Cyber is everyone’s responsibility

Everyone is responsible for cyber risk management because we all rely on IT, according to Richard Taylor, managing director at HDI Global, UK and Ireland, sponsor of this year’s European Risk Frontiers survey. All individuals need to be keenly aware that they could prove to be the weak link in the chain by simply clicking on the wrong attachment: vigilance is all, he said.

“In the world we live in, virtually everybody uses IT as part of their working life on a daily basis. With this in mind, responsibility falls to us all to ensure we are reducing our exposure to cyber risk by being aware of the threats that are continuously seeking out the weak link in the chain. Vigilance is the key word, from not clicking on ransomware-infected emails through to awareness of insider threats,” said Mr Taylor.

The identification and management of cyber risk really needs to be carried out by the C-suite and IT department working together. The development of contingency plans to minimise the impact of a cyber incident is also important, as is cyber insurance and the related services that can come with it, Mr Taylor said.

“There is also external assistance available, and this is where cyber insurance – with its ability to act both as a risk transfer mechanism and also provide clients with access to specialist cyber-risk-related services – can greatly support a business’s risk strategy,” he added.

Peter Hawley, specialist cyber underwriter in Mr Taylor’s operation, said that questions over which cyber risks are, or are not, insurable depend to some extent on the buyer’s risk maturity.

Cyber choice

“If the threat is acknowledged, if preventative measures have been enacted, if contingency plans have been created, and education has been disseminated, then most areas of cyber risk will find options in the insurance world,” he said.

“What is important to keep in mind is that not every event that involves IT is a cyber risk. For example, social engineering of an employee to enable the theft of data or funds from a company is not a cyber risk simply because a computer is used by the compromised employee; it is a straightforward crime. An awareness of this will ensure buyers know what their cyber insurance does for them, and just as importantly what other products they may need to supplement their insurance portfolio and avoid disappointment,” added Mr Hawley.

Mr Taylor said cyber capacity is currently adequate in the London market and pricing is becoming “more attractive” for customers. The market is “buoyant”, he said.

“There are still new insurers entering the cyber arena, with some offering specialist support and others pure excess capacity, while a large amount of US-domiciled business continues to come in. As the US is acknowledged as the most developed cyber market currently, this is indicative of the London market’s ability to meet customers’ expectations,” pointed out Mr Taylor.

“It’s an exciting time for the London market as expertise is developing in line with an understanding of the risk, so new and innovative cyber insurance solutions are appearing. This then leads to the capacity being deployed more easily by the correct insurers for the correct risk, and this in turn benefits the buyers who will be able to obtain the cover they desire,” he added.

Insurers can help risk managers manage and prevent cyber risk by facilitating “early engagement” from all stakeholders, said Mr Hawley. “Early engagement is key, and buy-in from all of the stakeholders is critical to success. A cyber insurance policy shouldn’t just be a promise of indemnity, it needs to be a risk mitigation tool and provide access to the types of service provider who are going to help lessen the impact of a cyber event should one occur,” he explained.

“This means spending time building a team made up from the insured, their broker, their insurer and the specialist breach response service providers – including for example breach response navigators, digital forensic experts, specialist legal counsel, public relations support, and credit monitoring services – in advance of an incident,” added Mr Hawley.

The cyber expert advised that trying to put this together in the middle of a crisis is not a great idea. “Risk management shouldn’t only be something up for discussion around purchasing time, but a constant dialogue between insurer and buyer – something which is made ever more critically important with such a fast-developing threat landscape as we see in cyber,” he explained.

All participants in this year’s European Risk Frontiers survey were asked what proportion of cyber risk is currently covered and what coverage gaps need to be filled. Mr Hawley said that, in his view, cover for property damage and bodily injury that results from a cyber-related incident will become more readily available as the market matures. “This is already available in some cases, but certainly isn’t the norm as yet,” he said.

Holistic approach

For this reason, a “holistic” approach to a client’s needs is very important. “Cyber risk exists in almost every area of the modern world, and therefore the same can be said about it existing in almost every area of a modern business. The London market is rapidly moving to understand this vast threat landscape and lead the way in providing solutions for clients, who understand the impact a cyber event could have on their business both in the short and long term,” added Mr Hawley.

The cyber expert advised, however, that the industry should look to ensure that cyber remains the trigger for a covered event and avoid a drift towards the less technical realm. “Cyber risk shouldn’t be an afterthought, as the failure to assess and take steps to limit the likelihood of a loss could have existence-threatening consequences for an unwary business,” he pointed out.

Mr Taylor does not believe that governments should step into the cyber market. The market can cope and is responding well, he believes. But there could potentially be a role for the state as the potential systemic risk becomes clearer, he added.

“The UK market traditionally has sought to find a commercial response to risks where it feels it can influence the outcome. Cyber very much fits into this, and as understanding of the risk grows then it will become clearer as to what systemic risks the market can take and where the state may be needed to offer assistance above and beyond,” said Mr Taylor.

“Cyber is not of course geographically limited, as is often the case with the risks referenced in the question. A business’s employees, servers and infrastructure can be located all over the world, so a government answer may have potential issues,” he continued.

“The cyber insurance market is vibrant; the level of development of innovative solutions to the ceaselessly ingenious ways attacks can be leveraged demands that we rise to the challenge. London, as the global insurance centre, is at the forefront of this and HDI is actively playing its part here,” concluded Mr Taylor.

This text was first published by Commercial Risk Europe in its “AIRMIC Conference Daily”.