Cybersecurity: Setting the tone at the top

Commercial Risk, 22 May 2020 (https://www.commercialriskonline.com/cyber-security-setting-the-tone-at-the-top/)

An organisation's approach to cybersecurity must be embedded within its overall approach to enterprise risk management, with boards responsible for enabling the right culture and frameworks, explain Sebastian Hess and Stephen Morton.

A world in lockdown has become a world in which attackers seek to exploit fears and the potential security weaknesses introduced by remote working. The latest research figures paint a stark picture. Even in an age of more stringent data protection regulations and increasing cybersecurity expenditure, companies remain vulnerable to breaches of sensitive data. The number of breached records globally surged by 273% in the first quarter of 2020 compared to Q1 2019, according to Atlas VPN (1).

Companies and their boards face a highly dynamic cyber risk landscape, including more targeted ransomware threats and, more recently, exposures associated with increased remote working. The latest handbook from the European Directors' Association (ecoDa) and the Internet Security Alliance (ISA) offers European corporate boards a series of strategic recommendations and guidance with which to establish an enterprise-wide cyber risk management framework.

Under constant bombardment

Three years on from the WannaCry attack, which impacted businesses in 150 countries, ransomware losses are becoming more frequent and more severe, according to AIG claims statistics. This is backed up by an external study (2), which shows that the number of ransomware attacks has increased each year since 2017. It is not just the prevalence of ransomware that poses a threat, notes Mark Camillo, head of cyber, EMEA at AIG. Attacks are also becoming more deliberate, with ransom demands that often begin at six or even seven figures.

As companies improve their cybersecurity, the bar for attackers rises, and they need to become more targeted in order to maintain their revenue streams. "Before, it used to be blanket malware where the cybercriminals were asking for fairly low amounts," Mr Camillo says. "Now they're taking the time to carry out more targeted attacks, and they are basing the ransom payment on how many servers they're able to encrypt. So, you're definitely seeing the quantum on these ransoms increase fairly dramatically."

The profile of potential ransomware victims has broadened over time, as illustrated by AIG's proprietary data within its Cyber Claims Intelligence Series. Financial institutions, retail firms and others holding significant amounts of sensitive data continue to be targeted by cyberattacks, but the modus operandi has shifted, with a resulting impact on the risk landscape. Many of the more severe claims being reported to AIG are coming from businesses that traditionally did not take out cyber insurance, including manufacturing and transportation logistics.

A boardroom liability

ISA's cyber risk oversight handbook, developed in partnership with ecoDa and AIG, aims to support European corporate boards as they seek to protect their businesses and people from cyber threats. It acknowledges that cyber risk is a board liability, with reputational and legal consequences when breaches and other cyber incidents occur.

The handbook is intended to promote the continued adoption of uniform cybersecurity principles for corporate boards, not only in Europe but across the globe. It recognises that an organisation's cybersecurity culture is set at the top and is not simply a technical issue that can be left within organisational silos. "Boards need to own this risk and sufficiently challenge executive management on cyber to make sure that whatever their approach is to cybersecurity, it appropriately reflects what the business needs are," says Mr Camillo.

The following is a summary of the handbook's five principles for managing cyber risk, along with key recommendations.

Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue

Key recommendations:

Principle 2: Directors should understand the reputational and legal implications of cyber risks as they relate to their company's specific circumstances

Key recommendations:

Principle 3: Boards should ensure adequate access to cybersecurity expertise and appropriate reporting, at both board and committee level

Key recommendations:

Principle 4: Board directors should ensure that management establishes an enterprise-wide cyber risk management framework which encompasses culture, preventive, detective and response capabilities, and monitoring and communication at all levels. Resources should be adequate and allocated appropriately by the strategies adopted

Key recommendations:

Principle 5: Board discussion about cyber risk should include strategies on its management (mitigation, transfer through insurance or partnerships, etc)

Key recommendations:

The role of risk transfer

Cyber insurance plays an important role in sharing some of the financial risk of a cyber loss, but it is just one part of an organisation's cyber risk management approach. The role of cyber insurers and brokers is to work proactively with clients to reduce the chance of a loss occurring. With clients currently highly exposed to ransomware attack, AIG is focused on loss prevention, providing services such as training, vulnerability scanning and threat intelligence to help clients prevent a loss from occurring.

It is the role of the board, together with executive management, to find the right balance between the risk that will be shared with the insurer and the other expenditure made to enhance the organisation's cybersecurity and mitigate its exposures.

There has been a natural progression towards multinational cyber insurance. For multinational organisations, deciding where to implement a local policy can be complex. It is important to understand where they have potential cyber exposures, including from customers, suppliers and servers, as well as where coverage may be required by local counterparties and whether a claim will need to be paid in country. As the cyber insurance industry continues to grow and mature, with an increasing emphasis on affirmative coverage, it is important to ensure that no exposures are left unconsidered and, as a result, uncovered.

Captives are increasingly being used as retention vehicles for cyber risk, and cyber is one of the fastest-growing captive business lines. Captives are another important potential tool within an enterprise-wide cyber risk management framework.

(1) https://atlasvpn.com/blog/number-of-breached-records-surged-by-273-in-2020-q1
(2) https://www.infosecurity-magazine.com/news/rise-in-ransomware-payments

Contributed by Sebastian Hess, cyber risk adviser, EMEA at AIG, and Stephen Morton, head of multinational at AIG Europe.