Are you prepared to meet the serious challenge of cyber threats? Visesh Gosrani blogs on a key issue facing global business.
“It won’t happen to us!”
“How many insurers have you seen affected by cyber risk events?”
“We don’t have the budget to spend.”
All the above are real reactions to the risk that has been labelled by the World Economic Forum as the risk of the highest concern when doing business in many of its member countries. Conversely, many insurers are waxing lyrical about the growth potential for cyber risk insurance, even going so far as to proclaim this a new area of insurance expertise in its own right. Somewhat difficult to reconcile!
Information is king! Get to know where your risks lie
It doesn’t cost a lot to get an understanding of your cyber risk posture. The uncomfortable part of the exercise is the initial inertia and then reacting to the information you now know.
The Institute and Faculty of Actuaries (IFoA) Cyber Risk Working Party has just released its paper on modelling cyber operational risk: Cyber operational risk scenarios for insurance companies. The paper doesn’t try to teach you about cyber risk, as there are many other resources out there that already do this. Instead, it paints an enlightening picture of potential cyber events insurers are exposed to and the possible costs from these events.
This area of risk is evolving quickly
There are three key lessons which were learnt by the working party during this research. They included:
1. What you know today about Cyber Risk may be disproved tomorrow
The Working Party was surprised by the pace of change in the cyber risk environment and the limitations in their cyber knowledge. What brought this to life was the way that rationalised explanations were questioned by new Working Party members and the extent to which new cyber events changed initial expectations of the types of attack that might have the largest impact.
- 2017 saw huge losses for companies that were collateral damage in Russia’s cyber-attack on the Ukraine with the release of the NotPetya virus.
- The impact of WannaCry was significant despite it weaponizing an aged exploit for which a patch had already been released, and it could have been significantly greater if a cyber analyst had not investigated the code and both discovered and activated a hidden kill switch or, worse still, if no kill switch had been inserted.
2. Don’t start from scratch, use an existing framework
There are multiple frameworks to assess the cyber risk of your organisation. The NIST framework provides a large amount of detail, structured in an easy-to-use way, which helped the Working Party gain a much better appreciation of the likelihood and impact of events.
3. The assessment is significantly improved as a group effort
When assessing your Cyber Risk posture, relevant scenarios and their impact, involve a wide range of people within your organisation. This will increase the understanding of the cyber risk within your organisation and raise awareness around your organisation.
The variation in types of cyber events that can impact your organisation is huge. The three scenarios in the paper are very different in every aspect. This shows how varied the sources of cyber risk and their impacts are.
Neither be the dodo nor closest to the bear
Sailors hunted and ate the dodo to extinction after finding that the bird was incredibly easy to catch due to the fact it had no fear of humans. Once you have recognised this is a real risk, the exercises that you undertake to better understand your cyber risk may raise a large number of areas to be addressed. Whilst the different types of cyber actors have varying motivations for their targets, many will pick the path of least resistance. Therefore, it is not so important that you tackle every area of cyber risk to perfection, more that you are not one of the closest to the predatory bear.
Make sure you’re not closest to the bear – download your copy of cyber operational risk scenarios for insurance companies.