As South Korea investigates a suspected cyber attack that hit its major banks and broadcasters this week, the need for companies to adequately address their cyber risk has never been clearer.
Imminent changes to data protection regulations in Europe mean that the cyber market could soon experience rapid growth similar to that seen in the U.S., according to views expressed recently at an Advisen Cyber Event hosted by Willis.
Speaking at the event, Peter Foster and Tom Srail from Willis’ financial and executive risks practice (FINEX) explained how U.S. regulations requiring companies to have adequate insurance protection against cyber risks had rapidly expanded the breadth of cover available in the U.S. cyber market.
The pair concluded that the insurance industry has learned from mistakes in the U.S. and it is now well equipped to help companies in Europe to mitigate their risks.
Future of the Cyber Market
European insurers are seeking to improve cover and create consistent cyber risk products. Businesses are now beginning to benefit from the protection and confidence provided by quality cyber insurance products.
But as recent research conducted by Harvard Business Review and Zurich in association with the Federation of European Risk Management Associations (FERMA) highlighted, information security and privacy have become a significant concern for companies over the past three years. This was a view echoed by speakers at the Advisen Cyber Event.
Hardly a day goes by without another high-profile company reporting a serious cyber security incident. According to recent estimates, cybercrime costs companies around the world roughly $388 billion – that includes direct costs as well as the time lost to business as a result of cyber attacks. And yet, according to some, there is still complacency around cyber risk.
What Good is a Padlock on the Door?
Kevin Jones, Professor of Dependability and Security at City University London, expressed concerns about “off-the-shelf” hacking software that is more sophisticated than off-the-shelf defence software. Until this imbalance is addressed, he said, the risk of cyber-attack will only intensify.
Jones also explored the notion that if the value of today’s company is in its data, rather than its bricks and mortar, what good is a padlock on the door if there is a lack of appropriate, adequate and up-to-date cyber-security? This was a message that resonated with me.
He added that there is no such thing as one hundred per cent cyber security: businesses will always take an element of operational risk. And he urged chief information security officers to be proactive about cyber security. A cyber security policy, for example, should be a short, simple and easy-to-understand set of procedures and standards.
The Four Cs
Another session that I found interesting involved a panel of insurance and PR experts discussing the very real threat of reputational damage as a result of a cyber attack. Businesses should understand the risks and vulnerabilities of their systems and processes, and “plan for the worst”. These are the four key priorities, said Amanda Pierce, from PR firm Burson-Marsteller:
- Concern for what has happened.
- Control in terms of how to manage the problem.
- Commitment to prevent the problem happening again.
- Communication which should make up the response to any cyber-crisis.