Cyberattacks are constantly evolving in sophistication, not to mention happening with more frequency to companies of all sizes. While no one can guarantee staying a step ahead of hackers, Richard Fernandez and AmWINS make sure its clients’ assets are protected against the ever-changing risks of the digital world.
Fernandez is the executive vice president of professional lines for wholesale insurance brokerage at AmWINS Group. He is also managing director of the company’s national professional lines practice and a member of the cabinet of its largest office in Atlanta. At a high level, that means that he and his team specialize in providing clients with coverage to protect against all types of cyber threats. Hispanic Executive caught up with Fernandez to talk about why insurance against these risks are important and how he addresses ever-evolving challenges.
Hispanic Executive: Let’s start at the beginning. What drew you to the insurance industry initially?
Richard Fernandez: I started out on Wall Street, but found banking to be somewhat restrictive and closed off to the idea of approaching anything creatively. Later, a personal acquaintance brought me to AIG, where I learned more in my first five years than some people learn in their entire careers. It was, and still is, an aggressive environment, but it offered the opportunity to take on great responsibility at an early stage in my career. In situations that more conservative companies would have walked away from, I got to sit down with very bright people and develop complex situations for very complex problems. The experience taught me the insurance industry inside and out, and I owe my success over the last ten years to relationships I made there.
HE: Can you point to exactly when cyberthreats become the pressing concern that they are today?
RF: They’ve been a concern for decades as more and more consumers and businesses have moved into the digital domain. But the incident that was a “ten on the Richter Scale” was TJX in 2006 that involved 46.5 million records and cost the company $256 million. In 2011 there was Epsilon, considered one of the costliest attacks ever. That involved more than one billion stolen email addresses and losses estimated to be anywhere from $225 million to $4 billion. Unfortunately, they’ve become a fact of life for businesses and individuals.
Cybersecurity 101
Richard Fernandez offers these guidelines to help strengthen your company’s cybersecurity efforts:
Use a reputable insurance broker to help navigate the numerous cyber threats your industry faces and how best to structure a program around them.
Regardless of size, if you have a significant digital footprint, you need cyber liability insurance. Smaller and mid-sized companies are actually targeted at a higher rate because their controls are typically not as sophisticated as larger organizations.
Consider hiring a chief information security officer (CISO) as soon as possible. You wouldn’t operate without a CFO. In today’s world, a CISO is equally, if not more, important.
HE: Is anyone safe from cyberthreats?
RF: Not really. Large companies—like healthcare, retail, and financial institutions that retain highly sensitive information for long periods of time—face the most extensive risks. But small- and medium-sized companies aren’t immune. They often assume otherwise since they have a smaller digital footprint, so they don’t invest in robust cybersecurity. That just makes them low-hanging fruit for hackers. A 2015 NetDiligence study showed that 71 percent of cyber claims came from companies with revenue below $2 billion, and 46 percent from those with less than $300 million. They can also be victims of ransomware attacks that encrypt all company data until hackers receive payment. That might not attract public attention, but it costs a sizable amount for a smaller operation. In fact, ransomware attacks are becoming more frequent as hackers are quickly able to turn the ransom demand into payment in the form of bitcoin.
HE: What kinds of challenges does all this pose for the insurance industry?
RF: First of all, the nature and types of threats are changing almost weekly. As a result, there is little protocol or a reliable standard for determining what a “typical breach” looks like. A breach of one million records could have less impact than one with ten thousand records if that smaller batch contains birth dates, patient health information, and credit card or Social Security numbers. That could be devastating to a company’s reputation and create exorbitant costs related to notification, credit monitoring, possible regulatory fines and penalties, defense costs and potential future settlements, or class action law suits. As the industry slowly comes to understand what these claims look like and cost, it will continue to innovate and tackle larger and more complex issues, such as attacks on critical infrastructure, the national power grid, and other critical utilities. It’s an evolving process, and one where we need to walk before we run.
HE: How does AmWINS address those kinds of constantly evolving threats and business challenges?
RF: Specialization is our mantra. My team only works on cyber liability and in the Professional Lines area. Anything that falls outside that very prescribed box gets referred to another AmWINS team. We spend a considerable amount of time with industry cyber underwriters to understand the complexities of their coverage and how one insurance company’s coverage differs from the next. We also have extensive meetings with our insureds to understand their businesses so that we can suggest new ways to cover existing or emerging threats. We do not take a “cookie cutter” approach to risk. Instead, we tailor coverage to the needs of our insureds.
HE: Aside from hackers changing their tactics, what do you see as the insurance industry’s greatest business challenge?
RF: Rampant over-capacity is permeating the industry. That leads to instability of carriers and wide pricing fluctuations. We have to be wary of premiums being driven down, which is good for the insureds but often unsustainable. Eventually that can push markets into insolvency or force them to sell to bigger players and shrink capacity.
