Immature cyber risk management placing UK business at risk
These were some of the key conclusions drawn from Marsh’s Digital Threats conference held in Brighton at the end of May.
Despite an apparent lack of appetite for transferring cyber risk, underwriters at the conference stressed that there has never been a better time to buy cyber insurance products and risk managers would be well advised to take advantage of what is currently an under-priced product.
Although there are mounting concerns about the consequences of a cyber attack on customers and reputations, many leading European organisations are still taking an immature approach to cyber risk and have yet to fully embed cyber threats into their risk management strategies as a result, Marsh said in a statement following the conference attended by risk professionals.
According to the findings of a survey conducted during the event, 71% of respondents said that their concerns around cyber risk have increased in the last 12 months.
Furthermore, 54% stated that their organisation had recently been subjected to a cyber attack.
While 17% of respondents believe that the financial impact of a cyber attack could potentially cost their organisation in excess of $5m, 22% admitted that their organisation had not conducted a dedicated cyber risk financial impact assessment.
Only 23% believed that management of cyber risk is fully embedded and optimised within their firms.
Stephen Wares, EMEA Cyber Risk Leader at Marsh, commented: “The spectre of a cyber attack evidently looms large among the risks that risk managers believe could threaten the continued success of their organisations. Despite this, it would seem that in the majority of firms, cyber risk is still largely misunderstood and many struggle to implement a clear strategy to tackle it effectively.”
Marsh’s survey also found that only 12% of respondents stated that their organisation currently purchased cyber insurance cover, despite 76% saying that they were familiar with the products available.
Mr Wares added: “The fact that so few respondents buy cyber insurance, despite high product awareness, is a clear indication that the insurance industry has more work to do in educating clients and developing cover that will adequately respond to their needs.” But, according to underwriters at the event, a lack of actuarial data, high capacity and competition are all helping to reduce rates for what is a new insurance product with a relatively low take-up.
However, this may change as underwriters become better acquainted with cyber exposures, and once new EU rules governing data protection, together with the introduction of fines and mandatory notification in the event of a data breach, likely increase claims, coverage and, consequently, price.
“Cyber is a new book of risk and it is evolving all the time,” said Neil Arklie, Senior Underwriter at Swiss Re. “We are learning, gathering data and trying to assess risks and give an accurate price. But there is too much capacity in the market and this is forcing the price down. Right now it is probably underpriced so as we learn more and gather more data, don’t be surprised if the price goes up.”
The implementation of new data protection regulations will also be pivotal, said James Tuplin, Senior Tech PI underwriter at Allianz, which is about to launch its own cyber insurance product, thereby adding to the capacity in the market.
“Rates are falling through the floor at the moment,” he said. “There is a lot of capacity and no new EU regulations yet so in the next two years, and provided there are no large claims, cyber insurance will be as cheap as it can be. We are still not at the bottom because there are new entrants coming in and it is all about supply and demand. But when the EU data protection rules are fully implemented in 2016, prices will start to go up.”
Despite the favourable pricing, take-up of cyber insurance in Europe remains low. One reason for this may be the inconsistent way cyber insurance products are offered. As one delegate remarked, insurers are going to great efforts to promote their new stand-alone cyber products, but they continue to offer extensions to existing policies, and clients are consequently confused about which direction insurers will go.
According to Geoff White, Underwriting Manager Cyber, Technology and Media at Barbican Insurance, insurers’ preference is for stand-alone products, as is the case for a number of small and mid-sized firms.
“There is a resistance to a broadening out of existing policies. I don’t think it is right,” he said. The concern, said Mr White, is that underwriters looking to extend policies are doing so because of a lack of understanding of cyber risk and they will suffer as a result.
The challenge for insurers is to try and predict where the insurance market is going, said David Legassick, UK & Ireland Technology Manager at Chubb. “Our model is to offer the lot—both extensions and stand-alone. Cyber insurance is challenging because it touches on so many other areas—first and third party, property and liability and so on. The only way around this is to sit down with clients and work it out. I don’t think insurers should be afraid to make cyber insurance bespoke as long as both the insurer and the insured are on the same page.”
Another key message from the event was the need for cyber risk to be communicated in a different language in order to grab the full attention of senior management.
“When asked who deals with cyber risk we are often told that it belongs to IT and we are inundated with information about new hacks and new vulnerabilities but this information tells us nothing about risk,” said Conor McGovern, Chief Design Officer at Information Risk Management, a UK-based security consultant. “We need to express these cyber risk issues in a different way because the message does not always get through to senior management.”
Mr McGovern said that responses from CEOs to warnings about cyber risk often range from ‘way too techie’ to ‘internal audit takes care of it’ and ‘we’ve already spent millions on it so we must be safe’.
The failure to communicate the threat of technology-based risks is not helped by the lack of quantification tools, said Mr McGovern. “We need an elegant way to link all of these risk issues and articulate them in a meaningful, top-line risk statement,” he said.
Many companies are throwing more technology at the problem of cyber risk. But the absence of a mature methodology to measure the risk and express it in monetary terms, or as an annualised loss expectancy, means it is difficult to ensure that mitigation spend is commensurate with value, said Mr McGovern.
“Operations officers do not have unlimited budgets and they have to prioritise risks. But many companies are continuing to spend without properly defining the risks they are addressing. This spend also creates the misconception that these risks are covered,” he said.
The need to find an alternative means of articulating the threat of cyber risk was also noted by Jonathan Shaw, Practice Director, Defence and Cyber Security at consultant Digital Barriers and former cyber tsar at the UK’s Ministry of Defence. “We need to convince CEOs that cyber risk is a risk issue and not a technical issue. It is not a technical issue that can be fixed, it is a risk that has to be managed.”
Mr Shaw also urged companies to address the human side of cyber security. “The better your IT security, the more likely it is that hackers will turn to the human side and social engineering. And a difficulty with cyber security is that so many people hold keys. We need leadership to ensure that staff members do their cyber hygiene,” he said.