Risk managers have stepped up to the plate on cyber, says Marsh

Marsh’s Brian Warszona is very impressed by how quickly UK risk and insurance managers have stepped up to the plate on cyber risk management and got to grips with the extremely difficult insurance market over the last few years.

He told Commercial Risk Europe that some of this work is reflected in much improved cyber claims records among large companies. But the broker stressed there is always room for improvement and gave top tips on how risk managers can further boost performance.

“I am very impressed with how far UK risk managers, in particular, have come with managing cyber risk and getting to grips with insurance through cybersecurity controls. Having lived through cyber insurance being rolled out in the US it took a lot longer for the US to grasp the severity of appropriate controls needed to procure cyber insurance,” began Warszona, cyber, media and technology practice leader in the UK at Marsh.

“I am impressed that UK risk managers will now say they don’t know and loop in their IT experts whereas previously they were reticent to say that and thought it was their job to know. The ability for risk managers to bring in other stakeholders that do know – like CIOs, CTOs, CISOs or anyone on the IT side of things that can help out – is a big step forward. They have also helped smooth over communication gaps between insurance and IT. So they have come a long way and I genuinely mean that. I am very impressed with how they have handled the last five years as they began to dip their toe further into cyber risk and insurance,” he added.

Much of this came against the backdrop of a rapidly hardening cyber insurance market where prices jumped almost overnight, capacity fell and restrictions mounted.

“They have gone through a global hardening market so it couldn’t have been fun for risk managers who stuck their neck out to buy cyber insurance and two years later it costs significantly more,” said Warszona.

He pointed to the improving claims trends among large organisations as proof that many have “bolted the door and done their risk management”.

But he was quick to stress that, despite this good news story, there is always room for improvement, not least because cyber is such a fast-changing risk and because hackers only have to get in once while companies must defend against attack after attack.

“When you look at organisations that are constantly dealing with new technologies it moves the goalposts in terms of what you have to do to be considered a good risk. But remember there is never a perfect risk out there. Some organisations get close, like defence contractors, but even they are being attacked by the most sophisticated methods,” said Warszona.

He added: “You need to think of this in three different ways. You have hardware changes, you have software changes and then you have the attack factors that change. So when you have all three of those changing on an annual basis, or more frequently, there is no way to have perfect security. I always say this to CISOs – you have to be right all the time but the attackers only have to be right one time. They have the ability to try thousands of attempts to penetrate an organisation.”

The cyber risk expert then gave key pieces of industry-agnostic advice to help companies further boost their cyber defences.

Number one is incident response testing and exercising. “Go through the scenarios that you are most worried about. Communication is a big part of that. Those go hand in hand,” said Warszona.

He also advises trying to understand your exposure from a number of standpoints.

“Get several third party opinions. If you have a serious illness you get multiple different opinions so you need to think about doing the same here. If you get one opinion it is going to be biased towards areas that the third party has data on or understands best,” he said.

And finally, Warszona encourages risk managers to use their cyber insurance renewal as an ongoing cyber risk assessment and mitigation process.

“I would also encourage companies to make use of the cyber insurance buying process to better understand your risks. There are so many different facets to a cyber policy and understanding how you get to buying the policy from a cyber exposure standpoint. Don’t think of it as just risk transfer. Think of it as a yearly learning session on cyber risk and exposure for your organisation. Don’t let it just happen once a year. Have multiple touch points with your broker and consultants, as well as with internal IT,” he said.
