
More Americans worry about being hacked than about mugging, burglary, sexual assault, murder, or physical harm to a child, according to a new Gallup poll. While concern about hacking did rise with household income, it was shared by a majority of Americans in every income and age bracket (69% overall), while no other crime in the poll was a worry for more than 45% of respondents.

A new survey from Advisen and Zurich found that this fear is nearly universal among companies as well. Across industries, 88% of businesses view cyber as at least a moderate risk – 93% among larger businesses and 81% among small ones. Despite this widespread recognition, however, fewer businesses have a breach response plan in place than a year ago: in 2014, only 62% have one, a 10% decrease from 2013. Yet 66% now use cloud services, a 20% jump from last year.

“Clearly, security concerns are being outweighed by the benefits of technology,” said Erica Davis, Zurich vice president and assistant national manager for E&O, while presenting the findings on Tuesday at Advisen’s Cyber Risk Insights Conference.

Throughout the conference, consensus was clear: the 69% of Americans and 88% of businesses are on the right track, as their fears are well-founded. “There are two types of banks today: those that have been breached, and those that will,” Roc Starks, senior vice president and director of corporate insurance at Citizens Bank, said at one of the day’s panels. “First response is the critical difference in how banks and customers will fare.”

Keynote speaker and former Secretary of Homeland Security Tom Ridge (now of Ridge Insurance Solutions) shared this outlook on cybersecurity across industries. “There are going to be breaches,” he said. “Resilient companies are the ones that are prepared to respond.”

Yet breach response without risk management and an eye toward mitigation is no longer sufficient. “Those prepared to organize around risk and resilience are those that will withstand and lead,” he added. “By the time we get here next year, the risks will be different – the digital sun will never set.”

The landscape of cyberrisk and hacking schemes is constantly evolving, and changing at a scale and speed unlike anything seen before, Ridge said. Attendees had little doubt about this, as panelists throughout the day detailed new phishing schemes they had seen, top areas of emerging vulnerability, and the many breaches they or their industry colleagues have navigated. More companies are investigating the most useful forms of coverage for their particular exposures and exploring which management structures and risk owners are most effective at monitoring and mitigating cyberrisk. The recognition is there, and so are some of the solutions, but the insurance landscape must still evolve, as must the strategies. “We’ve seen a mind-shift,” Ridge said. “CEOs get it, but they do not know what to do and who the threats come from.”

To that end, there is more the industry can do to help. Ridge lauded the idea of “intelligent insurance,” arguing that, in addition to devoting greater resources to investigating cyber threats, the insurance industry should turn its attention to incentivizing companies to manage cyberrisk more effectively.

Much as in insurance disciplines like kidnap and ransom, some of the greatest benefits of insuring cyberrisk may come from the processes of evaluation and contingency planning. According to Ridge and other conference speakers, finding out how to oversee and incentivize those processes may be the next adaptation for cybersecurity insurers.


MIAMI – Enterprise risk management (ERM) continues to gain momentum in boardrooms around the world as it is increasingly considered an essential element of an organization’s strategic planning process. In recognition of one organization’s success in aligning its ERM program with its strategic objectives, thereby enhancing its resiliency and operational efficiency, RIMS presented the 2014 ERM Award of Distinction to Malaysia-based Astro Overseas Limited at the RIMS ERM Conference in Miami.

The award was presented by Lori Seidenberg, senior vice president of insurance and risk management at Hunt Companies and member of the RIMS board of directors, and was accepted by Ghislain Giroux Dufort, president of Baldwin Risk Strategies, on behalf of Astro Overseas Limited (above). It recognizes Astro for successfully implementing and sustaining an ERM program across multiple investments in a diverse mix of businesses in the media and broadcasting industries. The program is an extension and evolution of the group enterprise risk management program implemented at Astro Malaysia Holdings Berhad, Astro Overseas Limited’s sister company and the main source of its television and radio broadcasting operations. The program not only allowed the organization to better manage its IT and cyberrisk vulnerabilities, but prompted its board of directors to include enterprise-wide risk assessments and related investment and risk performance dashboards in the organization’s strategic decision-making process.

“It started as a process to address operational risks but our leadership quickly realized the value our ERM program can add to achieving strategic objectives,” said Patrick Adam K. Abdullah, vice president of ERM at Astro Overseas Limited. “It’s our hope that sharing the success of our ERM program will inspire others to advance their own risk programs and highlight the impact such a program can have on an organization’s ability to navigate exposures and leverage new opportunities. It is a tremendous honor to be recognized with this prestigious award.”

Honorable mention for this year’s ERM Award of Distinction went to Schaumburg, Ill.-based American Agricultural Insurance Company and was accepted by Lorie Graham, the company’s senior underwriting and corporate risk manager (below). Through its ERM program, the company reduced the uncertainty caused by severe weather by reassessing corporate goals, developing a diversified income base and growing its surplus.

“Whether it is global expansion, the use of new technologies or even outdated operational practices, ERM continues to prove to be an effective risk management approach that propels organizations, regardless of industry, to reach and exceed expectations,” said Carol Fox, RIMS director of strategic and enterprise risk practice. “The judging panel for the ERM Award of Distinction was impressed with the complexity and quality of all of the submissions and congratulates Astro Overseas Limited for winning this top honor.”

Judging criteria for the ERM Award of Distinction include the scope of the ERM program and how it engages different levels throughout the organization; the program’s link to the company’s overall mission; and its ability to create additional value for the organization.


MIAMI – It may be stating the obvious, but just about every company wants to be innovative. Innovation is what sets you apart from your peers and what will ultimately help you carve out a successful place in a given market. But actually being innovative is easier said than done. Innovation means change and often requires disrupting traditional ways of doing business. For many companies, this change is scary. “What if we fail?” “What if we lose the customers we already have?” “What if the chances we take don’t pan out the way we hoped?” The fear of failure stifles the creative impulse to innovate and breeds complacency. Often, it is only a matter of time before the company joins Circuit City, Blockbuster, Kodak and the rest on the ignominious list of brands that disappeared because they were unwilling or unable to innovate and change with the times.

Speaking to attendees at the 2014 RIMS ERM Conference in Miami, author and CEO of Detroit Venture Partners Josh Linkner (above) summed up the problem. “We overestimate the risk of making a change, but underestimate the risk of standing still,” he said. According to Linkner, we need to tap into our latent ability to be creative and innovative in order to work past this mindset.

The key is to understand what makes an innovator who they are and how we can apply those qualities to our own lives. To this end, Linkner outlined the five “obsessions” common to all innovators:

1. Innovators encourage courage. Don’t be afraid to fail. James Dyson built more than 5,000 failed prototypes before successfully developing the vacuum cleaner that made him a billionaire.

2. Innovators shed the past. Protecting past successes often comes at the expense of future growth.

3. Innovators defy tradition. Just because it’s always been done one way doesn’t mean that better ideas don’t exist.

4. Innovators get scrappy. Think small. Innovators are often the ones who are willing to move quickly and be nimble. They take chances and embrace risk to gain the extra advantage over slow-moving competitors.

5. Innovators push the boundaries. Reinvent the wheel. Literally. You never know what might happen.

We all have the capacity to be creative, said Linkner. We just need to embrace risk and welcome creativity. For risk managers looking to implement innovative solutions like ERM, it is a way of thinking that could lead to real success.



The price of poor information governance is steep. Storage is cheap (about $0.20/GB), but e-discovery is not (about $3,500/GB), and neither are lawsuits. The following legal cases show the cost of failing to manage your data while in litigation and point to best practices for when litigation is pending.

Zubulake v. UBS Warburg
Laura Zubulake sued her former employer, UBS, for gender discrimination and requested key evidence that was archived in emails. When e-discovery took place, backup tapes and some emails had been deleted, prompting the court to conclude that UBS had acted willfully. The jury was instructed to assume that the deleted emails were detrimental to UBS’s case. Ultimately, Zubulake was reimbursed her costs and awarded $9.1 million in compensatory and $20.2 million in punitive damages. This case established the framework for retaining electronically stored information (ESI) and set the legal precedent for e-discovery. It underscores the importance of complying with electronic data preservation and production, and of suspending document destruction and putting legal holds in place as soon as a party is subject to litigation.

Lessons learned:

  • The scope of a party’s duty to preserve digital evidence during the course of litigation
  • The duty of the lawyer to monitor clients’ compliance with electronic data preservation and production
  • The imposition of sanctions for the spoliation of digital evidence
  • Data sampling, so that the cost and effectiveness of the recovery process are known in advance

Apple v. Samsung Electronics
In April 2011, Apple sued Samsung for $2.5 billion over patent infringement. Throughout the case, Samsung did not disable the bi-weekly auto-deletion in its email system, even though it had asked employees to manually save their emails because of the litigation. Although Samsung sent initial litigation-hold notices to 27 employees notifying them of a “reasonable likelihood of future patent litigation between Samsung and Apple,” it was another eight months before it sent litigation-hold notices to an additional 2,700 employees. Samsung was faulted for failing to send notices to all relevant employees and for not instructing them on how to save their emails.

As it turns out, Apple was doing the same thing by sending automatic notices to employees asking them to reduce the size of their email accounts. As a result of these missteps, both parties agreed not to instruct the jury to assume that the deleted emails were detrimental to the case.

Lessons learned:

  • If litigation is anticipated, issue litigation holds to all potentially relevant employees
  • When litigation is reasonably anticipated, disable any auto-delete functionality
  • The duty to preserve documents arises when there is a reasonable likelihood of litigation prior to litigation being formally filed
  • Businesses should audit employees to assure they are following the preservation instructions

915 Broadway Associates v. Paul Hastings
915 Broadway sued its former counsel, the law firm Paul Hastings, alleging legal malpractice. Because of the litigation, 915 Broadway issued a legal notice to its employees instructing them to save files and not delete their emails; however, compliance was not monitored and automatic deletion was not stopped. Throughout the two years of litigation, 915 Broadway made no effort to preserve relevant documents from its employees and failed to suspend its document retention policy, which automatically deleted emails after 14 days. 915 Broadway even replaced its email servers, preventing any recovery of deleted emails, after Paul Hastings had raised spoliation concerns with the court. Because crucial files were deleted, the $20 million complaint was dismissed and Paul Hastings’ motion for spoliation sanctions was granted.

Lessons learned:

  • Courts have the discretion to dismiss a case if the plaintiff does not comply with e-discovery obligations
  • E-discovery compliance needs to be treated with greater importance and urgency
  • It is imperative to invest in a solid e-discovery infrastructure

The Importance of Information Governance
Information governance has long been viewed as essential for global companies that handle large amounts of data, and the cases above show that it becomes more mission critical every day. Take note of these best practices should you ever find yourself in a similar situation:

  • Govern information so that it can be retrieved in a timely manner and reviewers are not wading through stale documents
  • Don’t just issue a legal hold; verify that key documents are actually not being deleted
  • Suspend automatic deletion and document destruction when litigation is pending or reasonably anticipated
  • Comply with electronic data preservation and production obligations
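The failure pattern in Apple v. Samsung and 915 Broadway is the same: a hold notice went out, but the automatic deletion job never learned about it, and nobody checked. As an added example (not code from this article or from any company or court it names), the following Python models the two controls the best practices above call for: a retention policy whose auto-delete step is overridden for custodians under a legal hold, and an audit that flags any deletion of a held custodian's mail on or after the hold date. The 14-day retention period, the matter name, the custodians and the deletion log are all constructed for illustration.

```python
"""Retention policy with legal-hold override, plus a spoliation audit.

Added example for this article; it is not code from the original page
or from any company or court named in it. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Message:
    msg_id: str
    custodian: str        # mailbox owner
    received: datetime


@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset  # everyone notified for this matter
    issued: datetime       # duty to preserve is in force from here


@dataclass
class RetentionPolicy:
    """Auto-delete after max_age, unless the custodian is under a hold."""
    max_age: timedelta
    holds: List[LegalHold] = field(default_factory=list)

    def on_hold(self, custodian: str) -> bool:
        return any(custodian in h.custodians for h in self.holds)

    def evaluate(self, messages, now):
        """Split expired messages into (deletable, held).

        Unexpired messages are untouched; expired ones are only deletable
        when no hold covers their custodian. This is the check that a
        14-day auto-delete job like 915 Broadway's lacked.
        """
        deletable, held = [], []
        for m in messages:
            if now - m.received <= self.max_age:
                continue
            (held if self.on_hold(m.custodian) else deletable).append(m)
        return deletable, held


def audit_deletions(deletion_log, holds):
    """Flag any deletion of a held custodian's mail on or after the hold date.

    deletion_log entries are (msg_id, custodian, deleted_at). A hit here is
    what a court treats as spoliation, regardless of intent.
    """
    findings = []
    for msg_id, custodian, deleted_at in deletion_log:
        for h in holds:
            if custodian in h.custodians and deleted_at >= h.issued:
                findings.append((msg_id, custodian, h.matter))
    return findings


# --- constructed sample data (hypothetical matter, custodians, dates) ---
NOW = datetime(2014, 10, 1)
HOLD = LegalHold("Doe v. Example Corp", frozenset({"alice", "bob"}),
                 issued=datetime(2014, 9, 15))
POLICY = RetentionPolicy(max_age=timedelta(days=14), holds=[HOLD])

MAILBOX = [
    Message("m1", "alice", NOW - timedelta(days=30)),  # expired, but alice is held
    Message("m2", "carol", NOW - timedelta(days=30)),  # expired, no hold -> deletable
    Message("m3", "bob",   NOW - timedelta(days=5)),   # not expired
    Message("m4", "dave",  NOW - timedelta(days=20)),  # expired, no hold -> deletable
]

# What an unsuspended auto-delete job actually removed (constructed log)
DELETION_LOG = [
    ("m9",  "alice", datetime(2014, 9, 20)),  # after hold -> spoliation
    ("m10", "carol", datetime(2014, 9, 20)),  # not a custodian -> fine
    ("m11", "bob",   datetime(2014, 9, 10)),  # before hold -> no duty yet
]

DELETABLE, HELD = POLICY.evaluate(MAILBOX, NOW)
FINDINGS = audit_deletions(DELETION_LOG, [HOLD])

if __name__ == "__main__":
    print("deletable:", [m.msg_id for m in DELETABLE])
    print("held     :", [m.msg_id for m in HELD])
    print("audit    :", FINDINGS)
```

The point of separating `evaluate` from `audit_deletions` is that the first is the preventive control (the deletion job consults the hold list before acting) and the second is the detective control the best practices ask for: it runs against what was actually deleted, so a hold that was issued but never wired into the deletion job still surfaces as a finding.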

With more than 14,000 laws and regulations related to information management – jurisdiction-specific requirements, regulatory compliance, litigation and e-discovery, planned and unplanned audits – enforcing them across an organization’s IT infrastructure is difficult, yet critical during litigation. Governance programs are long-term solutions to the challenges of frequent litigation and investigations.