Cyber Security is a Board-Level Issue


“Girly, tough ain’t enough.”

– Frankie Dunn (Clint Eastwood) in Million Dollar Baby

A research study by AIG conducted in the UK indicates that 84% of company directors believe that their IT department is able to protect their company from a cyber attack. And they are surely not alone, as most of us probably still associate the task of safeguarding valuable data with the IT function. Commercials for security products often use metaphors and imagery to suggest that their IT product/service’s tough-guy approach will get the job done. But as Clint Eastwood’s Frankie Dunn, the curmudgeonly boxing coach in Academy Award winner Million Dollar Baby tells wannabe fighter Maggie Fitzgerald (Hilary Swank), sometimes “tough ain’t enough.”

While day-to-day responsibility for cyber protection may lie with the IT and security teams, strategy and response need to have ownership across silos and functions. Hence they need board-level engagement.

The changing landscape of cyber risk

Despite the high level of confidence in the (obviously essential) role that the IT department plays in cyber defense, the cyber threat landscape continues to evolve rapidly, prompted by society’s ever growing dependence, socially and economically, on all things digital. Originally viewed as primarily a threat to data breach/loss, the impact of cyber attacks has widened considerably to include business interruption, theft of intellectual property and other issues. This rapid escalation in threat levels has prompted the evolution of cyber risk from being primarily an IT threat to an enterprise wide management issue needing board-level attention.

Four themes emerged from AIG’s research that highlight the need for many large companies to take a closer look at how they are managing cyber risk – and at how they might decrease that risk even further.

Cyber security issues should be more prominent in discussions at the board level

The issue among board members at large companies is not a lack of awareness of cyber threats. More than four out of five (82%) senior business leaders in the UK said they know at least a “fair amount” about their company’s cyber security governance and risk management framework. However, barely a quarter (26%) of UK companies said they discuss cyber security policy on a regular basis in board meetings, and more than half (52%) either rarely or never discussed it. This is potentially a recipe for disaster.

Part of the problem is that companies are split over where responsibility for cyber security lies. Less than one in ten (9%) UK companies maintains overall responsibility for cyber security at the board level. Fortunately, an additional 43% do give ownership of the issue to a key board member. Nevertheless, almost half do not, and more than a third (36%) still designate maintenance of cyber security as an IT department function. However, what we have learned from large breaches is that it takes an enterprise-wide effort to minimize the number of attacks and to mitigate damage from attacks that do occur.

The legal implications of a cyber breach is not well understood among directors

A very high percentage (86%) of the UK executives interviewed felt they had a strong understanding of the financial implications of a digital breach for their companies. However, roughly one-third said they were not very confident about their grasp of the legal ramifications for the company – and themselves – subsequent to a breach. This is problematic since, depending on a country’s regulatory environment, boards and management may potentially be liable for this kind of risk. In the US, for example, shareholder lawsuits have been filed against boards following large scale data breaches.

High levels of stated confidence in company IT departments vis-à-vis data breach protection may be misplaced

As noted earlier, 84% of UK company directors and executives believe that their IT departments alone can protect their company from cyber attack1. Nevertheless, almost half (45%) of the UK companies surveyed have already experienced a cyber security breach. And 62% believe it likely that their company will suffer an attack within the next 12 months. So even on an empirical basis it’s clear that the IT department alone is not providing as much protection as would be desirable from cyber attack. Again, the only way to strengthen security is by implementing a company wide cyber risk management program with top-down ownership at the board level.

Internal company threats cause a significant number of serious breaches

When most of us think of cyber attacks, we have in mind criminals and hackers, and indeed, these groups form the highest cases of perceived threats to data security among those interviewed. Nevertheless, in a recent study by the European Centre for Media, Data and Society2, over half (56%) of European data breaches from 2005-2014 involved company employees or other areas internal to the organization (administrative errors, hardware issues, theft, etc.). Criminal hackers accounted for the remaining 42% of cases.


Of the UK companies surveyed, only 44% had cyber insurance in place. But as the results of the survey suggest, cyber security risk management and associated insurance need to be a central point of discussion at the board level for large companies. It is only at this level that broad policies can be put together that work synergistically to provide protection. And it is only at this level that gaps in insurance coverage can be found and rectified systematically, so that maximum protection is provided.

A tough, robust IT department will always play an important role in the cyber security management matrix. But as threats continue to evolve, tough will no longer be enough: board level involvement in managing cyber risk and related insurance coverage is essential.

1 “Cyber: Joined up?”  AIG CyberEdge white paper. The paper was authored by Mark Camillo, Head of Cyber and Professional Indemnity, EMEA at AIG Europe Limited. Results based on more than 100 face-to-face interviews with respondents from very large companies in the UK. Respondents were C-suite members and other executive board directors. Interviews were conducted between September and December 2014.

2 Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe, 2005-2014 – Center for Media, Data and Society, 2014.

Date Published: 7/18/2016

Cyber Risk: How to Stay Smarter


In 2014, the FBI’s Internet Crime Complaint Center received over 250,000 complaints of cybercrime. In total, the individuals making these complaints reported over 800 million dollars in losses.

When you think of cybercrime, you may envision someone stealing your credit card number. However, there are other forms of cyber risk, including clicking on an unknown link: today, the average person—with good intentions—can accidentally download malware that harms his or her computer.

At AIG, we’re here to help reduce fear of the future and empower our clients through our risk expertise. To boost your cyber intelligence, read on:

4 Common Cyber Risks for Individuals and Families

  1. Identity theft: The cybercriminal steals another person’s personal information in order to access money or credit.
    Did you know: Young adults make nearly 1/3 of identity theft complaints.2
  2. Phishing: The cybercriminal tricks an email user into revealing personal information that the cybercriminal can use unlawfully.
    Did you know: These attacks can look like personalized emails that include links or attachments.
  3. Cyber Bullying: Posting damaging messages about another person online. Cyber bullies often post anonymously to avoid responsibility.
    Did you know: Damaging messages can go viral, causing serious harm to the victim’s reputation and well-being.
  4. Cyber Predators: These criminals search the internet for other people in order to manipulate, control, or hurt them.
    Did you know: Cyber predators regularly target young adults. It’s not only children and teenagers who are at risk.3

There are many ways you can reduce the risk of a cyberattack. To help protect yourself and your personal devices, consider these 7 cybersecurity actions:

7 Tips to Increase Your Personal Cybersecurity

  1. Set up strong, unique passwords for all of your devices and accounts.
  2. Password protect your Wi-Fi.
  3. Read emails and information online with a healthy dose of caution: if a deal or offer sounds too good to be true, it probably is.
  4. Install an anti-virus/anti-malware security suite from a reputable company.
  5. Make sure to regularly update your software and operating systems.
  6. Limit how much personal information you share online.
  7. Use a file scrubber to remove your files before you sell or recycle your old devices.

Smart parents share cybersecurity strategies with their children to keep the whole family safe online. You can help to protect your kids from cyber risks by taking these 5 steps:

5 Simple Ways to Keep Your Kids Safer Online

  1. Place a dedicated computer for your kids to use in an open area of your house.
  2. Filter and monitor your children’s online activities as you see fit. Parental controls can help you maintain a presence in your child’s online life.
  3. Create technology rules and post them where they’re visible. Modify these rules as your kids mature to reflect their changing online lives.
  4. Cultivate an interest in your kids’ online activities. Don’t be afraid to ask your children who they are talking to online and what they’re talking about.
  5. Model safe behavior when using technology. You can show your kids how to use technology safely.







1 2014 Internet Crime Report, Federal Bureau of Investigation Internet Crime Complaint Center, 2014, p. 8.

2 Stop Think Connect Resource Guide, (download as PDF), Department of Homeland Security, 2014.

 3 Stop. Think. Connect. Brochure, (download as PDF), Department of Homeland Security, 2014.

The content contained herein is intended for general informational purposes only.  Companies and individuals should not solely rely on the information or suggestions provided in this article for the prevention or mitigation of the risks discussed herein.

Publish Date: 5/13/2016

4 Ways to Recognize Aviation & Aerospace Risk


Recent man-made losses within the aviation sector have been trying for the industry. However, according to the International Air Transport Association, total global air travel demand increased nearly 6 percent year-on-year in 2014. Emerging risk management issues, like supply chain risk, are important given the continued increase in air traffic.

To help you recognize the real risks for aviation and aerospace companies, Mark Heath, Head of Aerospace and Security, UK, and Richard Powell, Regional Head of Aerospace Claims, EMEA, offer this advice:

1. Rotables Risk: Take it Seriously

Aerospace and aviation companies should proactively manage the risks of ‘rotables’, the aviation term for components and inventory items that can be repeatedly and economically restored to fully serviceable condition. Crucial questions to answer include: Which rotables should be taken out and replaced? How often? And when?

2. Working Lifespan Risk: Take it Seriously

Aviation and aerospace companies must keenly understand each component’s working lifespan, also referred to as the “mean time between failures.” It’s important to stay ahead of the game when it comes to maintaining, repairing, and replacing components given how many different products make up today’s aircraft. It’s not just the engine or the cockpit instruments—it’s the whole plane, from the passengers’ seats to the aeronautical data needed for a successful flight.

3. Supply Chain Risks: Take them Seriously

Supply chain issues can lead to rotables risks—and to liability risks as well. If a rotable manufacturer goes out of business or loses production capabilities, this can affect the supply chain. Often, the rotable, such as a fuel control unit, is made up of smaller components. So the little guy with a problem impacts the entire supply chain. It’s important to remember that airline management is held responsible when a component or components fail. There may be a degree of culpability lower down the supply chain, but it’s up to airline management to put a contingency plan in place to ensure they can function in the event of a supply chain issue.

4. Product Liability Risk: Take it Seriously

Demand for air travel has increased over the past two years, straining aviation capacity and components. Surprisingly, while insurance protects aircraft operators on a ‘per occurrence’ basis, manufacturers of aviation products have to live with aggregate limits on their policies. This means that manufacturers may not be protected by their insurance if a number of liability losses erode the coverage limit over time. To provide true protection for manufacturers, AIG has recently introduced an innovative aerospace liability product that offers up to $50M in coverage per occurrence, with no aggregate limit, for manufacturers of non-critical aviation components. To learn more about Non-Aggregated Aerospace Product Liability from AIG, click here.

AIG aerospace specialists partner with our clients to provide products and services that can help reduce these risks.

The content contained herein is intended for general informational purposes only. Companies and individuals should not solely rely on the information or suggestions provided in this article for the prevention or mitigation of the risks discussed herein.
Date Published: 6/22/2016

How to Reduce the Risk of a Cyber Attack


Cybercrime is on the rise, and the impact can be significant.  In 2015, there were over one million web attacks against people each and every day according to Symantec.1 And, over the past year, Norton reported that consumers lost nearly $358 on average per person.2 The cost to businesses is even greater, and experts expect the cyber crime costs to quadruple from 2015-2019. According to research conducted by Juniper, it is predicted that by 2019 the cost of data breaches will rise to $2.1 trillion globally. 3 And, of course, beyond the dollars, the cost in reputational damage, consumer confidence in the brand, and time to recovery can be enormous.

While major high-profile security breaches, such as those suffered by Target and Home Depot, make the biggest splashes in the global news, the attacks are not limited to national and multinational companies. For example, the largest online breach targeting credit card data in Australia’s history occurred in December 2012, when criminals attacked 46 small and midsize businesses – the majority of which were service stations and individual retail outlets.4

The principle lesson to be learned is that companies of all sizes are vulnerable to cyber-attacks. In fact, Microsoft research found that “20% of small to medium sized businesses have been targeted for cyber crimes.”5 Unfortunately, many don’t view themselves that way because they believe they are too small to be targeted. But from a risk management perspective, that is exactly the wrong attitude to take.

Because of the potentially devastating impact that a major breach can have – on both the top and bottom lines, on the brand, and along many other dimensions of the business – and because of the increasing likelihood that such an event may one day occur, it is prudent to rank cyberthreats as one of the three largest areas of exposure for essentially every business. According to Symantec, in 2015, a record-setting total of nine mega-breaches were reported. These breaches exposed 191 million records.1 As such, thwarting cyber attacks, as well as planning for how the company will respond in the event of a successful major breach, should be a C-suite-level concern, and not something relegated to the IT department and then promptly forgotten – until it’s too late.

An Ounce of Prevention

A first step in assessing your company’s exposure to cyberthreats is to conduct a thorough inventory of your data collection and data storage protocols. What kind of data do you have? How is it being protected? In addition, what does the threat environment look like for your company and industry? How frequently are your systems being attacked? Your competitors?

Fortunately, the majority of attacks are not as sophisticated as those that Target and Home Depot in past years. Most cyberthreats do not target a specific company, and they may be stopped by the use of basic IT security measures, including up-to-date antivirus software and robust firewalls. However, as noted above, it is highly prudent to be prepared to defend against more dangerous efforts and think about what to do should a major breach occur.

Business Continuity and Risk Transfer

A key step is to build cyberthreats into your company’s business continuity plans, alongside other kinds of potential major disruptions. How would your business function if it suddenly lost access to critical data? What kinds of plans are currently in place for dealing with a major data breach? Running scenario-based drills to test the impact and response times to various types of breaches will aid in identifying where your company’s greatest weaknesses are, so that they can be adequately addressed. As Home Depot’s example demonstrates, it’s never too early to start.

There may still remain areas where, for various reasons, risk cannot be managed internally. In this case, the best decision may be to transfer the risk via a cyber-liability policy. These policies should be viewed as a supplement to, and not a replacement for, good risk management policies. But they can provide a vital source of liquidity in the days following a successful attack.

By taking cyberthreats seriously and building them into your business continuity plans and practices, your company will be better positioned to survive a major cyber-attack and get back to normal business operations quickly.

1 “2016 Internet Security Threat Report.” Symantec, April 2016. Accessed online on July 7, 2016 at

2 2015 Norton report, published by Symantec Corporation.  Accessed online on July. 1, 2016 at

3 “Cybercrime Will Cost Businesses Over $2 Trillion by 2019.” Juniper Research, May 2015. Accessed online on June 21, 2016 at

4 Matthew Clarke. “Cyber attacks: It’s not a matter of if but when.”  Insurance & Risk Professional, June/July 2014.  Accessed online on Sept. 12, 2014 at

5 Jennifer Warnick. “Digital Detectives.” Microsoft. Accessed online at July 7, 2016 at

Date Published: 7/15/2016

7 Steps to a Cyber-Resilient Business


Cyber security is the most prominent risk issue facing company Boards of Directors and executives worldwide. We are inundated almost daily with accounts of major corporate data breaches and compromised networks. Recent high-profile attacks such as the targeting of point-of-sale terminals at Target, Home Depot and Staples, server software at JP Morgan, and employee databases at Sony, demonstrate how vulnerable even the largest and most sophisticated companies can be. In this highly challenging environment, board members and executives are, not surprisingly, unsure of how best to protect themselves.

Proactive prevention with a focus on cyber resilience: A “how to” guide

The first and most important step is to take measures to prevent intrusions from occurring in the first place. Just as a proper diet, exercise, hand-washing and regular flu shots are important to minimizing your odds of developing the flu, maintaining standard systems hygiene is critical to protecting your organization from being infiltrated by hackers. In fact, the Center for Internet Security claims that up to 80% of cyber attacks can be prevented by:

  • Maintaining an inventory of authorized and unauthorized devices
  • Maintaining an inventory of authorized and unauthorized software
  • Developing and managing secure configurations for all devices
  • Conducting continuous (automated) vulnerability assessment and remediation
  • Actively managing and controlling the use of administrative privileges1

Unfortunately, blocking four out of five attacks still leaves open the possibility that a substantial number of attacks might succeed. And today, it’s more a matter of when rather than if you will, eventually, be successfully attacked. What happens then?

Even well prepared companies may not know immediately that they have been breached. But those that have prepared for such an event will be much better off than those that have not. Just as conducting fire drills can save lives in the event of a real fire, preparing for the aftermath of a cyber attack can make an enormous difference in how quickly your company gets back on its feet and how well officers and board members do in the limelight after a major breach becomes public.


The good news is that building a cyber-resilience action plan is a step-by-step process that any company willing to commit the time and resources can accomplish. And, after ensuring you have good system hygiene, the next step is to put the right group together to work out the details. This working group should include a cross-functional collection of senior managers (Sales & Marketing, IT, Finance, Legal, Risk, HR, etc.) each of whom is willing to meet regularly to discuss cyber security, monitor evolving threats (as seen from his or her unique perspective in the company), and participate in modeling and analyzing hypothetical attacks.

Once formed, the group can begin to map out the plan by, first, assessing the company’s cyber risk profile. A recent study from Verizon has concluded that 95% of all cyber attacks can be analyzed in terms of nine basic patterns.2 A thorough study of the patterns, facilitated perhaps by the help of an external cyber security expert, can help the group determine the types of attacks their company is most vulnerable to; preventive measures can then be tailored to these patterns.

To go deeper, the team should then develop hypothetical scenarios, based on the most relevant patterns identified above, to help identify in detail possible attack modes, targets, vulnerabilities and impacts. There is no need for, and it is in fact a detriment to require, great precision in this exercise. No one can know for certain, ahead of the event, how much damage a successful data breach will cause in terms of lost revenue, reputational harm, or stock price declines. All that is needed are rough estimates that give enough sense of scale and types of potential harm to enable the team to put together a risk mitigation strategy.

Such a strategy will involve steps to mitigate the damage to the most relevant targets in an attack. For example, if a company determines that its greatest threat is malware installations in point-of-sale software systems, directed by domestic operatives, via vendor access rights, then it might consider investments in end-to-end encryption, Application White Listing (AWL), File Integrity Monitoring (FIM), system access software, vendor access controls and regular reviews of all vendor access logs.

It is important to realize that cyber-attacks cannot be fully mitigated. In these instances, having the right cyber insurance coverage in place can make all the difference in how your company performs in the days, weeks and months following a successful attack. Cyber insurance can provide critical capital and expert assistance when a cyber-security event occurs.

Companies may also want to acquire Directors and Officers (D&O) liability insurance to protect board members company officers against claims of negligence following a breach. In addition, they may want to review their property, casualty and business interruption coverage to ensure that sufficient protection exists in the event of a successful cyber-attack on the company’s infrastructure. Fortunately this type of attack has, to date, been rare. But such attacks are not unheard of, and the potential for them is growing more likely given current geopolitical instabilities, especially for multinationals with exposure in more sensitive countries around the globe.

By taking the steps outlined above, a company can increase its cyber resiliency and be much better positioned to quickly recover from a successful cyber-attack.

Cyber Series: Intro

Constantly monitoring the cyber landscape, we keep insureds at the forefront of the industry as cyber risks continue to evolve. Our preventative tools provide our clients with the knowledge, training, security, and consultative solutions to help them stay ahead of the curve.

Cyber Risk: The Board’s Role

On this edition of NACD BoardVision, Chris Clark, publisher of NACD’s Directorship Magazine and Lou Lucullo, Chief Underwriting Officer, Financial Lines, Americas Region at AIG, discuss what directors can do to mitigate cyber risks, and who are the most vulnerable targets.