Travelers recently released findings from its annual Consumer Risk Index, which measures Americans’ risk preparedness. The survey findings include consumers’ perceptions of cyber risks, financial concerns and risks, personal privacy and identity theft. Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA), conducted an interview with Tim Francis, enterprise lead for cyber insurance at Travelers, to discuss the survey and what consumers and businesses can do to protect themselves and their information.
Michael Kaiser: Good morning, Tim, and thanks for joining us. Travelers just released findings from the Consumer Risk Index, an annual survey of risks Americans believe are the most prevalent in their lives. Did this research uncover any surprising statistics related to cyber risk?
Tim Francis: Certainly the notion that cyber as a risk is foremost on folks’ minds, second only behind healthcare costs, really isn’t surprising. As someone who lives and breathes cyber every day, I think the other statistics should be surprising, but they are not. What is troublesome is that many respondents indicated that cyber threats are a top concern, but they have not done much about it.
Michael: Cyber risks are changing; especially when Americans think about the kinds of breaches that they’ve seen in the last year. In 2014 it was all about the retail risk. In 2015, it’s been a lot about healthcare. What does your survey show about how Americans might be viewing these changes, and/or reacting to them, if they are reacting to them?
Tim: I think more and more individuals and companies are increasingly aware of cyber risks and the demographics of who is aware and who is concerned are increasingly diverse. It is not an issue that is affecting only large companies; it’s not an issue that affects people only as they make a retail purchase. It has permeated through so many aspects of life; whether it is healthcare information, personal identities or credit card information being stolen. Cyber risks are becoming more and more pervasive.
Michael: Thinking about that, what can consumers do to protect themselves? I know they have concerns about protecting their money and their finances, but also their identities. Constantly we see identity theft as one of the biggest concerns consumers have about using the Internet.
Tim: We provide risk management advice to consumers and businesses. So, when we’re talking to businesses about cyber threats, we’re talking about steps they can take to secure their networks, often involving activities their employees should take. However, much of the advice we would give to a company regarding their employees is identical to the advice we would recommend to consumers for protecting their own information. And some of it is very basic: make sure that you’re using passwords that are unique to every site that you’re using, and make sure that those passwords are secure. We understand sometimes it’s hard to identify whether or not you are using a secure site when making a transaction. Make sure you are on a site that is actually the business that you want to do business with. That leads to the next tip: avoid phishing emails that inevitably everyone receives, whether you’re an employee in a company, or an individual sitting in your home or on your mobile device. The bad guys are getting better and better at creating emails that can fool people. But some of them are still, frankly, not that good.
A little bit of discretion can go a long way in making sure that when somebody sends the “I’m a prince from Nigeria” email, that you don’t open that and you don’t respond to that and you don’t fall for those scams. Those emails are almost obviously fake. Make sure you aren’t indiscriminately clicking on links, because that is often how systems are corrupted in the first place.
Michael: So those are some ways people can start to protect themselves. But there’s also identity insurance. Can you tell us a little bit about that, and what everyone should know about it?
Tim: Identity theft insurance goes by a couple of different names, but it has been around for some time. And it can come in different formats. At Travelers, we provide this insurance either as an add-on to a homeowner’s policy or as an add-on for companies that are providing the insurance to their employees or defined customer groups. In either instance, it works in a similar way. The insurance will pay for some of the associated expenses when an identity fraud event takes place. Those expenses can include procuring legal advice to help you through the ordeal. Often, some of those expenses are things that you might not always think about: the effort to deal with creditors, to get your driver’s license changed, which might require time off from work. We will reimburse for time off from work.
For our identity fraud coverage, we partner with a firm called IDT911, which provides identity fraud resolution services. Somebody can actually speak to an identity fraud expert who will guide them through the process of whom to speak with, how to initiate contact and how to communicate, so the situation is rectified expediently and with less hassle and headache to our customer.
Michael: Great. And obviously businesses have cyber risk as well. How is the industry beginning to look at cyber risk and underwrite it? For clients, and maybe potential customers, can you tell us what that type of cyber insurance entails?
Tim: First, in terms of education regarding cyber insurance, I think that as a company and as an industry, we’ve spent a lot of time over the last couple of years simply educating our customers, and the agents and brokers that represent them, on how coverage works. We stress that no two companies are alike and often they’re completely different. So, what a large retail organization might need for coverage is quite a bit different than a small mom and pop storefront, a healthcare provider or manufacturing firm would need. Making sure we’re providing coverage specific to the risks facing those specific companies is critical for us.
Michael: When we think about insurance and items being underwritten and the process and procedures that must be in place before individuals and companies can do that, can cyber insurance help strengthen our cyber security posture overall? I mean, is it good for everyone?
Tim: Yes. Some customers can demonstrate that they’ve got a more sophisticated and robust cybersecurity posture, the right firewalls, the right incident response plans and they have a team in place that monitors the cybersecurity posture on a regular basis. Those measures are going to make the insured a better risk, and as a result, they are going to pay less money, or receive more favorable terms for both. And so, as an industry ‒ as that process works its way through ‒ I think that will have an effect of making customers more secure. And there’s an added benefit: they are not only more secure but they are likely to have insurance available to them and certainly at more favorable rates.
Michael: You mentioned a couple of the factors you might look at when addressing cybersecurity, but are there other specifics that underwriters look for when reviewing a company or that they require for companies to be covered?
Tim: Within an industry or peer group, the underwriter is looking at the positives, the strengths, as well as the potential weaknesses that a customer may have. We aren’t just looking at the technical aspects of security such as software, firewalls, intrusion detection systems, etc. We are also looking at the culture within the organization. Is information security taken seriously and is it a top-down mandate? And this goes beyond employee background checks. We look at the policies and procedures; is the company not only trying to prevent the incident from occurring, but have they assumed that an event may take place and have they developed a response plan?
All of those things together help paint the picture of a particular company’s risk profile, which ultimately leads the underwriter to the terms and price.
Michael: Are there any other thoughts about what businesses should be doing, or some common sense advice for what businesses should be doing to ensure their customer data is secure?
Tim: A lot of companies – frankly, all companies – are concerned about their budgets, and they’re thinking, “How much can we do, given the budget?” A lot of our basic recommendations are fairly inexpensive, relatively speaking. We need to make sure, first of all, companies understand the information that they have in the first place and that they have assessed if they are retaining information that they no longer need and can destroy.
It is important for companies to look at their data, understand it and only store data that’s business critical. For example, companies might have files of job applicants that they never hired. These people may have filled out an application with their Social Security number on it. Those kinds of things add up over time, for any company. In addition, companies should have an incident response plan in place. If a company doesn’t know what an incident response plan should look like, Travelers provides access to templates to get them started and then access beyond that to additional professionals within the cybersecurity arena that can give businesses more advanced training or consultation, as needed.
Michael: Well, that’s terrific. Anything else you’d like to add?
Tim: I think it’s important for companies to understand what they should be looking for an insurance provider. Often, it’s the access to the very things I was talking about. It’s not just about having good coverage at a good price. Companies should have access to a team that can provide real value in the event of a data breach. So, when the event takes place, they should know the company that’s going to help remedy the problem. They should know who they have relationships with. Because when it is 3 o’clock in the morning and your head of IT says you just had a breach, that’s not the time to try to figure out what company you’re going to use to do a forensic investigation, provide legal advice and provide public relations support. Having access to that team, understanding who that team is, having access to risk management advice and services, working to prevent the incident in the first place: all these actions are critically important.
For more information about the Consumer Risk Index, visit the Travelers website.
About Michael Kaiser
Michael Kaiser joined the National Cyber Security Alliance in 2008. As NCSA’s chief executive, Mr. Kaiser engages diverse constituencies—business, government, other non-profit organizations—in NCSA’s broad public education and outreach efforts to promote a safer, more secure and more trusted Internet. Mr. Kaiser leads NCSA in several major awareness initiatives, including National Cyber Security Awareness Month (October), Data Privacy Day (Jan. 28) and STOP. THINK. CONNECT., the global online safety awareness and education campaign. NCSA builds efforts through public-private partnerships that address cybersecurity and privacy issues for a wide array of target audiences, including individuals, families and the education and business communities. In 2009, Mr. Kaiser was named one of SC Magazine’s information security luminaries.
About Tim Francis
As a second vice president for Travelers Bond & Financial Products, Tim Francis leads Travelers’ Business Insurance Management and Professional Liability initiatives. He also serves as the enterprise lead for cyber insurance. In this latter role, Tim has oversight of all of the company’s cyber product management, including products for businesses of all sizes, public entities and technology firms. Tim has emerged in the insurance industry as one of the foremost cyber experts, having been quoted in The Wall Street Journal, USA Today, Reuters, Insurance Journal, Property Casualty 360, Business Insurance, CNBC.com and other premier media outlets. Additionally, he served as co-chair of the 2013 NetDiligence Conference and has spoken at numerous other conferences on the evolution of cyber risk and how businesses can protect against them.