He shared his thoughts on managing the frequency and impact of cyber claims and the importance for risk managers to understand how to quantify cyber risks.
The number of cyber claims seems to be increasing, as well as the costs. Should it continue, do you think companies really understand the likely impact of this trend on their business?
Many companies have yet to fully understand what it means to be exposed as a business to cyber risk – they approach cyber risk from a technical point of view, rather than a business one.
Companies tend to look at high-impact cyber risks such as a malware attack from a technical perspective and adopt fancy measures to protect themselves in order to reduce the probability of an attack – but do they also assess the potential business implications?
From a business perspective, you need to understand what could occur and why people might target you. Will production be interrupted? Will you lose the ability to keep track of orders from customers? There will be a huge impact. If you can assess this type of cyber risk from a business point of view, you can translate the cyber risk impact into cyber insurance quantification. This will provide the insight needed to work out how to avoid or reduce the risk and focus on the right protection and impact reduction – which I believe will reduce claims in the future.
To summarise, businesses need to improve their understanding of how a cyber attack can affect all aspects of their business in order to translate the risk into financial quantification and plan the most effective ways to prevent a high-impact attack.
With the market suggesting that the frequency and severity of cyber claims will continue to increase in the next 10 years, how do you suggest companies manage these across their entire business and workforce? Does there need to be a change in thinking to cater for this increased threat? Have you any guidance in terms of calculating the financial impact?
There are two very different parts to this question – frequency and impact.
To tackle frequency – it is necessary to upgrade your protection to avoid ‘internet pollution’ to prevent an attack reaching the business. In my opinion, this is the best way to reduce frequency. You can make an attack ineffective, but if someone really wants to attack you, they can do it anytime they want – and it is very hard to avoid.
It is easier to take action to reduce the impact.
You can define where the impact lies and how much it will cost to you if the attack reaches completion. Then you are able to put in place protection, detection, response and recovery measures to tackle a small part of the frequency and a large part of the impact.
You use the phrase ‘internet pollution’. How would you describe this?
Internet pollution refers to all attacks that have been made by a specialised group of attackers that try to target unprotected devices. Anything that is connected to the internet without the proper protection is open to an automated attack – especially in a business scenario where employees have access to targetable devices on which they could help the attacker to go deeper into your network.
Other automated attacks physically target the user – for example, an email containing malware which is activated when clicked. The most efficient attack is an attack that targets a user, with some attackers using specific email templates for dedicated sets of companies in order to appear legitimate and encourage clicks. Let’s say they send this email to 1,000 users. On average, at least 100 users will click on the infected link and activate the malware.
The only way to reduce the frequency of these types of attack is to raise the awareness of the threat and the resulting impact.
The change in thinking required, therefore, is the need to invest where necessary in automated devices to respond to this internet pollution, and the need to educate members of staff.
Companies need to be a lot better at advising staff on these threats and what to look for. Sophisticated phishing mails are difficult to detect, so education is the key element here and staff must adopt an air of caution before clicking on links in emails.
Organisations should also take measures to reduce the impact of malware spreading through a network once a user clicks.
Why do you feel it is important for risk managers to better understand how to quantify cyber risks?
Cyber risk is not a new risk. It’s a new way for business risk to happen and it is posing a bigger threat. In order to assess and reduce risk, you must first understand and accept it.
To gain a strong overview of all aspects relating to your company’s cyber risk, the first step is to identify how a business risk can occur through cyber means. It is important to assess how your cyber exposure will evolve over time as your company uses more and more digital technologies and strategies. This will all contribute to a growth in your company’s cyber exposure, and so must be evaluated at regular intervals.
You also need to assess your cyber security maturity and benchmark your level against that of your competitors and business sector, and assess the potential impact of your cyber risk. It may be worthwhile to obtain an impact assessment from a cyber security company.
This process of developing a risk manager’s understanding of how to quantify cyber risks can help in upskilling and polishing communications between risk management and IT. Typically, IT plays a key role in any cyber-related issue, yet IT technicians do not take a business-focused approach to the tasks they undertake and to the wider picture. Meanwhile, risk managers are focused on the business outlook, but don’t tend to speak the language of IT. Integrating cyber risk management with IT processes ultimately results in long-term benefits.