Dave Woodfine from Cyber Security Associates Limited (CSA) on why comprehensive cyber audits and health checks are the key for the future of cyber risk and exposure management
Take it from an ‘outsider’ looking in, while there’s no doubt that cyber coverage will continue to grow and be one of the most promising areas of innovation in the insurance market, right now, it’s just not where it should be.
Consider this: the global cyber insurance market is projected to reach US$ 15 billion in value by 2022. And yet, thanks to the complex interconnections of supply chains and businesses, current modelled cyber insurance payouts in the event of a significant cloud service provider outage come in at US$ 14.3 billion alone.
Remember, these are losses stemming from just one cyber event. Anyone see an issue with that?
At the same time, with little established market practice in respect of insured risks and exclusions for cyber, there have been a number of recent high-profile denied cyber claims and reputation has been at stake.
Huge data breaches and far-reaching ransomware attacks in recent times have necessitated a rethink of cyber risk wordings, the overall exposure of the insurance industry, and the risk mitigation services encompassed within the products available.
The risks that cyber criminals present are not exaggerated. My 28 years in the Royal Air Force as an engineering officer paved my way into cyber security, and I spent the last six to eight years of my service directly involved with military cyber security.
This experience has allowed me to view the front line of cyber security through a unique lens. And when I look into common practices in the corporate world, I’m concerned that businesses are not as prepared as they should be, and that insurers are more exposed to cyber risk than perhaps they think they are.
From what I’ve seen, despite the risk evolving and people talking about it evolving, businesses are still falling for basic attacks, so there needs to be more action.
Yes, the implementation of GDPR did its best to focus people’s attention from a UK/Europe perspective, but there is still a misconception out there that if the right technology has been put in place, then no more work needs to be done.
The next frontiers
This couldn’t be further from the truth. When I think about the next frontier of cyber risk, I think about how it will penetrate supply chains and cause disruption from all angles.
And with the exponential rise of the internet of things, biological printers, drones and other autonomous vehicles soon to become ubiquitous, you don’t have to stray far into the realms of science fiction to find a very real systemic threat from cyber risk.
External hackers continue to successfully demonstrate their ability to cause physical damage through attacks, while regulators are demonstrating that they are serious about imposing public fines for privacy breaches.
Indeed it is not just external threats – insider attacks are on the rise thanks to internal operational vulnerabilities. In fact, it’s estimated that 60% of cyber attacks are now carried out by insiders.
Proactive risk mitigation
Cyber insurers can’t be cyber security experts themselves, but they should be working with them not only to make sure their own house is in order, but also to help the corporates they insure to implement comprehensive gap analyses and be proactive about cyber risk.
To comprehensively understand what cyber risk a company might be carrying, the processes, the technology and the people have to be carefully monitored. Too often, businesses think the risk of cyber just comes from the IT team, but this isn’t the case. There are almost always other factors outside of the IT team that play a part.
The reality is that anyone can be carrying cyber risk, so to become more resilient as a company, the cyber risk management approach has to be integrated into the culture and it has to come from the top.
Pro Global Partnership
Our cyber audit services have been carefully considered to ensure our approach can help deliver an integrated cyber risk audit, with the end goal of companies being more resilient and viewed as a better risk in the eyes of insurers, subsequently leading to improved levels of cover.
By providing round the clock cyber security across a number of networks; direct cyber security audit and health checks with recommendations; awareness training; emerging threat discovery advice; preventative measures; and possible business interruption loss calculations, among other things, we are able to help businesses and insurers transform the way in which they look at and manage cyber risk.
In addition to providing the appropriate set of tools and expertise to do this, as a partnership, we are able to help collate valuable insights from the information gleaned from these audits to help improve insurers’ cyber risk decisions, including pricing decisions and exposure management.
Cyber – no golden egg
Cyber is identified as one of the biggest risks facing businesses, societies and indeed the financial system, and as such it is only natural that the demand for cyber insurance is increasing.
But this is no golden egg, and insurers must ensure they are assessing the risks they face as accurately as possible. Together, we can help develop a market-leading cyber audit that keeps pace with the rapidly changing world around us, helping insureds better understand and mitigate their risk, and helping insurers get a handle on the exposure they are underwriting.