URMIA Matters

Higher Education Risk Management Hot Topics 2021 vs 2109 – Cyber, Compliance and Small Office Support

December 29, 2021 URMIA Season 3 Episode 4
URMIA Matters
Higher Education Risk Management Hot Topics 2021 vs 2109 – Cyber, Compliance and Small Office Support
Show Notes Transcript

Join guest host Ronna Papesh as she chats up Steve Stoeger-Moore, President of Districts Mutual Insurance and Risk Management Services about what 2019 hot topics look like with 2021 insight and what valuable resources are available for Technical and Small Colleges with offices of one.  Check out these valuable insights, listen for words of wisdom, and reflect on the challenges had recently.

Show Notes  [member login required]

Connect with URMIA & URMIA with your network
-Share /Tag in Social Media @urmianetwork
-Not a member? Join ->www.urmia.org/join
-Email | contactus@urmia.org

Give URMIA Matters a boost:
-Give the podcast a 5 star rating
-Share the podcast - click that button!
-Follow on your podcast platform - don't miss an episode!

Thanks for listening to URMIA Matters!

Show Notes
URMIA website
Ask Lou
Call for Volunteers

Guest
Steven Stoeger-Moore - President, Districts Mutual Insurance & Risk Management Services

Host
Ronna Papesh- Website & Database Administrator, URMIA

Ronna: Hello and welcome to URMIA Matters - programs to advance the profession of risk management in higher education. I'm Ronna Papesh coming to you from the URMIA national office in Bloomington, Indiana.

I'm pleased to be your guest host today. As a reminder, you can find materials referenced during this program in the show notes. I'm meeting with Steven Stoeger-Moore, President of Districts Mutual Insurance and Risk Management Service. Steven is a long time URMIA member, and in fact was our very first URMIA Matters guest when we launched the series back in 2019. I invite our audience to listen to season one, episode two for more details on Steve's background and organization. Welcome back, Steve.
 
 Steve: Ronna, it's great to be here. Thanks for the opportunity. 
 
 Ronna: Oh, you are welcome. Now, Steve, I don't know if you've noticed, but the world is not quite the same place as it was in 2019. I'd like to revisit a couple hot topics from your earlier podcast and see how risk managers are dealing with them in light of the coronavirus pandemic and leadership changes in Washington, DC. You shared that cyber liability was a concern in 2019. Now I'm hearing that the cyber liability insurance market continues to be challenging. Can you explain why this is the case? 
 
 Steve: Ronna, cyber liability marketplace is significantly challenging and there are a number of reasons I'll try and articulate. Since we last spoke, there's been a significant increase in frequency and severity of loss. Predominantly around ransom and as the bad actors get better at what they're doing, it creates more and more of the exposure associated with data ransomware. Because that frequency and severity has spiked and continues regrettably to go up, that's created some significant challenges within the marketplace. 
 
 So let me explain a little bit more if I can. Underwriters are being more and more restrictive with their data needs in order to consider an application for cyber liability coverage. So the underwriting guidelines have gotten more and more restrictive. For example, if a prospective insurer does not have multi-factor authentication, it's very difficult for an underwriter even to pick up the file to give that any more due diligence. 

So there's some really exceptional kinds of things going on in the marketplace including that restricted underwriting. We're seeing a decrease in limits, which is known as a capacity. For example, if you had $10 million of limits upon renewal, you may not be able to get. Maybe I will only to be able to get five. There could be some significant changes in your deductible layer, meaning it's likely to go up in some cases, very significant, right?

A policy oftentimes contains a number of different sub limits. Those may very well have lowered limits on them or some of those sub limits may very well, no longer be included in our policy. With the frequency and severity of loss and those other kinds of conditions that creates a very hard market for the cyber liability and as such potential insureds have to be very, very cognizant of how difficult it is now to underwrite cyber liability insurance. So anybody who's a prospective policyholder has to have a very, very strong application, has to have very strong data that shows the sorts of losses they've had. And if there's significant losses, that's going to be detrimental to that potential insured and underwriters are looking for several different things as kind of a baseline in order to write coverage like multi-factor authentication comes immediately to mind. That's considered sort of a must now for an underwriter to look at. 

Ronna: How do you think that the pandemic effected the insurance market? 
 
 Steve: Well, the pandemic had a very interesting, unfortunately negative impact with home-based employment, becoming ubiquitous that created a significant exposure for cyber liability, because most of the individuals who were discharged from work on a Friday to work at home on a Monday really did not have the right kinds of protections on the equipment that they took home to try and be productive from a home base. So lots of opportunities, unfortunately, there for hacking and for data breach. 
 
 Ronna: I've wondered about that.
 
 Steve: That has had a significant negative effect on the insured. And when underwriters look at again, what's happening in the marketplace, if there's a large cadre of individuals who are still working from home without more significant cyber protections in place, that will be a very problematic underwriting exercise.

Ronna: So what advice can you give to institutions regarding cyber liability?

Steve: I think the first thing that everyone needs to be cognitive of, it's not a matter of if you're going to be breached, it's a matter of when. So the protections that are necessary to be in place really ought to be considered essential components with immediacy - like multi-factor authentication is oftentimes talked about as being kind of a baseline now. 
 
Work with your insurance. If you're going to be a commercial insurance holder, you're working through a broker and typically the brokers have very, very good information on what you need to have in place to have a favorable review of your cyber application. 

If you're a new, potential, cyber liability policy holder, you have to be very, very conscious of the amount of information underwriters are looking for now. So the underwriting process has gotten more and more complex as the marketplace has gotten harder and more difficult to access. 
 
 Ronna: Wow. That one, it sounds like it's really challenging. Another hot topic you discussed in 2019 revolved around compliance requirements for institutions. How have recent events added to that burden? 
 
 Steve: That's a great question, Ronna. Colleges and universities are required to become compliant with a number of different pieces of legislation. Like the Cleary Act,  Violence Against Women Act. There's a campus security report that has to be done. All of these reports typically by the department of education require significant time and talent for the university or the college to invest in order to do those properly. What's at risk, frankly, is a reduction of, or actually a withdrawal of any kind of federal funds to the college university.

Well, that means that you may not have dollars to disperse in financial aid. Those dollars come through to department of education. So the colleges must be compliant if they want to continue to have the resources available through the federal government. And again, that requires time and talent. The unfortunate part about that is once that time and talent is having to be utilized to compliance, you don't have those resources to use for education.

Ronna: Which is the reason for universities and colleges to exist. 
 
 Steve: Exactly. The primary reason is to provide education and when education or the ability to deliver education is compromised, that becomes problematic because you're no longer fulfilling a primary mission, which is the delivery of high quality education.

Ronna: Wow. I wasn't aware of that. You work with 16 community and technical colleges across Wisconsin. Is it true that only a few of those institutions have a full-time risk manager?
 
 Steve: That is true Ronna, uh, high quality individuals that work at the technical colleges, but not everyone is a formal risk manager by title or training, frankly, a number of those individuals have multiple responsibilities.

Ronna: Well, it sounds like those administrators are stretched thin regarding risk management responsibilities. Why does your website describe you and your team as collaborators in risk management? 
 
Steve: Uh, Districts Mutual Insurance Ronna, was actually formed by the 16 Wisconsin technical colleges.

They are our exclusive members. We're not a sales and marketing organization, but what we are is a service organization to the technical college members. So the collaborator in risk management byline really expresses the relationship we have with our 16 college members. We support their local risk management initiatives, and we have insurance products that are sold, we collect premium for those insurance products. But I think the key thing that we do is we support the colleges local risk management and mitigation efforts through a variety of ways. We have a consultant team, my team members that work exclusively with the colleges to support their environmental health and safety, business continuity, and campus security requirements or needs. So our consultant staff works with the colleges on those specific areas of expertise. And my teammates really are subject matter experts and they devote their time and talent to support the colleges at no cost to the colleges. We conduct a, a monthly newsletter electronically called the Incident Report, which is really a way to deliver more hot topic information to the colleges. It's kind of an instructional piece, but it's done monthly via electronic distribution. 
 
 Um, we host quarterly meetings with our members to talk about what's happening in the marketplace. Here's what's happening with new insurance products. We talk about how to do claims so, much of what DMI has set up, frankly, is all best practices for the colleges to follow.They don't have to reinvent something then because we utilize it as a best practice or as a template, if you will. 
 
 We have a very robust website. That's a growing resource for our colleges. Its password protected so any of the colleges can have access to it. That's where we have all of our proprietary information that's either been prepared by legal counsel by one of the consultant team or a, another consultant that we might engage on a specific topic. So all of the resources that DMI has are available to the college at no cost. And once again, the collaborator name is really how we view our selves. We do not comply or expect the colleges to comply. We advise, we consult, we, we try and be proactive. We try and be an advocate on behalf of the colleges. And we offer our resources to the colleges to support all of their local efforts. 
 
 Ronna: I bet those Wisconsin institutions really appreciate that help. 

I was looking at URMIA membership demographics the other day. For roughly 20% of our member institutions, risk management responsibilities fall to just one person - often along with many other responsibilities. So what advice do you have for others in that situation? 
 
 Steve: One of the things that DMI adopted many years ago, Ronna, was to watch the philosophy that everyone's who risks. Not just the party who holds that title or who has those responsibilities. Now that's a bit of a cultural change, so that's not going to happen overnight. But if you look at adopting that sort of philosophy, that everyone's a risk manager, then that means that people who are in the chemistry lab or in the auto shop or in the welding lab, they're risk managers. The best manager of a particular classroom or lab, frankly, as that lead instructor. They're expert in their field. 
 
 So we look at trying to multiply the role of the risk manager to multiple individuals and creating a top down buy-in on the importance of risk management. And by top-down I mean, the philosophy of everyone's a risk manager really has to start with the college president or the provost or someone in a significant senior leadership role that begins to have the understanding that everyone is a risk manager because higher education is risk producing, not risk adverse. 
 
 But one of the things that we also want to be is that is the office of know K N O W not the office of N O. So when you're a risk manager, you're trying to protect the interests of the college or the university - reputation risk or financial risk or whatever you want, want to think about there, but at the same time, we want to be able to figure out ways to allow process, to move forward in a manner that protects the college. So what are the risk management steps you put in place in order to protect the college? So instead of just unilaterally saying NO or something, let's figure out ways to get to yes. To be the office of know as in K N O W.
  
 Ronna: I like that the let's find ways to get to Yes. So how does URMIA factor into this? How can URMIA help these people? 
 
 Steve: Well, URMIA has just a marvelous resource. In my opinion, it is the go-to resource for higher education risk management issues. 
 
 URMIA, as an organization is very inclusive, has wonderful volunteer opportunities and has a marvelous resource base to draw. The website is replete with documents and templates and other kinds of information that could be very useful. And because higher education tends to have some similar kinds of exposures like residence halls or athletics or, um, driving vehicles, and the list just goes on and on - there's very much an opportunity when you network with colleagues to learn how other people address a similar issue.

And there's no such thing as a copywrite among the URMIA members. URMIA members are very willing to give you their documents as a resource base, and oftentimes are simply invited to put your name on it and call it your own. So it's a wonderful organization that shares vital information about higher education risk management.

Ronna: So, what I'm hearing is that risk managers don't have to go it alone, that everyone is a risk manager and URMIA membership gives them a wealth of information and best practices. 
 
 Steve: Yeah. It's very well set. Yes. When you work, when you work in commercial insurance and the colleges and universities would be considered a commercial exposure. There’s a wide range of resources available through the broker that you might work with and the resources that broker could bring to the table. So there are numerous resources that you can turn to if you feel like you're quote “stuck” end quote on a matter turned to URMIA and I'll bet someone will be able to be of assistance.

One of my favorite components of the URMIA website is the red button that says, Ask. Lou is going to do some research on your behalf. If you have a question or if you're just not familiar with how to navigate the website, because it has a tremendous amount of resources associated with it, Ask Lou, and he's very timely in his response to you. Um, and then also be aware of the daily URMIA website, uh, listings that you'll get as an institutional member, because there's always people volunteering information there on hot topics. 
 
 Ronna: All right. Thank you. So I'm curious, what excites you about your time on URMIA’s board of directors? 
 
 Steve: It's a wonderful opportunity to learn more about how the organization works kind of a behind the scenes opportunity if you will. The volunteers who are on the executive committee or on the board of directors are really wonderful, wonderful experts in their field. And that expertise is brought to the URMIA organization and shared with the URMIA team. And there's a wonderful team of professionals who run the organization, yourself and your teammates, terrific, terrific talent. 

But when we work together collaboratively and cooperatively, we can achieve some wonderful, wonderful things that are focused on higher education risk management that really focus on the needs of, and the hot topics of higher education risk management. That being said, Ronna, it's, it's fun to be able to utilize some of the skillsets that I've developed over the years and try and help another organization or another college or university.

So I'm certainly very open to the opportunity. It's been a wonderful experience so far.

Ronna: We sure have appreciated you. 

Steve: Thank you. 
 
 Ronna: Well, that's about all the time we have for today's episode. Steve, is there anything else you'd like to share that we didn't cover? I appreciate the opportunity to revisit a couple of topics with you, Ronna, and it's always a great fun to be at the home office here in Bloomington, Indiana. Looking forward to the executive committee meeting later today. 

Ronna: All right, great. I'd like to thank my guest, Stephen Stoeger-Moore for joining me on this episode of URMIA Matters.

Thank you, Steve, for sharing your insights on behalf of small technical and community colleges, it has been wonderful to talk with you. 
 
 Steve: Oh my great pleasure Ronna, thank you. Have a great day.