Holistic cyber approach needed to tackle fast-emerging risk

The decision about who to place in charge of cyber risk is not simple and needs careful thought. Currently, IT fulfills this critical role in most French organisations but it requires a more senior and enterprise-wide focused approach, according to Dominique Guérit, managing director of European Risk Frontiers survey sponsor HDI Global in France.

“In France, when it comes to cybersecurity, in many corporations the IT department is in charge. Obviously, it makes sense. But there could be a conflict of interest there; having the department in charge of the cybersecurity budget and decision-making all in one may not be that effective. As a matter of fact, budget security spend gets lost among other priorities. Carving out cybersecurity as a separate function could lead to better, more independent information security overall,” he told Commercial Risk Europe.

“But cyber security is not only a matter of technology, it goes far beyond: from educating and involving people to taking that responsibility and making it a cross-department top issue, meaning that all the employees of a given corporation have an active and crucial role in cyber risk prevention,” he added.

Mr Guérit believes cyber security needs to have its own senior representative outside the IT department.

“Ideally, the chief information security officer (CISO) would be jointly, but independently, working with the IT department of the company and reporting to the board members,” explained the insurer.

Two of the big questions for risk managers currently are whether there is adequate cyber insurance capacity and if it is fairly priced. Mr Guérit feels the coverage is fairly priced, but explained that the European cyber insurance market currently offers less than €500m in capacity. In France, the estimated available capacity is €300m. The market in the US offers $2bn to $3bn in capacity.

Despite the relative lack of claims history, Mr Guérit believes the current cost of cyber insurance is “very attractive” for clients, compared to the real risk exposure they face.

Mr Guérit said risk managers have a key role to play in cyber risk prevention. They must work with their insurers to come up with more effective solutions, he added.

“Risk managers today are highly expert and know a lot about how to assess their companies’ risk. Identifying and mitigating vulnerabilities is the primary stage. Cyber insurers are able to come up with insurance solutions that are embedded with the assistance of cyber experts to deploy pre-incident plans. Going further, simulating and analysing attack patterns can be part of the crisis plan to be developed or completed with cyber risk insurance,” he said.

External partnerships with other expert service providers have been identified by risk managers in this year’s survey as a useful development. The insurer agrees.

“At HDI, we cooperate with a number of professional partners in order to provide customers with valuable additional benefits that round off the support available for risk and crisis management. These include, among other things, forensic investigations, public relations work in a crisis situation and support for the recovery of data and programmes. Such services can be very cost-intensive; for example, if it is necessary to hire external consultants in the event of a data breach or after data theft. In the context of efficient corporate action, it is our view that these services constitute a particularly significant value-add,” Mr Guérit said.

Gaps in cyber coverage remain, so there is still plenty of development to come, he conceded.

“To date, the market is commonly offering business interruption and liability coverages following a cyber event, as well as fees and expenses related to crisis management. The consequences of loss of reputation are still difficult to assess and thus the market has some difficulties to quantify its exposure and deliver appropriate covers. Financial institutions have a big risk exposure and not all providers of cyber insurance are targeting those clients,” he said.

This text was first published by Commercial Risk Europe.