Taking control of cyber risk
The pitfalls to buying business travel insurance for employees are plenty. But insurers have taken note and are offering blended but robust and bespoke coverage. From nat cat, criminalisation, crises, kidnap and ransom to pandemics, travellers are exposed to a growing number of complex risks, extending far beyond medical assistance. So how is the insurance industry helping?
Cybercrime is an escalating problem that demands constant attention to mitigate against financial and reputational risk. But what should boards do to ensure their organisation is protected?
When Facebook chairman and CEO Mark Zuckerberg faced the press after hackers stole data from up to 50 million social networking accounts last September, he said “we need to do more to prevent this from happening”.
It’s a typical response, the sort of reaction you get from CEOs when the data horse has already bolted. Unlike the CEO of Equifax, which saw 693,000 UK data records stolen in 2017, Zuckerberg kept his day job.The problem most boards have is that, following a cyber-attack and data breach, there is little more you can say other than “sorry”.
For Facebook and the many other businesses that suffered cyber-attacks in 2018, the real implications are still being felt: lost revenue, lost customers, fines (Facebook was fined £500,000 by the UK’s ICO) and ongoing reputational damage. The average cost of a data breach to a business is around $3.86m. For all businesses—even Facebook—it’s not just a case of “doing more” and expecting this will be sufficient in preventing further attacks.
Understanding the gravity of the cybersecurity threat and how to manage resources effectively to mitigate against it should be fundamental to boardroom decision-making
If 2018 proved anything, it’s that everyone and everything is a target, hackers are persistent and mistakes happen. This is why the forecast figures are always rising. On a global basis, cybercrime will cost $6trn annually by 2021, double the toll of 2015, according to the Official 2019 Annual Cybercrime Report from Cybersecurity Ventures. It’s one of many similar forecasts.
The important thing to remember is that it’s not someone else’s problem to solve. As AON revealed in its Global Risk Survey 2018, cybercrime is top of the charts when it comes to ranking risk, so businesses and boardrooms have to take control and minimise that risk where possible.
“There is no such thing as 100% secure,”says Mark Camillo, head of cyber, EMEA at global insurance organisation AIG. Understanding the gravity of the cybersecurity threat and how to manage resources effectively to mitigate against it should be fundamental to boardroom decision-making. It’s about top-down culture: if the boardroom takes it seriously and acts, the rest of the organisation will take it seriously too. A key part of that is being prepared for all eventualities.
Make a plan
A cybersecurity plan should be as much about cure as prevention. If you accept, in all likelihood, that at some point the business will be breached, the mindset has to be about continuity and recovery. No board wants to see all the hard work of a business be undermined within a few days due to a cyber-attack.
Every business should have a cybersecurity policy. This is essentially a plan for making sure the whole organisation pulls in the same direction when it comes to preventing attacks, but also knowing what to do post-breach. A comprehensive plan for
protecting data, networks and devices will ensure nothing is left to chance.
A cybersecurity policy should cover four main areas—compliance, infrastructure protection, recovery and employees.
- Compliance Detail what is expected of the business when it comes to managing data and how to adhere to the EU’s data protection rules in GDPR or US rules such as the HIPAA
- Infrastructure protection What and who will be protecting the data? Ensure that there is a coherent plan of protection, from a multi-layered software approach (antivirus, firewall, anti-malware and anti-exploit software) to comprehensive insurance cover. Who is in charge of this and how will software updates and patches be applied and data backed up?
- Recovery Who does what in the event of a breach? What is the action plan to isolating an incident and getting the business back up and running as quickly as possible? Who is going to communicate with regulation bodies, customers, partners and suppliers and deal with an insurance claim?
- Education The business needs a clear communication strategy to all staff about internet and email usage and best practice. Clear guidelines on what is acceptable usage, how to detect scams, how remote workers should access the network, social media regulations, password management systems and reporting incidents
Building a plan will focus the minds of the board. Cybersecurity is no longer a specialist field that concerns only the IT department or a chief security officer. A breach can affect the whole organisation and even put it out of business, so cybersecurity awareness training is now essential for everyone within the company. Human error is after all, the biggest culprit. According to Experian’s Managing Insider Risk Through Training and Culture report, 66% of the data protection and privacy training professionals questioned said employees were the weakest link.
The insurance safety net
More than ever, businesses need to protect themselves, physically, virtually and financially, from the threat of cyber-attack. By transferring risk to an insurer, boards can build a robust strategy to deal with threats.
Knowing where to start is often a problem, but risk can be measured. An insurance firm or broker should be able to model a company’s risk and provide feedback in terms of how their current risk level will translate in terms of premiums. This will also have recommendations on how to improve their risk score.
“We are modelling risk, looking at attack probability, claims data, internal security controls and so on to build a picture of a company’s risk,” says Camillo at AIG, adding that this data also builds a benchmark for vertical sectors. “This also helps with modelling risk costs and give companies clearer insight into what they need to do to reduce risk and insurance premiums.”
Interestingly, despite being one of the biggest safety nets for businesses, insurance is underutilised when it comes to cybersecurity. A survey in August last year by digital research firm Ovum found that only 38% of firms had cybersecurity insurance covering all eventualities. The survey also revealed a lack of understanding among companies of the impact a cyber-attack can have across an organisation.
A risk assessment goes a long way to educating both boardrooms and management, and bringing cyber intelligence into the business
A risk assessment goes a long way to educating both boardrooms and management, and bringing cyber intelligence into the business. “It’s an essential tool in giving more transparency and intelligence back to companies, and an entry point to more comprehensive cover that could also include incident response, forensics and legal and PR support from crisis management experts,” says Camillo at AIG.
A recent PwC report believes this is the future, and it’s already gaining recognition from organisations looking for solutions to the growing threat. PwC estimates that annual gross written premiums for cyber insurance will rise from roughly $2.5bn today to $7.5bn by the end of the decade. “Businesses across all sectors are beginning to recognise the importance of cyber insurance in today’s increasingly complex and high-risk digital landscape,” says the report.
However, the problem for the board is identifying policies that work specifically for cybersecurity and are not just bolted-on, often expensive, extras. As the Ovum study found, 62% of US companies reported they don’t believe their cyber insurer priced their premium based on an accurate analysis of their risk. This has to be an education for both insurer and insured, and demands more extensive risk modelling.
As with all specialist insurance sectors, cyber insurance cannot blanket cover a business and expect to be sufficient. Cover has to be designed to meet the urgent needs of a breach. It has to be 24/7 responsive, help cover investigations and fines, protect a business from the intensive costs of data recovery and reputational mitigation but also lost revenue.
Supplier and customer trust are fundamental to the ongoing success of a business. Few if any businesses can afford to jeopardise that trust. A cybersecurity breach, with potential loss of sensitive data is now one of the biggest, if not the biggest threat to that trust, placing more importance than ever on remediation, insurance and that often under-appreciated notion, peace of mind.
Top 5 recommendations for managing cyber risk
- Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
- Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances
- Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular time on board meeting agendas
- Board directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget
- Board–management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.
For more details download the Internet Security Alliance’s Managing Cyber Risk: A Handbook for Boards of Directors.
This article first appeared in Board Agenda
This article may contain third party content or links to third party websites. These content and links are provided solely for your convenience and information. AIG has no control over, does not assume any liability or responsibility for and does not make any warranties or representations as to, any third party content or websites, including but not limited to, the accuracy, subject matter, quality or timeliness.
##
American International Group, Inc. (AIG) is a leading global insurance organization. AIG member companies provide a wide range of property casualty insurance, life insurance, retirement solutions and other financial services to customers in approximately 70 countries and jurisdictions. These diverse offerings include products and services that help businesses and individuals protect their assets, manage risks and provide for retirement security. AIG common stock is listed on the New York Stock Exchange.
Additional information about AIG can be found at www.aig.com | YouTube: www.youtube.com/aig | Twitter: @AIGinsurance www.twitter.com/AIGinsurance | LinkedIn: www.linkedin.com/company/aig. These references with additional information about AIG have been provided as a convenience, and the information contained on such websites is not incorporated by reference herein.
AIG is the marketing name for the worldwide property-casualty, life and retirement and general insurance operations of American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries and jurisdictions, and coverage is subject to underwriting requirements and actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds.