Airmic 2016: Understanding cyber risk landscapes


Pre- and post-incident loss testing is of paramount importance if companies wish to prepare for a cyber attack, and company boards should be more involved with cyber exposure prevention, according to the Cybercrime Research Institute.

Director Dr Marco Gercke and his colleague Peter Hacker, partner at Distinction Global, a specialised unit of the Cybercrime Research Institute, demonstrated a cyber attack simulation involving a mock-board under pressure to make real-time decisions during the Airmic conference 2016.

Attendees heard how stress levels needed to increase to get the board ready as "you can't prepare for a cyber attack if you do table-top exercises".

"Cyber crime is board-level catastrophe management," continued Gercke, who explained that a cyber attack wouldn't take place on a Monday morning when the company would be ready for it, but most likely some time at the weekend.

Speaking later to Post, Hacker said insurance companies needed to "understand their risk landscape" and assess the value of a company in terms of digitalisation, disruptive technologies such as cloud computing, and artificial intelligence.

He explained how these aspects are "all built around aspects such as brand, reputation, IP, customer base, data" and that company boards needed to understand that connection and equip themselves with the appropriate protection.

"Whether it's a small company or a bigger company, the process remains the same, which is an enterprise risk approach. This risk class is a risk class you can't prevent. We can't prevent it so let's talk about mitigation from a technical point of view which might mean IT security or risk management or insurance.

"Many companies are buying for many different lines of businesses today and they don't match these lines of businesses to their overall exposure in the lines of cyber," said Hacker.

Hacker strongly recommended investment in enterprise-wide risk management. Insurance, he said, "is a little cherry on a cake and all the cake ingredients are the ones in the ERM chain itself".

For companies that take the route of insurance, there is only one viable method to consider, according to the cybercrime expert: an all-risk approach.

"This is the best way of doing it," stated Hacker, who explained that stand-alone cyber policies were "not possible" because "technology develops so quickly, you can't name the risks".

Hacker called for the insurance industry to invest more in quantitative claims data and stress-testing, and to create products which are sustainable: "If there is a cyber claim, normally, in a real incident, it's a big one. It's not a small one. Cyber has a high potential severity risk - it can be very big, and it has the potential of high frequency as well, so it's the nightmare for any insurer to price because you can have both."

"The conundrum at the moment is: the insurers have products which are responsive rather than proactive; they are not based originally on the risk of the [company], they are based on how they perceive the risk based on the way the lawyers develop the policies.

"And corporates have the conundrum that the risk manager very often is still not perceived as a party which belongs to the [board] table or is respected by IT security, for instance, to have a proper conversation around cyber crime and cyber security."

Hacker continued: "This type of risk is a board decision risk because with enterprise-wide risk management, if you don't cope with your fiduciary duties you expose yourself, you expose your company at the end of the day, because your shareholders will come after you."
