Cyber-Risk Insurance—an Interview with Judy Selby
Sitting down with the in-demand author and speaker
Judy has over 25 years of experience in insurance coverage litigation. She has particular expertise in cyber insurance and coverage under various policy forms for today’s emerging risks. As well, she is a prolific author and sought-after speaker on insurance, cyber, technology, and compliance issues. She has been quoted in leading publications, including the Wall Street Journal, Fortune, Forbes, Reuters, Directors & Boards, and numerous others.
InfoGov World: Where did you grow up?
Judy: I grew up in Brooklyn, but way before it was the cool place to be. My old neighborhood is famous for great Italian food, Saturday Night Fever, and over-the-top Christmas lights.
How did you develop an interest in cyber-risk mitigation and cyber insurance?
I started working on insurance coverage matters right out of law school. I handled very large and complex cases that went on for years and involved tremendous volumes of paper––and later electronic data in discovery. Because of my background, some former colleagues asked me to head up the eDiscovery and technology practice at my last law firm; I was responsible for managing the eDiscovery and data-handling processes for the massive Madoff litigations. I later co-founded the firm’s Information Governance practice as well. I concurrently studied cybersecurity, Big Data, IoT, and crisis management at MIT to develop a deeper knowledge of key issues affecting my practice. All this coincided with the emergence of cyber insurance, so it was a natural to marry my two areas of expertise and focus on cyber-risk mitigation and insurance. A lot of people are struggling to understand and deal with these issues, and I enjoy being in the position to help them.
What types of consulting work have you recently been engaged in?
I’ve been engaged in some really interesting consulting projects. I often work with companies to help them get appropriate insurance across a variety of traditional insurance lines, including Directors and Officers, Employment Practices Liability, General Liability, Property, Crime, etc. However, I’m most often retained to advise companies about cyber insurance. I negotiate for better policy terms, help companies select the right coverages, advise them about coverage pitfalls, assist with completion of the application, and help them to understand their obligations under the terms of the policy. I’ve supported technical teams doing cyber-risk audits. I review the results of the audit and work with the company to get insurance coverage for the identified risks. I also conduct insurance due diligence in the context of corporate mergers and acquisitions, and consult with private equity firms about insurance issues.
Over the past few months, I’ve become more involved with regulatory compliance engagements, particularly around the GDPR. I also advise corporate boards about insurance, privacy, cybersecurity best practices, and privacy/data protection compliance issues.
Has GDPR had an impact on cyber-risk in the U.S.? How?
Yes, but it’s not just GDPR. The New York State Department of Financial Services (DFS) cybersecurity regulation, the model cybersecurity law approved by the National Association of Insurance Commissioners (NAIC), and the recent cybersecurity guidance from the SEC are all requiring companies to adopt a much more mature approach to the governance of their information––recognizing that it is an incredibly valuable corporate asset to which a variety of serious risks are attached. The import of these new regulatory developments is that data security and privacy risks should be incorporated into the company’s enterprise risk management program. Information needs to be appropriately managed throughout its entire lifecycle, from its creation or acquisition until its ultimate disposition. Because data touches virtually every part of modern enterprises, reliance on a siloed approach to Information Governance is bound to create compliance problems and increased risk.
An additional impact of these new regulatory developments is the elevation of cyber-risk management to the board level. Going forward, I expect to see increased accountability on corporate boards concerning their oversight of these issues.
Do you see risk considerations as playing an increasing role in Information Governance programs?
Yes, I don’t think it’s possible to effectively govern information without knowing the company’s unique cyber and privacy-risk profile. After the company’s risks have been identified, steps can be taken to prioritize issues for remediation and to build processes to mitigate those risks on a going-forward basis. But unfortunately, despite best efforts, not all risks can be eliminated, so companies also should take a hard look at risk transfer through insurance.
Do you see more companies addressing risk management and creating risk management departments?
Yes, but I haven’t seen a uniform approach to the issue across the board. The “owner” of cyber and privacy-risk management within any particular organization might be a CISO, CIO, Chief Risk Officer, Risk Manager, or an assortment of other positions. Regardless of the title of the designated person, it’s important to take an enterprise view and obtain input from a cross-section of relevant stakeholders––including legal, compliance/privacy, procurement, IT, human resources, and marketing. Adoption of this type of approach will enable better risk identification and formulation of appropriate and effective comprehensive risk management policies and procedures.
What steps can companies take to reduce their cybersecurity risks in the near term?
I’m a big believer in getting an independent third-party risk assessment as a first step towards cyber-risk reduction. That way, the company can get a good understanding of what its exact risk profile is. No two companies are the same, so identifying the precise risks that impact the organization is vital in order to implement an effective cybersecurity and privacy program, develop an appropriate incident response plan, prepare any required regulatory disclosures, and obtain the right insurance coverages.
What do cyber-insurance companies look for in assessing the risk posture of a company?
Right now, there is no standard industry approach to this issue, but, generally, insurers will want to know the types and volumes of data the company handles (e.g., credit card data, PHI, PII, etc.), practices around data security, such as encryption, passwords, firewalls, adoption of cybersecurity and privacy policies and procedures, use of third-party service providers, data-retention practices, in-house cybersecurity and privacy personnel, any history of prior incidents, etc. Great care should be taken when responding to insurance policy applications because material misrepresentations, even if unintentional, may jeopardize coverage in the event of a claim.
How can companies reduce the cost of cybersecurity insurance?
One of the best ways to do this is to adopt and implement a sound and comprehensive Information Governance program. A company with demonstrably sound practices around data protection, regulatory compliance, and data hygiene will likely be viewed as a better risk to insurance underwriters, which should result in better rates and policy limits.
What do you like most about New York City?
I love the diversity of the people and pace of the city. It’s a place of both long-standing institutions and cutting-edge innovation. And being a huge sports fan, I love having access to all the major sports, particularly my beloved Yankees!
What is your pet peeve?
I’m certainly not a perfect grammarian, but I do have some grammar pet peeves. For instance, it drives me nuts when people say “Me and Joe went to the movies” or “None of us are going” or “between Joe and I.” I guess my elementary school English teachers in Brooklyn did a good job of hammering home those concepts when I was a kid.