depends on the corporate and risk management philosophies of the company.

But even at organizations where risk managers are on a first-name basis with their IT colleagues, it likely is understood that the technology experts are the ones to identify such risks as those posed by viruses, hackers or other threats to computer security.

In many cases, risk managers become advisers to IT departments, making sure those areas are aware of the types of technology-related risks the organization faces and putting together risk financing programs to cover the potential impact of computer security breaches.

"Risk managers are focused on the overall risk," said Peter Foster, Boston-based senior vp and co-leader of Marsh Inc.'s information risk advisory practice. IT departments, in turn, are looking at putting up security firewalls, protecting networks from intrusion and determining "what they are going to do in response" to a security breach, he added.

Elizabeth Morrell, senior risk analyst with The Southern Co. in Atlanta, chairs the technology advisory council of the Risk & Insurance Management Society Inc. She said that in talking recently with risk managers regarding their role in protecting their companies from hackers and viruses, the "almost universal" response was that none has a relationship with their IT department in which they directly address that exposure.

Ms. Morrell said her role at the Atlanta utility company has been to focus on the organization's risk management information system, a responsibility that entailed taking over some functions that previously were handled by the information technology department.

"With regard to risk management and its relationship to IT, it varies on an individual organization basis," said Catherine Dowdall, risk and insurance manager for the Ontario Lottery & Gaming Corp. in Sault Ste. Marie. "And it also varies with the role of the risk manager and how proactive the risk manager is within that organization."

Sandy Bragman, vp-risk management at Tenet Health Systems in Dallas and vp-technology on RIMS' Executive Council, agreed. Within a company that takes an enterprise risk management approach, a risk manager will have more IT involvement than will one at an organization that approaches loss control in a more traditional way, he said.

A company's business can also influence the extent of interaction between risk management and IT, according to Ms. Dowdall. A risk manager might be more directly involved in higher-level IT matters at an e-commerce business, she said, while at another type of operation, the risk manager's technology loss control efforts might focus more on computer security problems posed by desktop computers, e-mail and other, more general threats.

"I see my role as making IT aware of the potential exposures to the organization and bringing solutions to those exposures," Ms. Dowdall said.

"I am an expert in what I do, and they are the experts in what they do ... I don't tell them how to put patches on their systems. I say, 'Here are the coverages and the gaps in the coverages, this is what we need to protect.' If they think insurance is the end-all and be-all, I have to tell them that it's not," she said.

When the IT and risk management departments work together to dovetail their strengths in assessing technology risks, the organization has a strong loss control approach, Ms. Dowdall suggested.

For a multihospital operation such as Tenet, managing all the intricacies of a complex technology network is "way beyond my reach," Mr. Bragman said.

"Here, I have very little to do with IT," he noted. The level of expertise in that department is "very sophisticated," he said, noting that his job is to make sure that IT and risk management communicate and coordinate their approach to loss control.

"With each corporation, it's a different mindset," said Mr. Foster of Marsh. "The best model," he said, involves "putting together an e-risk team" to identify and determine how to protect against cyber threats. Such a team should be made up of risk management and technology professionals as well as members of the organization's legal and human resources departments, business section leaders, internal audit professionals and others.

Jan Wleugel, senior vp at Marsh in Toronto, said that "the first thing risk managers should do is work with IT and senior executives to point out that this is both a first-party and third-party risk." Risk managers who are able to become more involved in managing IT risks are those who get endorsements from their chief executive officers and chief financial officers, he noted.

That is accomplished, Mr. Wleugel said, in part by convincing senior management that the costs associated with protecting the organization from cyber threats need to be considered part of the company's overall cost of risk. It also helps to make sure management understands the potential loss to the organization from breach-of-privacy actions if confidential customer information is left unguarded in a computer system, he said.

There can be some philosophical battles between IT and risk management departments, though, Mr. Wleugel acknowledged. "We have seen that happen. IT typically looks at the risk and risk control measures such as firewalls and virus protection. They feel like they have engineered 90% of the risk out and typically they would assume that the remaining 10% is highly unlikely to occur."

That, Mr. Wleugel emphasized, "is a different approach than a risk manager would take," as the risk manager would consider that the 10% "has the potential for a catastrophic loss."

When risk managers are ready to cover cyber risks, they have a ready market that has matured over the last few years, observers say. "My assessment is that the players that were there three years ago are still the same," said Ms. Dowdall. "And we know where they want to be now with their property and liability coverages."

Mr. Foster said insurers can provide capacity of up to $200 million for cyber risks to protect against losses from viruses, hacking, corrupted data, data-recovery costs and other exposures. Underwriters also are willing to cover the expenses related to cyber extortion, he said, with insurance that pays the costs for responding to thieves who have stolen computerized information. Reward amounts paid to recover the information are part of the coverage.
