As insurance professionals, “risk management” is a key phrase in our business, but for many it’s just another buzz phrase that rolls off the tongue far too often and is easy to ignore. Heck, we insurance folk get tired of hearing it too.
But while we sometimes tire of it, we also appreciate how risk management techniques can save a company from disaster or stanch the bleeding if (God forbid) catastrophe strikes.
My toughest professor in college (yet the one from whom I learned the most), Dr. Joshua Rubongoya at Roanoke College, always started a complex topic with a very simple definition of any term we were analyzing.
Dr. Rubongoya (a.k.a. "Dr. J")
Risk, as defined in Spreading the Risks: Insuring the American Experience, is “the possibility of loss—[and] is as certain as life and inevitable as taxes.” In other words, it’s the chance something bad could happen.
“Risk management” is then defined as the techniques, tools, and procedures that attempt to reduce this prospect of something bad happening. For instance, locking your car when you get out of it is a risk management technique that reduces the likelihood that your car will disappear before you return to it.
The car example is rather simple and easy, but what about the internet and confidential data?
Now that nearly every business relies on the internet and utilizes data to reach peak efficiency, risk management techniques are critical to ensuring that an organization stays in business. A data breach of sensitive information can critically harm an entity’s reputation, resources, and bottom line, sometimes to the point of bankruptcy.
Data breaches aren’t going anywhere anytime soon. Let’s look at a couple of statistics: 2013 has been deemed the “year of the mega breach,” with over 823 million records exposed, compared to 264 million records in 2012. (Stats courtesy Risk Based Security [PDF].)
With the likelihood of a loss (“risk”) increasing, how can a business reduce (“manage”) it? Here are a handful of tips that organizations of any size can implement immediately to protect themselves:
- Risk: Data control. Look at the type of data your organization collects and ask yourself whether it’s necessary to keep this information. Often a piece of sensitive information is needed for a single transaction, but then the company stores it indefinitely.
- Management Technique: Set up a process whereby sensitive data and unnecessary records are deleted/destroyed/purged shortly after their intended purpose.
- Risk: Employees. Approximately 35% of all data breaches are due to an inside actor, i.e. an employee or person with direct access, and over half of those breaches are accidental. For example, last month a college in California suffered a data breach when an employee accidentally misspelled an e-mail address and “potentially exposed student personal information for 35,212 students.”
- Management Technique: Training. Accidents will happen, but training and reinforcement of proper techniques will reduce their frequency. Teach all staff members what your company’s policies are and then practice them. Include all these policies in an employee handbook, and then have every single member of the team sign a document saying they’ve read and understand it. Repeat at least once a year.
- Risk: Unpreparedness. Do you have a plan in place when a check arrives in the mail? Just as you have a plan for good incidents, having a plan in place for when bad events happen is even more important, because it’s easy for emotions and frustrations to rule the day.
- Management Technique: Incident response plan. When a step-by-step plan is prepared and practiced in advance, the costs and damages from a disaster can be significantly mitigated. As with an employee handbook, analyze and revise your incident response plan at least once a year.
- Risk: Massive data breach. Unfortunately, even the best data destruction policies, employee handbooks, and incident response plans can only reduce the chance that a data breach will take place. Hackers take pride in circumventing even the most advanced security systems (just ask eBay, Target, and the Nasdaq) and, as mentioned above, accidental insider data breaches occur rather frequently. In our modern interconnected world, it’s not a question of if a data breach will happen, but when.
- Transfer Technique: Cyber Liability Insurance. Unlike the risk management techniques above, cyber liability insurance (like all other insurances) is a “risk transfer” mechanism, whereby one party (the insured) passes on a specified risk to another party (the insurance company) in exchange for a premium. With the premium paid and a cyber liability policy in place, a company then has access to financial and expert resources that would have otherwise not been available, or could be available, although at a much higher cost. As we detail here, a cyber liability insurance policy can respond to a wide array of issues while keeping the breached company in business.
I hope the term “risk management” has become a little less cliché for you and can provide some true benefits to your business.
If you’re considering cyber liability insurance as a risk transfer tool for your organization, please glance over our Buying Process page, because we don’t believe there should be any surprises when you’re buying a product.
Stay safe and stay cool,