NEW YORK—Risk managers no longer have a problem getting the attention of their company board and executives when it comes to cyber issues, according to panelists at the Advisen Cyber Risk Insights conference yesterday.
At Royal Ahold N.V., in fact, a supervisory board “insists on an annual presentation on the insurance policies,” which include cyber, said Nicholas Parillo, vice president of global insurance for the company. Giving his annual presentation to the board is made much easier, because “the person before me is the chief security officer and before that, the CIO and it’s good to know that they are saying the same things I’m saying. That’s the level this kind of risk has achieved within major corporations.”
In the U.S., Ahold owns about 2,000 supermarkets—780 in the Northeast, including Stop ‘n Shop and Giant Food Markets, and 300 pharmacies, Parillo said. The company, which has annual revenue of $42 billion, also owns a number of chains throughout Europe.
Parillo noted that Ahold’s chief concern is the large amount of customer data needed for its goal of major online sales growth.
“Our CEO a couple of years ago established a goal of increasing our online sales from $400 million annually to $1.5 billion,” he said. “We should hit that target in the next two years or sooner. One of our big concerns in this area is fast growth in ecommerce,” and also that “good governance surrounds” that growth.
The company purchased its first cyber security insurance policy in 2007, he said, an action that was hastened by “two watershed events in retail business,” the Hannaford Bros. Co. privacy violation and the TJ Maxx case. Both of these have run into the “hundreds of millions of dollars now with a significant amount of legal fees associated,” he said, adding, “These events made my job a lot easier in terms of going to my management and saying that this could happen to us, despite the biggest and the brightest in our IT group.”
Jimmy Kirtland, vice president, corporate risk management with ING, said that in the past, “trying to convince your CFO and CEO and general counsel that there really was [cyber] exposure,” was an issue. He explained that 10 or 15 years ago, “Even if you were going to look at cyber coverage you had only three brokers you could go to.”
Since then, “There has been a complete turnaround in 10 years. The market has grown tremendously and so have the brokers and it’s become much more sophisticated, which we appreciate. The C-suite has recognized that this is something that has to be looked at,” he said.
Dutch-based ING is restructuring, separating its banking and insurance operations. ING U.S. plans to rebrand as Voya Financial, a retirement, investment and insurance company, according to the company’s website. “In our case, one of the biggest concerns we had was that because of the split with our parent company, we had very little time to place our financial lines products, including cyber. So the concern is to get it right.”
The company filed an IPO in May, “and yesterday we announced we would have a secondary offering. When you don’t have the umbrella of a major global corporation anymore, you become keen on your risks and exposures,” Kirtland said.
What happens if technology fails at the company? “With us it really is out in the cloud,” Kirtland said. “Classic business insurance reimburses you for supply chain problems or if a warehouse burns down, so it’s an extra expense we have to worry about.”
To be able to stay in business in case of a technology failure, or in the case of “a system-wide blowout, we went with a time-limited type of retention. It’s a set amount based on the time you are out,” he explained.