Risk managers have plenty on their plates as 2014 begins.Cyber risk is front and center after the recent data breachesexperienced by retailers, most notably Target. The possibleexpiration of the U.S. government's terrorism backstop at the endof this year is another concern.

“This breach at Target, I think, is a wake-up call and should bea wake-up call for individuals as well as organizations,” said AlGorski, chief risk officer for the Orange County TransportationAuthority in Southern California and a board director at RIMS.

Gorski said a 2012 data breach at the South Caroline Departmentof Revenue “pushed security and privacy risks higher on my list.”He notes that the South Carolina incident also involved a lot ofdata—it exposed sensitive information from almost 4 milliontaxpayers and 700,000 businesses.

Insurance Only Part of the Solution

The Orange County Transportation Authority, which deals witheverything from buses and paratransit routes to toll roads, hasthree types of information to protect, Gorski said: that ofconsumers who use their accounts to pay for buses or tolls,information about the agency's employees, and data related to itsbusiness partners. “As a public agency, we want to make sure we'reconcerned with the public,” he said.

The authority has been buying cyber insurance for the last fewyears, since before the South Carolina cyber breach, but cyberinsurance is only part of the solution, Gorski said.

“We have to look at other things—the security of the premises,password control,” he said. “We have lots of exposure we didn'thave, say, five years ago, with smartphones and things likethat.”

Theauthority has responded by working to improve security, saidGorski, pictured at left. “We've tightened down the securityinternally. We've tightened down the security dealing with laptops,the information provided on laptops, the access to our system fromoutside the organization— say , people accessing business information for business purposesfromtheir homes .

“According to the manager of the information technologydepartment, there's lots of knocks on our door every day fromcyber,” he added.

Gorski said the decaying U.S. infrastructure is another of hiskey concerns. “One of the things I think risk managers are notthinking about is our infrastructure is getting older, and theamount of money from gas taxes is not meeting the need ofmaintaining that infrastructure.”

He noted the role the nation's roads play in companies' supplychains. “Forty percent of all goods coming into this country comein through Los Angeles and Long Beach ports,” Gorski said. “We haveto maintain those roads for those goods to be moved.”

Catastrophes andCompliance

Leslie Lamb, director ofglobal risk management for Cisco Systems and also a RIMS boarddirector, said cyber issues are a big concern for many companies,as are natural catastrophes. And catastrophes can result inbusiness interruptions, another topic that risk managers arelooking at these days, she said.

Lamb also cited compliance concerns and noted that for companiesdoing business around the world, that includes the challenge ofensuring they have the correct policies and limits in place in eachcountry. “In some countries, you're required to carry certain typesof insurance, and if you don't, there are stiff penalties,” shesaid.

Insurance brokers can provide information on what's needed ineach country, Lamb said, but there are gray areas: “If you talk to10 different people about what's required and what are theramifications, you might get at least seven or eight differentanswers.

Terrorism Risk

Lori Seidenberg, aRIMS board director and senior vice president of enterprise riskmanagement for Centerline Capital Group, a real estate investmentand finance company, cited “grave concern” in the real estateindustry about whether Congress will renew the terrorism backstop.That facility, the Terrorism Risk Insurance Program ReauthorizationAct (TRIPRA), will expire on Dec. 31; it was enacted in 2007 tosucceed the original backstop, the Terrorism Risk Insurance Act(TRIA).

Seidenberg noted the likelihood that the backstop's renewal will“come down to the wire” given the many other issues Congress has todeal with. In addition, she said, “there are a lot of newcongressmen and women who were not around the last time thishappened. They don't understand what terrorism [insurance]is expected to cover and the consequences of not renewing [the backstop] .

“There is concern that it's very possible it is going to sunset,just because of those factors,” she said.

“There's a consensus in Congress that terrorism [insurance]is readily available on the regular market,” Seidenberg said, butshe argued that that is true only for organizations located ingeographies where the risk of terrorism is not great. “If you're inNew York, two blocks from the Freedom Tower, it's hard to findcoverage.”

Given the possibility the backstop will expire at year-end,insurers renewing policies this year will attach sunset clausessaying that if the terrorism backstop sunsets, the policy'sterrorism coverage will end as well on Dec. 31, she said.