As we reported last week, Judy Selby has joined BDO Consulting from BakerHostetler to build up the company’s cybersecurity and cyber-insurance practice. As a managing director of technology advisory services for BDO Consulting, she will help companies address cybersecurity risks and transfer those risks through insurance.
Judy has a background as a litigator and e-discovery practitioner, which she has merged with her years of experience in insurance. Thanks to this somewhat unusual background, she is now an early leader in the emerging area of cyber insurance.
According to Fidelity Research, fewer than 10% of Fortune 500 companies are thought to have purchased cyber insurance today. Selby says that market penetration is increasing in light of recent high profile breaches, but not enough executives are yet aware of cyber insurance. We talked to her about why companies still ignore cyber risks, whether lawyers are a special risk, and how to get people to take the issue seriously.
So why have you made the move from a law firm to consulting?
I was still an active litigator, especially in the area of insurance, but my practice was starting to evolve to a much more consultative role in the areas around information and data. There is a lot of talk these days about the value proposition of Big Data, but there isn’t a lot of information about the legal risks, regulatory risks, and governance issues around the use of data. So my practice became much more consultative in those areas.
Cyber insurance is a new and evolving area. How do you explain its value to potential clients?
If you think of data as a corporate asset, it is really a valuable asset that needs to be protected as you do any other. That means you are managing risk correctly and there are policies and rules and procedures around it. With more traditional types of property, like a building, people understand the type of insurance they need, like for fires and whatnot. But with information people are not as savvy about the risks and coverages available. But getting people to the table is complicated by the fact there is no standardization of forms in the industry yet, so there’s a lot of confusion. But there are also still huge opportunities that companies could use to their benefit. But in order to do that they need to understand what their risks are and what their options are to protect themselves.
How did you get interested in this area? Was there a sudden realization or wake-up call?
I had been an insurance lawyer my whole career, and I had a number of big cases with extensive, ongoing, long-term discovery that would last years. So the firm asked me to start the E-Discovery and Technology team. So we wound up dealing with all of the emerging issues of discovery, including privacy regulations, the Health Insurance Portability and Accountability Act (HIPAA), and so on. So what happened is I married the expertise in data and security with insurance, which led to cyber insurance.
What are the fears scaring people away from cyber insurance?
There is a knee-jerk reaction some people have that claims are not being paid. In my experience that is not true. If you have coverage for a claim, it will be paid. But also, I think people are just becoming aware of the risk and realizing they need the coverage.
Believe it or not, some people are not aware or don’t think they are a target. Someone once told me, ‘we don’t have to worry about that, because we fly under the radar.’ But they are ignoring the fact that there are internal threats as well as external threats that can kill you.
How do law firms respond to the cyber threats they face? Are they waking up to the threats since the Panama Papers and other leaks have exposed the threat cyber-attacks pose to law firms?
Law firms are unfortunately viewed as a soft target. Law firms are aggregators of their clients’ most sensitive information, including documents in litigation, merger and acquisition information, or other important, confidential papers. So law firms are holding this information as well as their own business data. And then they have their own employee information and business records. Getting lawyers to appreciate the risk can be challenging, but that is finally changing over the last couple of years because of these well-publicized breaches involving law firms. A break-in is bad enough, but if it involves other people’s data it’s a really bad thing.
Now that you’re a consultant full-time, does that change the way you interact with clients?
The goal is to get in and help companies appreciate that there are issues they need to deal with. I want them to know that there are steps they can take to transfer and mitigate risks and use their data in productive ways and set policies and procedures that fit with best practices.
Right now organizations are overwhelmed with data and trying to decide how to either find value in it or dispose of it. What is your advice?
Well, there is a lot of data people don’t need to keep. That is a given. One of the huge issues is still with email, which is becoming a perpetual storage system for employees. But email is a communications tool, not a permanent repository. It would be helpful if employees would adopt that mindset: information that needs to be kept should be stored, and information that doesn’t need to be kept can be discarded. For example, if a friend of mine and I email 17 times over where to meet for lunch, I certainly don’t need to pay money to store and protect that forever. But just as importantly, there are all kinds of things in email that have confidential information and need to be stored someplace. Unfortunately, email is not stored in a way that comports with the ways Personally Identifiable Information should be protected.
But is there value in data, or is it just a burden and risk?
It depends on the data. People are making incredible use of data. If you think about the most valuable companies on the stock exchange, they are many times companies that didn’t exist a few years ago and own very few assets. Airbnb doesn’t own a single hotel and Uber doesn’t own a single car. They are platforms and utilize data that is supplied by third parties. Yet they provide tremendous value.
It’s not about all of the assets they own but what they do with them. Data in my hands might not be worth much, but data in the hands of a data scientist can be worth a fortune, whether looking for insights, ways to improve customer relationships, or ways to cut customer churn. The telecom companies can predict based on data when a customer is thinking about leaving and going to a different carrier, so that’s when they send a special offer in the mail.
So how do we improve coordination between lawyers, information governance, insurance, and data scientists, who all have different agendas when it comes to data?
You have to remember that it’s all related. Some companies embark on a big data project, and when that happens, you want someone to ask, ‘did we remove the confidential information or mask it?’ If we embark on a plan to sell or monetize data, someone should ask, ‘do we own the data? Do we have the right to sell it? What did we tell people when we collected the data? What rights do we have to use this data?’ I see the challenge with data as thinking through its entire lifecycle from creation through how you secure it, use it, and ultimately dispose of it, whether it is destroyed or sold. If you think about these issues in advance you can prevent a situation where you get a call from a regulator telling you that you have been using customer data inappropriately or have lost confidential information.
So what is your biggest challenge as you take on this new role?
The headwind remains getting companies to actually take action, to appreciate the risk. When you are dealing with an issue that doesn’t have a deadline, people push it. If you get a complaint or a subpoena, you have a deadline. But if you ask people to make an expenditure of funds and there is no looming deadline, they are likely to push it off even if they know they have a potential problem.
This was originally published on ACEDS.