Interview: A Reputation for Cyber Security Protects a $7bn Healthcare Company
It is generally accepted that relentless efforts to penetrate cybersecurity defenses will at times succeed against even the best systems. A Chief Information Security Officer, Chief Risk Officer, Enterprise Risk Manager, or Risk Manager managing this risk must responsibly strengthen both institutional defenses and reputational resilience.
A limiting condition on the former is the degree to which a firm is exposed through its software or service vendors. Reports indicate that 43% of the most recent incidents across all industries originated at software or service vendors. With the odds of a breach approaching a coin flip, reputation resilience is necessary.
Steel City Re imagined a conversation with a risk executive at a publicly-traded health technology company about the new wave of cybersecurity risks and corporate resilience strategies. The conversation, a composite of individual discussions, has been edited for length and clarity.
Risk Executive. This risk is affecting all of us because investors are having a hard time figuring out which firms are serious about cyber risk management, and which are phoning in their solutions just to be compliant.
Steel City Re. Would you elaborate?
Risk Executive. Our work in cyber security is highly technical and involves layers of systems. Risk managers are technically responsible for managing the risk of a system failure. Yet generally they defer to us on processes we would like to implement and insurances we would like to buy because every cyber security engine looks the same to them when they look under the hood. Step outside of the company where visibility is much lower, and investors have no idea if what is under the hood works, or not.
Steel City Re. If you’ve avoided an incident, isn’t that sufficient proof to an investor?
Risk Executive. To the cynical, not having an adverse event just means we’ve been lucky.
Steel City Re. And if there is an adverse event?
Risk Executive. Having an adverse event means the risk management apparatus is incompetent and the board of directors is asleep at the switch. This is worrisome on a personal level as investors have started suing CISOs along with boards when they believe that they've been harmed, meaning, the adverse event triggered the tanking of a firm's stock price.
Steel City Re. The idea of strengthening reputation resilience is to prevent the stock price from tanking?
Risk Executive. Yes.
Steel City Re. It sounds like you’re dabbling in investor relations.
Risk Executive. Not at all. My role in strengthening reputation resilience is providing the investor relations professional with a simple, easy to understand, and completely credible story of cyber security that they can then present to investors in a way that investors can best appreciate and value.
Steel City Re. That prevents a stock price drop?
Risk Executive. It reduces the initial fall and accelerates the recovery. That’s what reputation resilience looks like when seen through an investor’s lens. There’s a significant body of literature on the behavioral economics of it all, and empirical data on how it really works.
Steel City Re. We’re missing something. We understand there is a $17bn market for cyber security insurance whose sole reason for existence is to provide firms with financial protection. Isn’t your work for investor relations—and building reputation resilience—done once you’ve secured insurance?
Risk Executive. Not anymore, not today, for two reasons. First, cybersecurity insurance is expensive, does not offer the level of limits we typically need given the costs of an adverse event, and the policies are riddled with exclusions. My own CFO wouldn’t buy more for these reasons, so if we hadn’t strengthened our reputational resilience, a big event would surely eat into our balance sheet, reduce our earnings, and tank our stock.
Steel City Re. The second reason?
Risk Executive. The second reason is the reputational impact. Remember that cynical investor? There are also cynical customers, regulators, suppliers, and even employees. Adverse events make them, let me say, “sad.” The value of our reputation falls in the minds of sad stakeholders and they don’t want to engage. The operational goals of a reputation risk management program are to keep customers buying, not boycotting; employees working, not fleeing; investors buying, not selling; lenders adjusting interest rates down, not up; regulators deferring, not enforcing; and social license holders acquiescing, not protesting.
Steel City Re. What can a risk executive do to build a story for investors and, from your last answer, every other stakeholder too?
Risk Executive. The story we tell here at our firm, condensed, is that we have a thoughtful risk management process and dutiful oversight over our cyber security program which we recognize as a mission critical asset.
Steel City Re. That’s the story you want investor relations to convey; and perhaps government relations to convey to the regulators. Why?
Risk Executive. We want to win the minds of the investors so they will not be sad if something goes awry. We want them to give us a break—not to be cynical—and that’s where the risk executive’s work comes to the fore.
Steel City Re. You had us at hello, but we’re missing the details of what you do and how it works.
Risk Executive. Let me break down into three parts what we did and why:
- To show we care greatly about what is important to our stakeholders, we created a layer of reputation risk protection in our captive to be triggered in the setting of an adverse cyber security event. Our investors recognize that if we are using our captive for reputation risk, we have figured out how to value, measure the frequency and severity of loss, and mitigate the risk. An NDBI policy is ideal here;
- Second, to show that our insurance and risk management processes are rich in “risk management,” we have strengthened our risk forecasting and intelligence capabilities;
- Last, to authenticate the quality of our captive operations and risk management processes, we chose the “warranty-like” power of risk transfer by reinsuring our captive with an all-risk outcome-linked parametric cover in the open market. Investors know that parametric policies will not be written for firms that are bad risks.
Steel City Re. Instead of more cyber insurance, you are using reputation risk insurance strategically?
Risk Executive. Two ways. Strategically, I like that we have a way to get credit for all the cybersecurity systems we're implementing. Operationally, I like that this solution also gets us some excess insurance coverage for a really bad event.
Steel City Re. Anything else you would like to share?
Risk Executive. Our C-suite likes this strategy. Our legal officer thinks this can augment D&O defenses and our CFO has seen that besides giving comfort to the board, this strategy has helped us secure better rates with the bond and open insurance markets for a broad range of casualty products.
With reputation risk forecasting, management, and insurance, Steel City Re helps companies build and prove to stakeholders their thoughtful risk management and dutiful governance over all that is mission-critical. It is an authenticated story stakeholders can appreciate and value.