Technology expert says a proper risk assessment is essential and firms should assume they will be breached
Cyber risks are predictable if firms do a proper risk assessment, according to Trend Micro chief technology officer Raimund Genes.
Genes told a recent gathering of risk and insurance professionals at Singapore’s Westin Hotel that firms needed to stop focusing on “rubber stamping” and PCI compliance, and instead accept that being breached is inevitable.
“Every day we now see in our lab 300,000 new malware. This clearly tells you that the traditional antivirus systems do not work,” he said.
But Genes cautioned against believing the hype that antivirus is ‘dead’.
“[Antivirus] isn’t as efficient any more but you do still need it as it filters out all of the noise of spam and malware,” he said.
Genes said firms needed to do a proper risk assessment to identify where their core data is and what could happen if it is compromised.
“Based on the risk assessment, you then need to see what the risk appetite is of the board: what [data] could leave the company and it stays alive. What can absolutely never leave?” he said. “When you have done this, then you can pick the tools for your risk mitigation.”
But the biggest mistake is choosing a one-size-fits-all approach for cyber protection, Genes said.
“Forget about treating all of your systems as the same. Desktops, notebooks, mobile devices, servers all need totally different types of protection,” he said.
Genes also recommends using a breach detection system.
“It will not stop a breach, but the average time from a breach to a detection of a breach is over 250 days nowadays and that’s way too long. You want to know as soon as possible that your organisation has been breached and which systems have been breached so you can take action.”
Emerged risk but an emerging insurance product
In a subsequent panel discussion chaired by StrategicRISK’s Asia-Pacific editor Jessica Reid, it was said that cyber could no longer be considered an ‘emerging’ risk, but it was still an emerging insurance product.
It was agreed that cyber insurance policy uptake was still low in the region, especially compared to that in the US.
This is due to a lack of historical data with which actuaries can price the risks accurately, and to the potentially systemic nature of cyber, delegates heard.
Zurich Global Corporate global broker relationships leader Steve Robertson said: “There are certainly challenges for insurers when it comes to cyber insurance, with many organisations complaining about the price and whether it provides the right coverage given the rapidly changing nature of cyber threats.
“One of the key items we help our customers with is a cyber risk assessment - to identify where the vulnerabilities are and to see what can be done from a risk management perspective to improve the risk profile. In this region we currently use third party expertise to provide such advice.
“A further challenge is that currently there’s not enough history. The reality is that insurers require large premium volumes and large policy counts so that the actuaries can better price the exposure. Apart from North America, uptake of coverage has been relatively low. It’s a bit of a catch-22 situation – we need more organisations to take out policies so we have more claims data in order to then appropriately price an organisation’s cyber risk.”
Other topics discussed included how risk managers could incorporate internal stakeholders into their programme and achieve buy-in; breaking down the silos and bringing functions together; and how to reduce the disconnect between boards and their IT departments.
The StrategicRISK Singapore risk forum was sponsored by Zurich.