Risk managers have plenty on their plates as 2014 begins. Cyber risk is front and center after the recent data breaches experienced by retailers, most notably Target. The possible expiration of the U.S. government’s terrorism backstop at the end of this year is another concern.
“This breach at Target, I think, is a wake-up call and should be a wake-up call for individuals as well as organizations,” said Al Gorski, chief risk officer for the Orange County Transportation Authority in Southern California and a board director at RIMS.
Gorski said a 2012 data breach at the South Caroline Department of Revenue “pushed security and privacy risks higher on my list.” He notes that the South Carolina incident also involved a lot of data—it exposed sensitive information from almost 4 million taxpayers and 700,000 businesses.
Insurance Only Part of the Solution
The Orange County Transportation Authority, which deals with everything from buses and paratransit routes to toll roads, has three types of information to protect, Gorski said: that of consumers who use their accounts to pay for buses or tolls, information about the agency’s employees, and data related to its business partners. “As a public agency, we want to make sure we’re concerned with the public,” he said.
The authority has been buying cyber insurance for the last few years, since before the South Carolina cyber breach, but cyber insurance is only part of the solution, Gorski said.
“We have to look at other things—the security of the premises, password control,” he said. “We have lots of exposure we didn’t have, say, five years ago, with smartphones and things like that.”
The authority has responded by working to improve security, said Gorski, pictured at left. “We’ve tightened down the security internally. We’ve tightened down the security dealing with laptops, the information provided on laptops, the access to our system from outside the organization—
say accessing business information for business purposes.
“According to the manager of the information technology department, there’s lots of knocks on our door every day from cyber,” he added.
Gorski said the decaying U.S. infrastructure is another of his key concerns. “One of the things I think risk managers are not thinking about is our infrastructure is getting older, and the amount of money from gas taxes is not meeting the need of maintaining that infrastructure.”
He noted the role the nation’s roads play in companies’ supply chains. “Forty percent of all goods coming into this country come in through Los Angeles and Long Beach ports,” Gorski said. “We have to maintain those roads for those goods to be moved.”
Leslie Lamb, director of global risk management for Cisco Systems and also a RIMS board director, said cyber issues are a big concern for many companies, as are natural catastrophes. And catastrophes can result in business interruptions, another topic that risk managers are looking at these days, she said.
Lamb also cited compliance concerns and noted that for companies doing business around the world, that includes the challenge of ensuring they have the correct policies and limits in place in each country. “In some countries, you’re required to carry certain types of insurance, and if you don’t, there are stiff penalties,” she said.
Insurance brokers can provide information on what’s needed in each country, Lamb said, but there are gray areas: “If you talk to 10 different people about what’s required and what are the ramifications, you might get at least seven or eight different answers.
Lori Seidenberg, a RIMS board director and senior vice president of enterprise risk management for Centerline Capital Group, a real estate investment and finance company, cited “grave concern” in the real estate industry about whether Congress will renew the terrorism backstop. That facility, the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA), will expire on Dec. 31; it was enacted in 2007 to succeed the original backstop, the Terrorism Risk Insurance Act (TRIA).
Seidenberg noted the likelihood that the backstop’s renewal will “come down to the wire” given the many other issues Congress has to deal with. In addition, she said, “there are a lot of new congressmen and women who were not around the last time this happened. They don’t understand what terrorism is expected to cover and the consequences of
not renewing .
“There is concern that it’s very possible it is going to sunset, just because of those factors,” she said.
“There’s a consensus in Congress that terrorism is readily available on the regular market,” Seidenberg said, but she argued that that is true only for organizations located in geographies where the risk of terrorism is not great. “If you’re in New York, two blocks from the Freedom Tower, it’s hard to find coverage.”
Given the possibility the backstop will expire at year-end, insurers renewing policies this year will attach sunset clauses saying that if the terrorism backstop sunsets, the policy’s terrorism coverage will end as well on Dec. 31, she said.