1 November 2017

Cyber: a board responsibility

A board member should be responsible for managing cyber risks, according to Joppe Willeboordse, senior underwriter special lines – cyber at HDI Global in the Netherlands.

“Determining the desired level of cyber security is about how much it’s worth to the company to protect their reputation, business continuity and intellectual property. For that reason, weighing off the value of these items against the costs of cyber security can only be done by someone closely involved with the strategy of the company, being a member of the board,” he said.

Listen to experts

But this does not mean the board member should act alone, because cyber risk management requires dedicated professionals, added Mr Willeboordse of European Risk Frontiers sponsor HDI Global. The board member should be advised by the data protection officer, IT manager and the risk and insurance manager, he added.

Mr Willeboordse said that to manage cyber risk effectively it is important to balance out prevention, detection and incident response measures. All three aspects are essential for sensible cyber risk management, he added.

“We usually tend to focus on prevention but, especially for cyber risks, detection and response are just as important since incidents will occur and good detection and response can diminish the ultimate damage substantially,” he commented.

Awareness among employees is key to implementing proper prevention management, said Mr Willeboordse.

He pointed to a recent report from the Dutch Data Protection Authority that has again shown human error is the basis of most data breaches.

“In other words, if awareness is absent all other prevention measures might become useless. As an underwriter, I’m happy to see more and more companies organise awareness campaigns for their employees. One of the driving factors of this trend is the increased availability of online cyber awareness training tools. With these tools, companies are able to educate their employees about cyber risks very efficiently,” Mr Willeboordse told Commercial Risk Europe.

The insurer said that auditing, testing and reviewing procedures and protocols are other important elements of IT security.

“These might look good on paper but are they actually used, do they work and are they still up to date? This is probably the hardest part of cyber risk management and often overlooked,” he said.

Mr Willeboordse said the insurability of individual cyber risks basically depends on whether the level of IT security is sufficient compared to the risk exposure.

“Some companies, such as energy providers, face huge cyber risks but generally have also implemented the highest level of IT security possible, making them insurable risks. Other companies with very low cyber risks can turn out to be uninsurable if they don’t even have the basic security measures in place. The rule of thumb here is that a cyber insurance policy should be the closing piece of risk management and not an alternative for taking adequate security measures,” said Mr Willeboordse.

He agreed with most others in the market that insurers have a big role to play in helping risk managers prevent and manage cyber risk.

He said that HDI Netherlands, for example, organises “brainstorm” sessions with risk managers, together with underwriters, risk engineers and external IT security specialists.

Collaboration

“Because every participant contributes with its own expertise, these sessions are very useful to capture the cyber risk exposure as accurately as possible. We as an insurer can provide the risk and insurance managers with loss examples and scenarios that can be helpful to their understanding of the risk, but also to create awareness among the board members. In return, we receive valuable insights in the organisation of our clients, the barriers they encounter in the management of the risks and their biggest fears as it comes to cyber risks,” explained Mr Willeboordse.

All participants in this year’s European Risk Frontiers survey were asked if governments should create cyber pools to help foster the growth of a more vibrant cyber insurance market. Mr Willeboordse believes they are not needed for now.

“For the international insurers that already offer cyber insurance, there doesn’t seem to be a direct need for a cyber pool. The current Dutch cyber market already offers sufficient capacity and broad wording for the majority of risks, so the absence of a cyber pool is probably not the biggest obstacle to foster growth within the cyber insurance market. The complexity of cyber risk and the lack of risk awareness is a much bigger obstacle for growth and this can only be solved by education and experience,” he said.


This text was first published by Commercial Risk Europe.

Disclaimer

This company announcement contains forward-looking statements that are based on certain assumptions, expectations and views of the management of Talanx AG. These statements are therefore subject to a number of known or unknown risks and uncertainties. A large number of factors, many of which are beyond the control of Talanx AG, affect the business activities, business strategy, results, performance and achievements of Talanx AG. These factors, or the materialisation of the risks and uncertainties, may cause the actual results, performance and achievements of the company to differ materially from those expressed or implied in the forward-looking statement. Talanx AG does not guarantee that the assumptions underlying the forward-looking statements are free from errors and accordingly assumes no warranty that the forward-looking statements will materialise. Furthermore, Talanx AG assumes no obligation, and does not intend, to update these forward-looking statements or to correct them in the event of developments other than those expected.