In recent months, numerous surveys of business leaders have reported that one of their top concerns, if not their top concern, is the issue of cyber security. In many cases, small businesses that suffer a cyber event fail to recover from it. Even for larger businesses, the fallout from a cyber hacking or phishing event can be punishing financially.
Risk & Insurance, which is affiliated with The Institutes, recently spoke with Adam Carmichael, CPCU, the President of The Institutes Knowledge Group, about a new Institutes Designation. You can read the original interview on the Risk & Insurance website now. The Associate in Cyber Risk Management™ (ACRM™) is intended to bolster the knowledge and effectiveness of risk managers and risk-transfer professionals in this very important area of the insurance sector.
You can also try out a free sample course (about 30 minutes of content) to learn a little more about cyber risk and the scope of the program. What follows is a transcript of Risk & Insurance’s discussion with Mr. Carmichael, edited for length and clarity.
Risk & Insurance: In terms of your new cyber designation, which segments of the risk management and insurance profession is this course built for?
Adam Carmichael: I think a lot of times when people hear cyber, they immediately jump to IT. But really, cyber risk is an enterprise risk.
This new designation is focused on professionals such as the risk manager, the underwriter, the broker; various roles that have to manage cyber risk, to better equip them with a framework of how to do so.
R&I: How long did it take to pull the structure and the resources together to create this new designation?
AC: We worked on the program for several months. We talked to various practicing subject matter experts in the field to gather what are the most important things, what are best practices, to make sure we’re putting all of that in the courses, and in the program.
R&I: If I was going to take this course and get this designation, how much time should I set aside to do so?
AC: The designation has 3 main courses. It also has a short ethics course that goes with all of our designations. But with the 3 main courses, for most people, you could complete the entire program within 6 to 9 months if you’re doing a few hours of study each week.
R&I: As we know, cyber risk is a complex topic. As your team was putting together the materials, what were you trying to address in terms of knowledge gaps that you thought you could help professionals with?
AC: It is a complex topic. I think from that perspective, first, what we want to do is help people develop a plan or a strategy, a holistic approach on how to manage cyber threats.
That’s everything from identifying cyber-related risk exposure to understanding downstream impacts such as potential revenue loss, that could stem from a cyber event. Of course, the best course is to prevent these events.
We want to predict and prevent wherever possible and at least mitigate any losses. But we also want those that take the course to know what options are available for cyber coverage. It is an area that’s still evolving, but there are some key aspects to be able to understand what is and what is not covered, and to be able to plan accordingly.
R&I: That’s going to be an ongoing learning curve, isn’t it, in terms of what’s happening with coverage, exclusions and insurance capacity?
AC: No doubt. In some cases, the coverage is an endorsement of a certain policy. In other cases, it’s a cyber-specific policy. So we really do encounter a lot of variety there.
R&I: I assume you got a good deal of feedback or communications from risk professionals saying, “Hey. We could really use some help here.”
AC: We certainly heard directly. We also have an advisory board that we communicate with on the nuances of cyber risk and cyber coverage. Then added to that, we do look at independent research as well, to see what is top of mind for companies, and where the needs are.
Just to list a few statistics: A recent Munich Re survey showed that 87% of C-Suite-level executives said their company is not adequately protected against cyber risks or cyber-attacks. That’s a big number.
When we started talking about having a strategy and a holistic plan for how to manage that risk, it was the scope of that business leader concern that we were trying to address.
Similarly, the International Insurance Society, which is affiliated with The Institutes, conducts a Global Priority Survey in which 62% of executives polled said cybersecurity was their top priority. So again, very top of mind for business leaders. And this wasn’t just for large companies, either.
Cyber risk, as you know, applies to companies as well as individual risks, which we do address in the program as well. It’s startling, but 60% of small businesses close within 6 months of a cyber attack. Yet, despite these risks, about two thirds of small businesses lack any cyber insurance coverage.
R&I: When you think about this, is there anything about the topic, Adam, that I didn’t ask you about that you’re particularly passionate about that you wanted to get across to the readers?
AC: What I’m passionate about is that cyber risk is one of the largest threats that organizations of all sizes face. It’s not hard to not see it in the news or be impacted personally. Data breaches happen; that’s the interconnected world that we live in. It’s a data-driven world and cyber risk is very real. Our hope is that this designation is going to really help learners; help both them and their customers better manage cyber risk.