[BreachExchange] Cyber insurance: Creating a culture of risk management

Destry Winant destry at riskbasedsecurity.com
Tue Dec 18 09:20:16 EST 2018


http://www.dailymirror.lk/article/Cyber-insurance-Creating-a-culture-of-risk-management-159699.html

In today’s interconnected financial system, it is impossible to remain
isolated from online communications and commerce or immune from
network outages and data breaches. Cyber risks exist everywhere.


Although difficult to quantify, cybercrime may have cost the world
US $ 600 billion in 2017, according to an estimate by the Centre for
Strategic and International Studies. That is nearly twice the US $ 337
billion lost from natural and man-made disasters reported by Swiss Re
Institute.


Earlier this year hackers breached Under Armour’s MyFitnessPal app,
compromising the usernames, email addresses and passwords of 150
million users. In 2017, the personal data of 3.7 million Hong Kong,
China voters was compromised.


US credit bureau Equifax was likewise targeted, revealing 149 million
Americans’ credit information. The WannaCry ransomware virus led to
57,000 computer infections in 99 countries, many of them in small and
medium-sized organisations. And in 2016, a cyber heist on the
Bangladeshi central bank resulted in a loss of US $ 81 million.


Organisations clearly need to embed cyber security risk management at
all levels. This can be difficult for the uninitiated or unprepared,
yet inaction is not an option amid the intense scrutiny of regulators,
shareholders and media in the current marketplace.


Given the risks and vulnerabilities, it is critical organisations
match their implementation of technology with their risk profiles.
Every organisation should have a technology strategy that spells out
strategic intent and tactical delivery.


Implementation will only be successful if it occurs alongside
well-considered risk management that contains protective measures that
identify key information assets and transactions. A targeted approach
is required.


In this, monitoring and ongoing risk analysis must be the highest
priority and be dynamic, constantly scoring the enterprise’s
information assets amid timely implementation of controls. This could
be anything from “application patch management”—which stops security
vulnerabilities from executing on a system—to changing user controls
due to risks associated with “bring your own device” practices.


As cyber attacks proliferate, companies are increasingly turning to
insurance. Cyber insurance can help companies recover from the data
loss of a security breach or other cyber events, including network
outages and service interruption.


Statista, a market and consumer data provider, estimates that global
cyber insurance premiums for companies will reach US $ 7.5 billion by
2020, from US $ 2.75 billion in 2015. Yet, although this figure also
represents newly insured companies, the trajectory is unsustainable
for bottom lines.


Cyber insurance, an important component of business continuity,
nonetheless should be part of a larger comprehensive suite of controls
to ensure effective cyber security practices, operational resilience
and peace of mind.


Many insurers struggle to understand cyber security risk and how to
structure effective and affordable cyber security policies and
insurance executives are uncertain about the level of risk they are
comfortable absorbing. As cyber threats are complex and rapidly
evolving, insurers struggle to quantify cyber security risk with
limited experience and limited relevant claims data.


In addition, the data that companies collect can be inconsistent,
complicating the aggregation of information, the study of industry
trends and the quantification of risks. The fact that many
jurisdictions are reluctant to implement data breach notification
legislation exacerbates this problem.


Another problem is that the onus for assessing risk lies on the
underwriters, who need to use modelling, data and analytics to
understand potential exposures and to tailor coverage. Data science
and modelling tools can give organisations and their insurers risk
evaluations based on technical and behavioural data, providing new
insights into those risks using machine-learning techniques.


Although it is challenging to pinpoint the cost of such risks, the
costs would be enormous. The insurance market Lloyd’s of London recently
estimated that a hypothetical blackout leaving 93 million people
without power in the northeastern US could cost insurers anywhere from
US $ 21 billion to US $ 71 billion.


Many organisations are beginning to understand the need to model their
cyber risk profiles and invest in appropriate controls. But it would
be foolish to see cyber insurance as the only needed measure and hope
to never have to claim. After all, even though we insure our vehicles,
we always lock them and hide our valuables when we leave them
unattended.


We need to embed this culture into business systems by identifying
information assets based on their value to the organisation, their
value to customers and the applicable legislative and regulatory
requirements of the markets in which the organisation operates. Only
then can a cyber insurance policy be accurately sourced and priced.
This process will create the best policy to provide value to
organisations’ risk management postures.

