Michael Kelly 2016 (2).png

Managing your risk by Michael Kelly

NCACC Risk Management Director Michael Kelly writes a regular column on risk management for CountyLines. With more than 41 years of risk management/ insurance experience, he holds the CPCU - Chartered Property & Casualty Underwriter, ARM-P - Associate in Risk Management for Public Entities, CRM - Certified Risk Manager, ARe - Associate in Reinsurance and CIC - Certified Insurance Counselor Professional Designations. He can be reached at michael.kelly@ncacc.org or (919) 719-1124.  For archives of this column click here.

View All Posts

Oct 12

Cyber Risk –an evolving Exposure

Posted on October 12, 2012 at 8:50 AM by Chris Baucom

It is difficult to pick up an insurance or risk management trade publication today and not see at least one article on what is being labeled: Cyber Risk or Cyber Liability – which is an exposure to loss arising out of the breach, destruction or damage of data.

It is a complicated issue due to the rapidly changing nature of technology, and as the methods for accessing data grow almost exponentially, it will most certainly continue to evolve.  The issues are further exacerbated by the fact that insurance carriers tend to change both their underwriting posture as well as coverage design fairly slowly.  As such, in some cases, potential loss exposures are outstripping a carrier’s ability to respond.

The term “Cyber” is a fairly broad concept. Standard insurance policies tend to cover “tangible” assets (computers, mainframes and related networking hardware) but the primary cyber exposure stems from the fact it is an intangible asset (computer data). There are unique perils related here, such as malicious computer code, i.e.  viruses, to actual data theft, cyber extortion, website damage through hacking, and hactivism.
Hactivism is broadly defined as the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose. The individual who performs an act of hacktivism is said to be a hacktivist.  A hacktivist uses the same tools and techniques as a hacker, but does so in order to disrupt services and bring attention to a political or social cause. It is more accurately a form of vandalism than anything else.1

Getting down to specifics, the primary loss exposures for cyber risk tend to fall into three major categories: Property, Mitigation and Liability:

Property Losses can be related to data restoration costs, loss of business income and related extra expense necessary to lessen a business income loss, as well as actual physical damage to servers, network hardware and computers.

Liability losses can arise out of a data breech that violates the right to privacy, possible identity theft and financial fraud from stolen data.  There is a possibility of imposed network security liability or denial of service through an entity’s network.

First party mitigation/crisis management is the  cost for customer notification, credit monitoring expense and possible additional expenses for call centers necessary to contact the individuals whose information may have been  stolen for exploitation.

There may be costs associated with required regulatory defense, fines and penalties depending upon loss circumstances, as well as the possibility of extortion from the perpetrator. In such a case they may demand a cash payment for not destroying your captured data – at a potential huge cost depending on in-place IT protocol data backup procedures.

It is also likely that there will be some initial cost to have a forensic analysis done to learn the extent of data damaged or breeched, as well as potential legal fees to determine the response needed to responsibly mitigate the loss.

Cyber risks in a typical county can be found in such areas as health departments – from potential release of patient’s health information (HIPAA violation) to web-based services, such as license and permit applications, tax payments, parking tickets, online complaint forms, online crime reporting, repair requests, etc.

In addition, your own employees may be an unintentional source for cyber risk by web surfing or checking personal email, etc. on a networked county computer. Some employees may inflict intentional damage if not properly barred from your network after their termination.  Other entry points, such as county library computers heavily used by the public to gain access to the internet, are a huge potential source for infiltration of problems for your networks.

So as the Risk Manager for your entity, what should you be doing at this point?  The first step is to be aware of the potential risk – begin educating yourself to understand the potential problems that may be unique to your system, and then get your IT department involved and working with you.
Pre-loss prevention is the key here – with the underscored emphasis being data utilization procedures with protocols established for greater control.  Current virus/malware preventative software should be used and continually updated on a regular, reoccurring basis.  Filtering all inbound emails for control of attached executable file types should be mandatory with server default parameters configured to trap/isolate any suspicious emails.

All entity computers should be configured so nothing may be installed through executable software at the primary user level.  Database software designed to allow field staff to access the county network should require a VPN (virtual private network) interface.  No public data should be stored on any remote computing device. Instead, you should require a live connection to the main county network to manipulate data.  This should help eliminate the issue of a stolen laptop with public information getting into the wrong hands.  Finally, your network should have proper firewall protection with all non-necessary access ports closed.

On the issue of coverage – discuss this exposure with your insurance carrier’s representative.  If you are a member of the NCACC Liability & Property Risk Pool, we are in the process of developing specific coverage design in concert with additional clarifying policy language to address this issue.  As a member-owned, self-insured group, a careful approach is warranted, and we are working with our reinsurance carriers to see that a responsible, yet affordable solution is achieved.  There will be more specifics on this to follow in the future.
1 Cyber Risk: A Growing ERM Topic – County Reinsurance LTD. - May 2012

Editors Note: Cyber security is a Presidential Initiative for NACo President Chris Rodgers this year.  Visit www.naco.org for more information.