As Cyber Security Awareness Month draws to a close, I felt compelled to write a short piece on my experience of client adoption of security related products and services to combat the ever-increasing threats that surround us all, and on the role that Cyber Insurance may play in the future.
I think it is fair to say that during the last few years many have been caught short as organised crime and foreign nation state actors have waged a war of disruption and fraud through sophisticated technical means. The WannaCry outbreak of May 2017, and the NotPetya outbreak that followed in June 2017, certainly awoke many to the reality in front of them, and I certainly had meeting agendas pushed aside as clients became acutely aware of the potential risks and impacts that could directly befall them.
It must be noted that a devastating attack against a company or individual is not necessarily undertaken by organised crime or a nation state. With many tools and techniques available for minimal cost on both the open and dark web, plenty of ‘normal’ citizens have taken to exploiting those around them; it could be said that it is very easy to ‘go to the dark side’.
Certainly, I have seen adoption of cyber security related products, services and policies increase month on month across the board, in all industries; but what does that mean? There is definitely no silver bullet, everyone’s ‘crown jewels’ are unique, and there is great disparity of knowledge within the industry as to the best approach to securing and protecting valuable data and information. The sand is shifting underfoot almost daily: where will the next exploit be?
I have been a huge advocate of Cyber Essentials for many years and, whilst uptake was slower than expected (or than it should have been), it has been gaining momentum, with companies increasingly required to hold it for contract award. The controls it contains will help companies protect themselves and dramatically reduce their risk from common online threats. So why has adoption been slow? I believe for two reasons: firstly, an attitude that it ‘only happens to someone else’, and secondly, because there is no budget.
So, addressing the first: I have seen first hand the impact, financial, corporate and, arguably more importantly, mental and physical, that being the victim of a cybercrime has upon an organisation and the individuals within it. A cyber compromise can happen to anyone and any company regardless of budget and intent. We have seen increasing evidence of this in the media, which seemingly revels in the plight of others yet does not show the wider impact on smaller companies and the individuals affected. In the immortal words of Admiral Mike Rogers, former director of the NSA, “it’s a question of when, not if” for us all.
The second: no budget. Traditional IT spend is easy. As with heat, light and power, we know we need to equip our staff with technology so that they can operate and be productive, and this is easy to budget for. Protecting them from threats, and from themselves, is often not addressed, so budget must be set aside if security is to be maintained and the far greater financial burden that follows a breach is to be reduced.
So where might Cyber Insurance assist and drive adoption of Cyber Security control within a business?
Certainly, we are already seeing that premiums for both Cyber and Professional Indemnity insurance may be reduced where a company can demonstrate that it has adopted security policies and implemented security controls. As Cyber Insurance evolves from where it is today, one likely development is a mandated requirement to train staff, and to demonstrate that training, alongside continual assessment of the technical IT security posture. This will come at a cost: you get what you pay for, and the apparent industry culture of stacking high and selling low will change as the volume of claims increases, which it will.
I believe that Cyber Insurance may also be driven by our customers and suppliers where data is shared between us. A requirement to demonstrate to partners the amount of cover in place to mitigate a potential breach is inevitable as more business leaders come to understand, and take ownership of, the risk that their decisions relating to security have a significant commercial impact.
I have more views, but my train is getting in and I have run out of time. I may well write more on the subject in the future as my interest in it grows, but whichever way one decides to engage with Cyber Insurance, I expect that engagement will be unavoidable, and the devil in the detail about what is covered and, more importantly, what is not, will make and break companies and their commercial relationships.