Evolving cyber risk management: A broking opportunity

Cyber risk is not just an IT concern. And it is not only about prevention anymore, it’s also about the response, say experts at a recent cyber risk symposium. Are your clients up to speed?

Peter Sparkes, senior director cyber security services Asia Pacific & Japan at Symantec, says he sees three types of businesses: the blindfolded where no one knows what to do in a cyber incident; the aware, who have an incident plan and an idea that it’s not just an IT problem; and the prepared, who really understand that the whole organisation needs to get involved.

“We may have a majority who are blindfolded to aware, but not a lot are prepared,” he told the audience at a recent Aon Cyber Risk Symposium in Sydney.

This should be a concern since 37 per cent of businesses said they had a material or significantly disruptive security exploit or data breach in the last two years and studies have found 90 per cent have suffered a cyber attack of some kind, Aon reported in its One Brief publication.

Kevin Kalinich, global practice leader, cyber/network risk at Aon Risk Solutions, noted too that losses due to business disruption from intangible assets have surpassed that of tangible assets – $207 million compared to $98 million respectively.

Further, he pointed out that there was no direct correlation between exposure to cyber risk and the size of the company.

Clearly, brokers here have an important role to play. “I think the role of the broker can be to aggregate as many objective facts and provide intellectual capital to clients to educate them on what the potential losses are that could affect their financial statement,” Kalinich told Insurance Business.

One aspect that he emphasised at the symposium: “It’s not only about prevention anymore … it’s also about the response. A business should identify the people required in the response team, including the lawyer, IT staff … this can reduce the total cost … from an incident. There is a direct correlation between resiliency of a company and the communication of an incident.”

Aon notes in One Brief: “A cybersecurity plan which does not include ways to react to and recover from breaches is incomplete. Any plan needs to combine technology solutions with insurance, staff training, plans of action, and practice cyberattack drills.”

Importantly, cyber security needs to come from the top.

It has to be a boardroom issue, “with members of the C-suite developing overarching strategies to protect their company’s assets, reputation and bottom line”.

“In today’s interconnected world, preventing, mitigating and managing cyber-related fallout simply cannot be done in silos. Organisations need to solve these distributed problems with an integrated approach and solution,” Aon said.

“The key is a more holistic approach – making the risk manager the hub of activity across the assessment. This more holistic approach needs to start with the C-Suite – breaking down silos from the center to make their organisations more cyber-resilient.”