23 May 2019 | News

Cybersecurity: no silver bullet

Responsibility for managing cybersecurity within companies, once the preserve of IT, is rapidly moving to a broader, shared ownership between the business and IT, with ultimate responsibility sitting with the board.

That approach is critical for companies, including re/insurers, to truly get a handle on this risk—but it is also increasingly a requirement of regulators, who want assurance that the companies they regulate have policies and procedures in place designed not only to prevent cyber crime in the first place, but also to deal effectively with any problems that arise.

That is how Kerr Kennedy, advisory associate partner, Financial Services, EY Bermuda, views a risk that now consistently ranks as one of the biggest concerns of companies of all shapes and sizes.

The Cyber Report 2018 published by the Bermuda Monetary Authority (BMA) late last year, outlines the regulator’s expectations for how companies should tackle this threat. This followed a notice the BMA issued in February 2018 outlining some expectations of licensed entities regarding the management and reporting of cybersecurity risks and incidents.

The regulator noted that, while most re/insurers have made efforts to enhance technology risk resilience, much work remains to be done before the BMA can achieve a level of assurance that the possibility of large-scale cyber attacks and financial and reputational loss is effectively mitigated. It outlined a number of things re/insurers must focus on (see box).

Kennedy acknowledges that re/insurers have implemented change. “As this risk has grown in stature, sophistication and potential impact, we have seen this responsibility move—quite rightly—away from just the IT teams, to a broader and shared ownership between the business and IT,” Kennedy says.

“Nowadays, we recommend, and are seeing, that ultimate responsibility for cyber has to sit with the board, as it is imperative that cyber risk is not viewed as some sort of IT risk or issue, but is in fact an entity-wide business issue. The board needs to set and drive the strategy for managing cyber risk in the organisation and we are seeing a continued uptick in both the levels of understanding and awareness of this topic.”

He notes that a cyber strategy should depend on the size and scale of an organisation, saying that it is not uncommon for companies in Bermuda to assign ultimate responsibility to their chief risk officer (CRO), for example.

“This is an appropriate place for this responsibility to rest. After all, cyber risk, while completely different from the more mature and common risks we are accustomed to, is still a risk and needs to be managed as such,” he notes.

“Applying similar risk management activities as you would to operational risk or other risk types is exactly how to approach cyber and having the correct owner, as well as the right organisational culture, will greatly assist an organisation’s efforts to mitigate this risk.”

Regulators drive standards

It is not just Bermuda’s regulator that is taking such a prescriptive approach. The New York State Department of Financial Services will now require a chief information security officer (CISO) to oversee and implement a company’s cybersecurity programme.

“This CISO role is becoming an increasingly vital role for organisations, and we are seeing a number of CISOs now being given a seat at the board level as well, which many security experts believe should be the case,” Kennedy adds.

He refers to EY’s Global Information Security Survey (GISS), which last year issued its 21st edition. This indicated that, of those 1,400+ respondents, 60 percent of those directly responsible for cyber are not board members.

He stresses that a robust cyber strategy should encompass (and involve) the entire organisation with clear ownership and oversight from the board assisting in delivering the consistent messages throughout an organisation.

“Business and IT teams must work together and break down the older, traditional siloed approach to risk management. Collaboration across the entity, with multi-functional teams working together with a common understanding and common goal, is critical,” he says.

“But the strategy itself should not be complicated or complex. Keeping things simple is key. A healthy combination of top-down activities, focusing on good governance and establishing appropriate policies and procedures, combined with more technical bottom-up type measures, such as risk assessments, attack and penetration testing and vulnerability scanning, etc.

“The strategy needs to have a strong focus on the basics; things like the data your organisation maintains and where that data goes, third party vendors, training and awareness levels of your staff and so on. The more clearly it is defined and articulated, the greater the chance the strategy has of meeting its objective.”

At the heart of this strategy, however, is also the question as to whether an organisation should enlist the support of external experts. Kennedy believes that this decision comes down to a question of expertise—and where organisations find that.

“One of the biggest risks in the area of cybersecurity is the lack of suitably skilled resources required across all industries to combat this risk,” he says. “Some of the larger insurance companies may have their own in-house experts, but it is much more common for the small to medium sized insurers to rely on external vendors to fill in the gaps.”

He says external advisers can be used in different ways. Some organisations may effectively outsource their security needs whereas others might use a combination of internal and external resources working together.

“It is also prudent for insurers to engage with external parties for periodic health-checks, or maturity assessments, as this provides a valuable, independent and unbiased view as to how the company is faring when it comes to cyber. This gives an organisation the strongest level of comfort with regard to the robustness of its cyber strategy, and I believe we will see such offerings become more commonplace,” he says.

Keeping pace with change

Whatever strategy a re/insurer uses, however, they can never stand still. Cyber by its very definition is constantly evolving and changing at a rapid pace.

Kennedy says the key to keeping pace with change is collaboration between all parts of a company and also the wider industry, sharing information and best practice. “The more teams work together, the more the industry works together, the greater chance we have of mitigating this risk to acceptable levels,” he says.

“There is absolutely no sign or indication that the cyber risk is ever going to go away, so it is going to take broad collaboration to truly get a handle on this risk.”

Kennedy also notes that the free sharing of information relating to breaches, suspected breaches, prevented breaches, etc. will increasingly be required, and that the right balance needs to be struck between mandatory reporting and voluntary reporting, one which still protects an organisation’s reputation, IP and/or brand.

He notes that, while the reporting of data breaches is mandatory under NYDFS and the EU’s General Data Protection Regulation, this does not account for the more common acts of business interruption.

“The more we can encourage data sharing on an enterprise scale, the larger the strides the insurance (and any other industry) will make towards keeping pace with the changing nature of cyber risk. Collaboration must first overcome the hurdle or stigma risk of being the victim of a cyber attack,” he says.

Kennedy stresses that as consumers continue to be more dependent on technology, this is only aiding the attackers. Attackers are identifying newer, subtler yet more damaging ways of performing attacks.

He suggests that the Target breach of 2013 was one of the first real large mainstream hacks, which resulted in the theft of 40 million credit card details and the personal information of around 70 million customers. That cost the organisation in the region of $420 million.

More recently, WannaCry and NotPetya in 2017 represented ‘game-changers’ for the industry. The former was a serious ransomware attack, but the latter started out in a similar fashion but ended up being nothing but an ‘infect-and-destroy’ attack, causing significant damage across the globe, the cost of which is estimated to be well over $3 billion and rising.

He notes that ransomware continues to be the most popular form of cyber attack, with social engineering and phishing coming a close second. The top two biggest cyber threats reported in EY’s 2018 GISS were phishing and malware (which includes ransomware). But he predicts that we will see an increase in hacks focused on IoT (internet of things), due to the current trend of more physical devices having an online presence.

“Many of these devices are deemed to possess numerous security holes, hence this could be an area where we will see some significant breaches and fallouts in the coming months and years. One recent example of such an attack was the Iranian cyber attack on the Atlanta government last year, which impacted utility, parking, court services, etc. This also demonstrates that cyber is not just commercial, nor is it just about personal data,” he says.

Risk and insurance

Kennedy says that, for all companies, good risk management starts with a robust risk assessment: identifying all relevant risks to the organisation, and then working through them to establish the extent to which each is mitigated by the controls already in place.

He notes that cyber risk also has a quantification element, whereby potential exposures can be calculated by running various scenarios.

“In conjunction with the risk assessment type work, organisations also need to work through and calculate their own risk appetite for the various risks they face, including cyber,” he says.

At this juncture companies must consider what their exposure to cyber risk is and what their appetite is for that same risk. If the exposure exceeds the appetite, cyber insurance can potentially fill the gap.

“The better the risk management practices, the more confidence an entity can have in its calculations, and therefore more confidently enter the cyber insurance market, should that be the course of action that entity decides to take,” he says.

He stresses that cyber insurance cover is becoming more readily available. Annual premiums are around $5 billion globally and growing. It is predicted that global premiums could reach around $20 billion by 2025. Kennedy characterises the product as relatively cheap for the buyer and relatively profitable for the insurer.

“However, there is a perception that while cheap in the buyer’s eyes, the buyer is not necessarily fully understanding of the risk—or what it is they are actually buying,” he says.

He acknowledges that it is often not totally clear what is covered in these policies, and there is general agreement that more needs to be done to assist would-be buyers. The industry lacks a standardised and consistent language. Kennedy refers to the GISS, which indicated that only 35 percent of those respondents who have cyber insurance, felt it met their needs.

He notes that another big area of concern is that cyber may be included as part of a wide range of different products. “We are seeing the introduction of specific exclusions in policies, but this is applied in some cases, not all. This adds further to the confusion for the buyer, as it is difficult to assess where they may already have cover, as well as identify what their potential uninsured exposures are,” he says.

From an insurer’s perspective, he notes, loss ratios are healthy, which has attracted new players to the market. Although this is positive for buyers, since it could drive prices down further, some incumbent players worry that some new entrants are focusing purely on revenue and do not have the right level of understanding of the risk.

“The fear here is that this could have significant negative industrywide impact some way down the line,” he says.

Kerr Kennedy is an advisory associate partner, Financial Services, EY Bermuda. He can be contacted at: kerr.kennedy@bm.ey.com