But this does not mean the board member should act alone, because cyber risk management requires dedicated professionals, added European Risk Frontiers sponsor HDI Global’s Mr Willeboordse. The board member should be advised by the data protection officer, the IT manager and the risk and insurance manager, he added.
Mr Willeboordse said that to manage cyber risk effectively it is important to balance out prevention, detection and incident response measures. All three aspects are essential for sensible cyber risk management, he added.
“We usually tend to focus on prevention but, especially for cyber risks, detection and response are just as important since incidents will occur and good detection and response can diminish the ultimate damage substantially,” he commented.
Awareness among employees is key to implementing proper prevention management, said Mr Willeboordse.
He pointed to a recent report from the Dutch Data Protection Authority that has again shown human error to be the basis of most data breaches.
“In other words, if awareness is absent all other prevention measures might become useless. As an underwriter, I’m happy to see more and more companies organise awareness campaigns for their employees. One of the driving factors of this trend is the increased availability of online cyber awareness training tools. With these tools, companies are able to educate their employees about cyber risks very efficiently,” Mr Willeboordse told Commercial Risk Europe.
The insurer said that auditing, testing and reviewing procedures and protocols are other important elements of IT security.
“These might look good on paper but are they actually used, do they work and are they still up to date? This is probably the hardest part of cyber risk management and often overlooked,” he said.
Mr Willeboordse said the insurability of individual cyber risks basically depends on whether the level of IT security is sufficient compared to the risk exposure.
“Some companies, such as energy providers, face huge cyber risks but generally have also implemented the highest level of IT security possible, making them insurable risks. Other companies with very low cyber risks can turn out to be uninsurable if they don’t even have the basic security measures in place. The rule of thumb here is that a cyber insurance policy should be the closing piece of risk management and not an alternative for taking adequate security measures,” said Mr Willeboordse.
He agreed with most others in the market that insurers have a big role to play in helping risk managers prevent and manage cyber risk.
He said that HDI Netherlands, for example, organises “brainstorm” sessions with risk managers, together with underwriters, risk engineers and external IT security specialists.
“Because every participant contributes its own expertise, these sessions are very useful to capture the cyber risk exposure as accurately as possible. We as an insurer can provide the risk and insurance managers with loss examples and scenarios that can be helpful to their understanding of the risk, but also to create awareness among the board members. In return, we receive valuable insights into the organisation of our clients, the barriers they encounter in the management of the risks and their biggest fears when it comes to cyber risks,” explained Mr Willeboordse.
All participants in this year’s European Risk Frontiers survey were asked if governments should create cyber pools to help foster the growth of a more vibrant cyber insurance market. Mr Willeboordse believes they are not needed for now.
“For the international insurers that already offer cyber insurance, there doesn’t seem to be a direct need for a cyber pool. The current Dutch cyber market already offers sufficient capacity and broad wording for the majority of risks, so the absence of a cyber pool is probably not the biggest obstacle to foster growth within the cyber insurance market. The complexity of cyber risk and the lack of risk awareness is a much bigger obstacle for growth and this can only be solved by education and experience,” he said.
This text was first published by Commercial Risk Europe.