By Jennifer Cryder, CPA, CFO and vice president - operations
Cyber liability insurance and related risk mitigation is an area for which many in corporate finance are finding themselves responsible, despite many having little or no background in technology. While I found this to be a bit intimidating when I joined the PICPA team, I’ve since learned more about this area. I am looking forward to sharing some of this information at PICPA’s upcoming Accounting & Auditing Conference on Wednesday, Dec. 6, 2017, in Malvern, Pa., and here is a quick overview of what I’ve encountered.
The most important thing to know is that the responsibility for the assessment and mitigation of cyber risks is shared among many in an organization. While your technology team may be the first line of defense, cyberthreats are truly a business risk that demands attention from the C-suite as well as the directors and officers. In my case, the PICPA is a nonprofit with an audit committee and board of directors that are attuned to risk management and cybersecurity in particular. I’ve often been asked by our board about what we’re doing in this area. Some of their questions have been reassuringly specific: “When was the last time we had a vulnerability scan or penetration test?” I’m glad that they want, and that we’ve been able to provide, solid answers, and I welcome this demonstration of the board actively exercising its fiduciary duty.
I’ve been pleased to find that I can deploy many of my auditor skills as I’ve built my knowledge in the area of cyber risk. Just like in planning an audit, the first step to mitigating cyber risks is understanding where the data is and what could be at risk. This can include personally identifiable information, financial information such as bank accounts or customer credit card data, or even personal health information. The location of the data is an important consideration. Is the data hosted locally on the organization’s servers or in the cloud? The answer gives rise to different cyber risk and insurance considerations. Just as an auditor does a risk assessment during planning, once these data sets are identified and located, risks can be prioritized and mitigation strategies can be developed.
Cyber liability insurance is one component of a larger risk mitigation strategy. It’s important to work with an experienced insurance broker when crafting a policy since this is an evolving area of insurance. Like anything else, the devil is in the details, and you need to be sure you understand all exclusions. You wouldn’t want to find that something was excluded when it’s too late. For example, how does your policy address exposure through third parties, such as vendors, who have access to your systems? Most costs related to a breach come from the need to hire outside experts – legal, forensic, and others. Be sure to understand what limits there are to coverage in your policy when it comes to these experts. Also know if there are any gaps in coverage, such as the cost of business interruption, notification and credit monitoring, or data replacement.
Please join me at PICPA’s Accounting & Auditing Conference on Dec. 6 in Malvern to learn more about this topic and many others!