Cyber risk: “Risk managers should resist being driven by what insurers want to insure”

Despite a growing awareness of cyber risk among the European risk management community, the sheer volume of information and incidents can render if a daunting task to make the background noise relevant to the circumstances of a particular company. It may seem that, just as we begin to grasp the implications of one type of attack, the story changes and we need to be concerned about a new threat, but such is the nature of cyber risk. The attack surface for a hacker – the underlying technology upon which a business depends – changes over time, known vulnerabilities are patched and new ones emerge, security standards that were best in class when implemented are superseded. How can a risk manager cut through this noise, find what is relevant to their business and stay ahead of the game? 

The risk manager is a natural central point for the co-ordination of cyber risk management efforts, but they need the ongoing co-operation from key stakeholders within the business in order to successfully fulfil the function. Central to their task is to establish precisely what the material exposures to the firm are in the event of cyber attack, while not being too distracted by what is in vogue in the media or even within the insurance industry. This means communicating with the business and with the multiple functions within the business. However, the view of the risk held by the general counsel is likely to be materially different from that of the marketing director or the chief information security officer (CISO). The most concerning cyber risk items for one business division or group company could be materially different from another. Obtaining a rounded view of the firm’s risk allows the risk manager to prioritise and focus their efforts where the impact is greatest and mitigation controls can have the most effect. It also allows for the formulation of a definition of requirements for purchasing insurance.

While it can be tempting to get drawn into worrying about the latest hacking threats, it is the role of the CISO to understand the detail of the specific techniques deployed by hackers and ensure that the company is in the best place (insofar as its IT security budget will allow) to resist such threats. This CISO can provide a view on how likely an event is to occur, based on the company’s existing controls, but they are not necessarily the right person to describe the impact of the event for the company. A single security breach can lead to a range of different outcomes, such as regulatory sanctions, litigation with customers or suppliers, loss of key contracts or increased customer churn, and damage to property or even loss of life. Once the risk manager has identified the IT asset(s) at risk and determined whether the event is a loss of availability, confidentiality or integrity, then it is the communication with those key stakeholders that will bring to light the impact.

The steep learning curve experienced by risk managers is also true in their relationship with insurance industry. Insurance products that were put on the shelves a few years back were often rejected by potential clients as unfit for purpose or too expensive. The level of recent innovation has been rapid, and for those risk managers who may have rejected insurance previously, now is the time to take another look. The European market is very vibrant and the majority of insurers are willing to tweak their products to reflect a specific company’s risk profile where there is a reasonable fit with the underwriting appetite. 

Risk managers should resist being driven by what insurers want to insure, likewise they should not attempt to replicate or replace the knowledge already held by the CISO. Instead they should focus on becoming the central point within a corporate structure that can comprehensively identify, quantify and prioritise the actual cyber risk exposures faced by the company. Only then can they really know whether insurance could play a reliable and cost-effective role in the company’s response to these threats.

Stephen Wares, leader of Marsh’s cyber risk practice in Europe, the Middle East and Africa