Risk managers should work closely with their IT departments, legal departments, and corporate boards to keep everyone informed as crisis management protocols are developed for the event of a breach. A risk assessment should be implemented that addresses data access controls, physical security of servers and IT hardware, employee training, and corporate IT policy. Cyber-crime needs to be considered a top business risk because of the interruption it can cause to a business and its supply chain.
Many companies, for the first time, are looking at purchasing cyber insurance. Risk managers should carefully review cyber policies, as the terms vary from insurance carrier to insurance carrier. Key provisions to evaluate carefully are the choice-of-counsel provisions and the retroactive periods. Companies may not want the insurance carrier to control the defense through its use of panel counsel. Further, retroactive dates need to go back further than the policy inception date. Another area of concern is exclusions that eliminate coverage for dishonest acts of employees, even though one of the frequent sources of cyber-attacks is employee misconduct.
The role of a risk manager in dealing with the company’s cyber security issues is more important than ever. Cyber breaches are occurring every day. If a company is not addressing its cyber security issues, it is leaving itself open to a potential breach which can result in serious negative consequences.