Steve Levine, director of risk management for a major restaurant chain, said he thinks cyber insurance has become very trendy, but that companies should not use insurance as a short cut to true cyber security.
“I hate the example of lemmings because they don’t really follow each other off a cliff, but there is a sheep mentality relative to cyber, because everyone is doing it, and everyone is putting this protective measure into place. If everyone is doing it, I have crossed the threshold into D&O exposure, and risk managers are also covered under D&O. To fail to make a prudent business judgement, there could be potential consequences relative to other issues outside of just the standard cyber exposure if I don’t follow best practices,” Levine said. “I’m not saying that’s the case because I think more companies still don’t have cyber insurance than do.
“The priority always needs to be on the front end. On general liability, slip and falls, for instance. It is a funny thing about guest satisfaction--you come in for enjoyment and great food, but if you slip and fall and end up in the emergency room, it erodes the enjoyment factor,” Levine noted. “So we focus on safety and minimize the risk of slip and fall on the front end so you don’t have to deal with it on the back end, and that is how I feel about cyber as well.”
On top of that, Levine said he has questions about the validity of cyber coverage. “It hasn’t been truly tested in the marketplace. There isn’t a lot of history relative to claims payments, and there are a lot of redundancies relative to coverages already available under crime and D&O. We’ve done a lot of research relative to the category.
“You put a cyber policy in place, but what happens when you have that breach, if you don’t already have your crisis plan established, your vendors, forensic researchers, your crisis firm, pr firm, outside counsel, then the policy itself is just a back end payment deal after you have already received the bad press. For us, good cyber coverage is a matter of proactively managing with your insurance company to make sure the partners you want are already established and written into the policy itself; that is what we have done, including simulations. In-house simulations are crucial. I’ll tell you why. When the building is on fire, you need to stay calm and think things through methodically and be comfortable. So if you do the simulations in advance, it enables people to recognize the steps, and in a time of true emergency the team can remain calm and go through the steps just the way you planned them.”