Risk managers need to run tabletop exercises and facilitate discussions across their organizations to better understand their cyber risk and prepare for attacks, a risk manager said Wednesday during a session at the Risk & Insurance Management Society Inc.’s Riskworld conference in Atlanta.
Carey Almond, Atlanta-based director of corporate insurance at Colonial Pipeline Co., said risk managers should ask for cross-functional discussions to determine what their organization’s major risk is in the event of a cyberattack.
“For us, shutting down our pipeline was our key risk, but for your companies I’m sure it’s different,” Mr. Almond said.
In 2021 Colonial Pipeline was hit by a ransomware attack and shut down its pipeline, disrupting fuel supplies in the southeastern U.S.
Better understanding of the risk scenario will drive what insurance coverage is important to organizations, he said.
Companies should also run drills to prepare for what they would do in the event of an attack, Mr. Almond said.
Running a short tabletop drill internally is helpful so that risk, legal and IT teams are on the same page and know who will be doing what if there’s an emergency, he said.
For example, it’s important for everyone to know if the company’s cyber insurance policy specifies the vendors it is allowed to use after a breach, he said.
Cross-functional discussions are also helpful to answer questions such as: “If we were subjected to a ransom attack, would we pay the ransom? Do we have a policy on that? Are we going to debate it in the heat of the moment, or do we want to have some guidelines and establish the policy?” he said.
Many cyber underwriters now require that companies run tabletop exercises, said Andrea DeField, Miami-based partner and lead of the cyber insurance practice at Hunton Andrews Kurth LLP.
“If you’re doing them at your organization, that’s something you want to highlight as part of your application and underwriting renewal process, because it shows you are being diligent and thoughtful,” Ms. DeField said.
“I see a lot of disconnected organizations where the IT team, the CSO and his team are running drills like this, but they’re not involving the risk team, so it’s not very helpful,” she said.
Companies need to have all parts of the organization involved, she said.