Airmic paper offers advice on how to overcome common concerns


Airmic has launched a report on cyber risk, addressing the main cyber insurance issues risk and insurance managers face. It argues that cyber risk is a strategic issue in which risk managers should play a leading role, and encourages organisations to revisit the cyber insurance market in light of significant developments in the past 12 months.

Cyber risk continues to be a number one worry for businesses, but only half of companies have a cyber insurance policy in place. According to the UK risk management association, risk and insurance managers have a clear role to play in assessing and managing the organisation’s cyber risk, as they should have:

  • The necessary understanding of the business at an enterprise level to visualise how a distinct cyber effect would be felt across the business and by its stakeholders
  • The internal connections with HR, audit, the board, finance, etc., to manage cyber risk beyond technical controls
  • The understanding of the insurance market and its associated services to provide additional support and risk control beyond internal security

Airmic’s new cyber paper additionally argues that there has been a shift towards more relevant cover in the past year and offers advice on how to overcome common concerns.

Georgina Oakes, research and development manager at the association and author of the report, explains: “Our report offers practical guidance for risk managers on how to lead the cyber risk conversation. It includes advice on how to identify key cyber-related assets, the actors that may target these assets and the potential outcomes. We discuss the key considerations that contribute to successful cyber cover, including the kind of information insurers need and steps to ensure cyber claims get paid. We also give some advice on how you can get a better relationship with your IT team including how you can persuade them to give up some budget to buy some insurance.”

Airmic members report that they are concerned that cyber insurance policies may not pay for the losses ultimately suffered by the business. Members are also concerned about the challenges faced when notifying insurers of cyber losses. “Cyber policies might require circumstances to be reported within a few minutes but the business might not notice it for a much longer time,” Oakes says.

Other challenges are the difficulty of proving and calculating the impact of a cyber incident. Many corporates struggle to prove that they have lost a certain amount of money because of a cyber event.

Oakes urges insurance managers to have a much richer dialogue with their insurers to understand exactly what data will be required to satisfy a business interruption claim as a consequence of a cyber event. “Before they purchase a cyber policy, insurance managers need to be satisfied that they can actually supply that information and within the required timescales of the policy.”

Six steps in assessing your organisation’s cyber threat

  • Identify your critical cyber assets: which pieces of data or IT processes need to be protected beyond all else?
  • Understand the cyber vulnerabilities: where is the critical asset being held or where is that process sitting within the business, how is that process and data used, and how can it be accessed by different people who are either inside or outside the business?
  • Identify cyber actors: who might want to access that process or piece of data and for what reason?
  • Identify cyber attack methods: the different techniques cyber actors employ to access your company’s systems. These include ransomware, trojan horses, phishing emails and DDoS.
  • Understand how you are protected against these types of attack method. This could, for example, be done by benchmarking yourself against a standard to make sure you have the right cyber security controls in place.
  • Understand what the loss would be, in case a cyber actor employs a cyber attack method and your protection doesn’t stop them. Will it be loss of funds? Physical damage? Business interruption? Intellectual property theft? Or just reputational damage?
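The six steps above map naturally onto a simple risk register, and the last step is where the insurance question in this article bites: a policy only helps with the loss categories it actually covers. The following Python is an added example written for this page, not material from the Airmic report or from Airmic; the organisation, assets, actors, likelihoods, control-effectiveness figures and loss estimates are all constructed for illustration, and the category names are assumptions chosen to match the loss types the final step lists.

```python
"""Added example (not from the Airmic report): a minimal risk register that
walks the six assessment steps and ties the result back to which loss
categories a cyber policy would actually pay for. Every asset, actor and
figure below is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    asset: str                    # step 1: the critical cyber asset
    exposure: str                 # step 2: where it sits and who can reach it
    actor: str                    # step 3: who might want it, and why
    method: str                   # step 4: the technique that actor would use
    annual_likelihood: float      # chance per year the method succeeds with no controls
    control_effectiveness: float  # step 5: share of attempts current controls stop (0..1)
    losses: dict = field(default_factory=dict)  # step 6: loss category -> estimated cost

    def inherent_loss(self) -> float:
        """Expected annual loss if the controls did nothing."""
        return self.annual_likelihood * sum(self.losses.values())

    def residual_loss(self) -> float:
        """Expected annual loss after current controls are credited."""
        return self.inherent_loss() * (1.0 - self.control_effectiveness)


def rank_threats(register):
    """Return threats ordered from highest to lowest residual expected loss."""
    return sorted(register, key=lambda t: t.residual_loss(), reverse=True)


def residual_by_category(register):
    """Aggregate residual expected loss per loss category across all threats."""
    totals = {}
    for t in register:
        factor = t.annual_likelihood * (1.0 - t.control_effectiveness)
        for category, cost in t.losses.items():
            totals[category] = totals.get(category, 0.0) + factor * cost
    return totals


def uninsured_exposure(register, covered_categories):
    """Residual expected loss that falls in categories the policy does not cover."""
    return sum(value for category, value in residual_by_category(register).items()
               if category not in covered_categories)


# Constructed sample register: hypothetical organisation, hypothetical numbers.
REGISTER = [
    Threat("customer database", "internet-facing web app; staff and third-party support",
           "financially motivated criminal group", "phishing leading to credential theft",
           0.3, 0.6, {"business interruption": 200_000, "regulatory/reputational": 150_000}),
    Threat("supplier payment process", "finance team mailboxes and ERP approval workflow",
           "fraudster", "business email compromise",
           0.2, 0.5, {"loss of funds": 500_000}),
    Threat("plant control system", "OT network reachable via remote-maintenance VPN",
           "extortion-focused criminal group", "ransomware",
           0.1, 0.7, {"physical damage": 300_000, "business interruption": 400_000}),
    Threat("product design files", "engineering file share synced to laptops",
           "competitor", "trojan delivered by spear-phishing",
           0.15, 0.4, {"intellectual property theft": 800_000}),
]

if __name__ == "__main__":
    for t in rank_threats(REGISTER):
        print(f"{t.asset:<26} {t.method:<38} residual {t.residual_loss():>10,.0f}")
    for category, value in residual_by_category(REGISTER).items():
        print(f"  {category:<28} {value:>10,.0f}")
    # A policy limited to business interruption and loss of funds leaves the rest uninsured.
    covered = {"business interruption", "loss of funds"}
    print("uninsured exposure:", f"{uninsured_exposure(REGISTER, covered):,.0f}")
```

The ranking by residual rather than inherent loss is deliberate: step 5 credits the controls already in place, so a well-protected asset with a large inherent loss can rank below a weakly protected one. The per-category split is what the insurance conversation in the article needs, since it shows how much expected loss sits in categories a given policy excludes.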