Insurers need to find a better way to assess cyber risk
Due to the ever-increasing use of digital technology and the volume of data being processed and stored electronically, every business needs to become much more aware of the risks that it faces. We have all heard of the high-profile data leakages at Sony and Ashley Madison, but how many data leakage events have occurred in the last 12 months that we have not heard about? In both cases it is thought that the leakage was caused through a socially engineered attack or weak internal systems control, but this is now outside the interest of mainstream media and forgotten about. It is often the case that the reputational costs of a data breach are higher than the monetary value of the data leaked and, as a result, businesses should not focus purely on data that has a perceived high value.
The loss of access to data through poor data management practices and system failures, rather than its disclosure, could have a major impact on a business in both financial and reputational terms, and is probably the more likely scenario. The Royal Bank of Scotland, Lloyds Bank and Nationwide Bank have all had online payment processing delays as a result of computer system failures following updates. Equally, there have been disruptions to business services from within the Cloud, with Office 365, Amazon, Dropbox, Google Apps and iCloud suffering prolonged periods of disruption as a result of internal planned maintenance and external communication failures. Some of these services have also suffered from denial of service attacks, where external users disrupt normal service operations by generating excessive network traffic to prevent service users from accessing the system. It is a sad fact that there are still many businesses that do not carry out regular data backups or have good backup management frameworks in place, yet would be heavily impacted by a period of downtime due to their high dependency on their computer systems.
Cloud services offer SMEs a big financial benefit over traditional on-premises computer systems and, as a result, Cloud service adoption has become a high-growth area. We would suggest that, in the main, businesses moving to the Cloud believe that they are offloading the business risk of managing their data systems to the Cloud provider. We fully recognise that there are significant gains in system reliability from using the Cloud, but there are still risks that the business needs to address that existed before the move, and there are new risks following the move. A failure in the Cloud service delivery supply chain or data access route could result in a business not being able to access its Cloud-delivered data systems, resulting in possible major disruption to its services and reputation. Due to the complexity of the Cloud service supply chain, there may be limited financial compensation from the supplier. Typically, Cloud clients have very limited business continuity risk management for their business data systems, as they have assumed that the Cloud will always be available.
Businesses need to recognise that Cyber risks are not all about hacking and data leakage and, whilst these are important, there are many other areas of risk that they need to be aware of and should not be complacent about. We would suggest that a holistic digital security strategy is needed which encompasses data security and integrity to protect data services, rather than focusing on point problems and their solutions. Businesses may insure against ‘Cyber risks’ by purchasing ‘Cyber cover’, but in our view the naming of such policies is outdated and adds mystique and complexity which only serves to confuse clients, resulting in this issue failing to feature high up the majority of boardroom agendas, particularly for SMEs.
The HM Government Cyber Security Breaches Survey 2015 shows that only 11% of businesses changed their business data handling after a data security breach. The Data Protection Act 1998 requires that controls be implemented to protect the data, but only if they are registered with the ICO.
The Cyber Essentials scheme provides businesses with clarity on good basic Cyber security practices to offer better protection against the most common Cyber threats, but it does miss some data risks. 51% of respondents in the HMG Cyber Security 2015 survey said that they do not plan to implement Cyber Essentials, with only 6% certified at one of the two Cyber Essentials levels.
Businesses can purchase risk insurance for Cyber Security, Computer, Business Disruption and Professional Indemnity that is relevant to their business to mitigate their Cyber risks. The range of products available from the market creates a perceived overlap in cover in the eyes of clients. This often results in clients not being insured for what they thought they were, or choosing not to take out insurance at all. 62% of businesses do not insure against Cyber security data breaches and 21% only insured after a breach, whilst they also reported that they were not aware that Cyber risks could be protected by insurance.
We would suggest that, for the majority of SMEs that have it, this insurance could be the only protection in place, with businesses not reducing the risk through training and management controls, despite this internal risk being the highest. Businesses do not see the Cyber risk as being of high importance, as only 10% of businesses surveyed are releasing budget for information security to meet statutory laws or obligations. Of those who are releasing budgets, the top three drivers for decision makers are protecting customer data, business reputation and preventing downtime.
This lack of observance of statutory legislation and obligations is a concern, but it shows how businesses perceive the Cyber risks they face. We would suggest that the smaller the business, the easier it would be to implement policies and controls to protect the business data, but this is typically where budgets will be the tightest. The only way that we see businesses investing in reducing the Cyber risk and its associated impact on their business is through education. Typically, advertising and marketing collateral for Cyber risk management seeks to make a direct sale and, as a result, alarm tactics are used rather than educating the reader on the benefits of maintaining business operations and the differentiation that managing this risk gives over competitors who choose to ignore it.
A major problem facing the insurance sector is how it increases awareness of Cyber risks whilst managing its exposure. As the insurance product offerings in this area are immature, most businesses, with their current perception, will believe that Cyber risk insurance is not relevant to them. A lot of SMEs will perceive the Cyber risk as being one of virus protection, credit card data or personally identifying data. They will only look to control the areas where they feel it is appropriate, whilst ignoring the problem of unplanned maintenance and the impact that downtime brings. Planning for failure is a critical change in direction for a lot of businesses as, without having implemented systems to recover from the failure, the costs and pains of the recovery will be much higher. Whilst insurance can cover these costs, the business will still be heavily disrupted when it happens. The insurance market has a portfolio of long-standing products that it sells to address computer risks, but these are not adapting quickly enough to protect against the non-material damage caused by, say, a Cloud service outage or data leakage. Business sectors need to be more aware of risk management relating to portable devices, the Internet of Things and other automated and connected data services, and of the management of these risks. How these risks can be assessed, and how the customer can be guided in ensuring that the risks to the business are known about and addressed in an appropriate manner by both parties, is what the market needs to resolve. The challenge that we see for the industry is that this is a rapidly changing market with a lack of Cyber risk awareness and control within many businesses that will be looking to manage their risk.
The specialist knowledge needed to advise the customer on how they could proceed will typically come from their internal IT support department, if they have one, or from an external service supplier. In both cases we would suggest that the party has a vested interest, either to confirm that things are configured for optimum protection or in selling more services. We would suggest that some external and independent verification process needs to be implemented so that the risks to the business are thoroughly assessed when selling insurance that protects against Cyber risks. Schemes like Cyber Essentials will allow the market to assess how a business manages the data risks typically covered by ‘Cyber Security’ products, but reputational risk and business disruption insurance may not have obvious Cyber risks, and we would suggest that this is all dependent upon how the business manages its computer systems and which sectors it may be operating within.
We would suggest that the market develop flexible and dynamic digital survey systems which allow risks to be better assessed without the need for detailed engagement of IT professionals. Such a digital survey should ensure that appropriate protection is applied to address the assessed risks and meet the business requirements, allowing for the rapid deployment of new measures and risk assessments as they are identified, whilst equally ensuring that only relevant questions are asked of those completing the assessment. Such a survey system could be completed by both technically and non-technically competent staff within the business, as it should be focused on the business risk management position rather than a technical one. The development of digital surveys will allow risks to be managed by exception against the norm for the sector, size of business or other factors that are deemed to need a detailed collection of evidence. Through a better understanding of the risks, we would suggest that both the client and the insurance sector will be better prepared to deal with their exposures.
We are in a position today where we carry around a lot of data on our mobile devices in documents, emails, contacts, CRM data sets and all the applications that we use. The devices that we use for business purposes are not all owned by the business whose data may be on them, and there are typically limited or no controls in place to take back the data when the employee leaves the organisation. Many businesses perceive that the Cyber Security risk is only relevant to large organisations and, as a result, have little or no management framework in place to manage the risk, with many not reacting to the future risk even after they have suffered a loss of service or data through a Cyber failure. Businesses are now storing an ever-increasing level of data and are increasing their storage capacity to accommodate regulatory data retention requirements or to empower them to understand their business and customers better through Business Intelligence systems. Businesses are pushing data onto the Cloud without considering any change in the risks to the business; in some cases they wrongly perceive that these risks are lower.
In some cases where a business is aware of the risks, it is not sure what it should do to address them, as its IT advisor is ambiguous or is trying to sell it something that makes the whole process more costly. The business might seek protection from the insurance market but is confused by what it finds or, in the worst case, is unable to claim on the insurance as it has not met and maintained the requirements of the policy because, for example, its computer systems have been updated. We would suggest that the market needs to make simpler product offerings that are aligned to the changing needs of the market. In order for these products to work, we would suggest that there does need to be some detailed assessment of the risk through an industry management framework covering all the Cyber risks: a framework that can react rapidly to the changing market and the risks that such development brings, so that customers’ unique needs can be identified and managed internally or through insurance as appropriate.
In collaboration with Abingdon Risk Consulting