How can insurance help bridge the gaps that traditional cyber defence and IT spending can’t?
27 July 2017
Can you answer these questions:
- How would a cyber-attack affect your bottom line?
- What kind of attack would hurt you the most?
- Where does your cyber risk come from?
If you can’t, you’re not alone. Against a backdrop of increasingly frequent and severe cyber events, PwC and (ISC)² (the International Information System Security Certification Consortium) jointly hosted a seminar addressing these questions and how to become a better-informed buyer of cyber insurance.
An expert panel, comprising a cyber insurance underwriter, a security expert and a risk modeller, talked through the key steps companies should take to understand their own cyber risk profile, and how insurance can plug the gaps that traditional cyber defence and IT spending cannot.
The conversations on the day reflected an ongoing theme in the market: businesses and their boards are unsure how cyber insurance is priced, and are therefore unsure how to approach their brokers and underwriters with confidence to ensure they purchase the correct covers at prices that accurately reflect their risk profile.
Below are some initial steps individual businesses can take to understand the risks they face and begin a collaborative, constructive discussion with their brokers and underwriters on how best to mitigate those risks:
- Understanding the threat landscape – every company faces its own set of threat actors, from financially motivated cyber criminals to hacktivists, each with their own reasons to attack. Understanding how the industry a business operates in, and how the public perceives it, shape who is likely to target it is the first step in quantifying and mitigating cyber risk exposure.
- Identifying exposures – analysing the company’s key revenue-generating systems and processes, in particular those that depend on cloud services, store sensitive client data or intellectual property, or are interconnected with third parties, focuses attention on where a cyber-attack would do the most damage to the business.
- Scenario generation – assessing the circumstances under which the key exposures identified could become reachable by a malicious attacker highlights the specific scenarios in which the company could face large losses and severe repercussions. Knowing which events would cause the most damage should then inform the prevention and mitigation strategy, so that controls are chosen to reduce either the likelihood or the severity of those events.
- Impact assessment – finally, quantifying the expected impact of each scenario (including business interruption, incident response and legal costs, and regulatory exposure) allows resources to be allocated to prevention efforts in proportion to the risk. It also allows companies to understand which cyber insurance coverages matter most to them and to communicate this clearly to their broker or underwriter.
What issues did seminar attendees encounter in relation to purchasing cyber insurance? And how might their approach change in future?
- Attendees felt that no level of IT capability can eliminate the likelihood of becoming the victim of a cyber-attack, however much money is spent on IT infrastructure and defence; insurance addresses the residual risk that remains after those controls.
- Attendees agreed that, unlike traditional commercial insurance products, cyber insurance should be reviewed on an ongoing basis to ensure the purchased cover remains relevant to the company’s threat landscape and key exposures, both of which can change at short notice.
- Delegates also agreed that cyber insurers can add value beyond simply offering cover, by giving ongoing advice on how companies can reduce their exposure and by benchmarking companies against their peers.
- Finally, written premiums are expected to grow rapidly over the coming years, especially with the introduction of the EU General Data Protection Regulation (GDPR), which applies from 25 May 2018 and is expected to significantly raise awareness of cyber threats at Board level.
To better understand the threats and identify exposures, please get in touch with Domenico del Re.