On a panel at Risk-!n dedicated to risk managers sharing lessons from throughout their careers, SITA Switzerland’s Paul O’Dwyer told the tale of two risk events and what he learnt from them

Paul O’Dwyer, head of risk & insurance at SITA Switzerland Sarl, was in Ireland playing golf when he first learned about the collapse of AIG from a Sunday Times headline.

The news came as something of a shock, given the company he worked for at the time had all of its insurance with AIG.

Paul O'Dwyer

He told the audience at the Risk-!n conference: ”It was quite a crisis for me because I had all my eggs in one basket… I looked at the headline ”AIG on the point of collapse”, and I literally could not understand what I was reading.

For the next six months, O’Dwyer had weekly reporting to the chief financial officer, which added to the pressure that he was facing.

He said: “In fact, on a Monday morning when I got back from Ireland, he was on his way to the canteen and he passed at my door and said, ’Paul, don’t tell me that we’ve got all our insurance with AIG’.

“It was pretty stressful, and then I connected with a lot of risk managers. And I was frantically saying, how much have you got with AIG? What are you doing?”

Eventually he learned that AIG Europe was very secure and not affected by the crisis, but warned attendees; “it caused chaos, and it was very stressful… Don’t put all your eggs in one basket.” 

His next risk lesson comes from a cyberattack on his emloyer in 2020. Fortunately, the company had cyber insurance, following a protracted campaign from O’Dwyer.

He explained: ”I spent 4 or 5 years lobbying the CFO. Can you give us money for cyber insurance? We need to get this eventually. I got the money in 2017. A few years later, what happened? We had a cyber event.”

Despite having £50million of cyber insurance, the firms was facing what looked like an £110million event.

Luckily before taking out the cover, it had also beefed up its cyber controls with intrusion detection systems,  privileged access management., and multi-factor authentication across most platforms and systems.

He said: “That was very good and we handled it very well. But I’d been writing down the value of replacing credit cards, passports, potential regulatory fines, and I came up with £110 million. Luckily, we finished it at £3.5 million, so it wasn’t anywhere near as bad but that was because we had encrypted all the credit cards.

“And when the ICO commissioners and the regulators see that you’re doing risk management. They won’t penalise you. And of course, at this time GDPR was already in. And we were thinking they’re going to use us as an example.”

He says the key lesson learned from this is that you need to do risk mitigation before you put insurance in place. Particularly in capacity constrained areas like cyber.

He concluded: “We now spend £20 million a year, and we we spent an extraordinary expense of £40 million on improvements. And don’t forget, we encrypted all those cards. We were good at cybersecurity and yet we were hacked.

“It is totally about loss prevention and mitigation, making sure your CSO privacy team are separate and the SOC team is separate too.”