StrategicRISK’s survey results indicate that risk managers are increasingly turning to insurance to stem the flow of concern around cyber attacks


A majority of Australian risk managers are considering an insurance investment in the next 12 months to protect their cyber and technology exposures, according to a recent StrategicRISK survey.

Some 54.5% of respondents are considering insurance for targeted cyber attacks, both internal and external; 38.9% are considering cover for a non-malicious loss of critical/customer data, while 20% are considering cover for failure of critical IT systems.

The results echo the findings of Aon’s 2015 Asia-Pacific Cyber Impact Report, which found that Asia-Pacific companies are only protecting 13% of their information assets compared to 49% of property assets.

“The results from StrategicRISK’s survey reinforce that cyber is a complex risk issue that has become a leading concern for many organisations,” Aon cyber risk practice leader Eric Lowenstein says.

“With its potential to cause major financial and reputational damage, cyber is a boardroom issue, not simply a problem for the IT department.

“There is a significant need for organisations and boards to become more aware of the threat that cyber risk poses to their bottom line, and brand and reputation.”

Lowenstein says some overseas cyber criminal networks have sophisticated business models with established business strategies, executive management teams and even employee health plans and performance reviews.

“[Cyber risk] is not going away, particularly as Australia moves up the ranks to become a number one target.

“The [StrategicRISK survey] results emphasise there is an appetite for more information and solutions around cyber-related issues,” says Lowenstein.

But not all risk managers are convinced about the merits of cyber insurance.

Lend Lease group head of risk and insurance Kevin Bates says that although cyber risk is one of his top concerns, he’s never seen a cyber insurance product “that does anything I need it to”.

“There are a number of other lines – be it your ISR (industrial special risks insurance), property (insurance), GL (general liability insurance) – you will have some level of coverage for a cyber risk if it’s an infrastructure-related issue,” he says.

Bates warns that a cyber attack could impact the personal information of clients and an insurance product is not going to solve problems caused by that breach.

“I’m a big fan of the human firewall in terms of educating your staff. The human firewall is the first line of defence and that’s what everyone has got to get better at,” he says.

Lowenstein suggests four key steps when developing a cyber-risk mitigation strategy: manage the process, identify the risks, understand the risks, then work closely with partners such as insurers and specialist lawyers.

“Cyber is an exposure that exists across many parts of the organisation. The development and implementation of an effective insurance programme requires a project champion who can manage the process across every level of management,” says Lowenstein.

“A comprehensive and analytical approach is required to identify the number of potential cyber exposures within the organisation.


This article was first published in the Rims Australia Special Report, published by StrategicRISK.


Expert view on cyber

By Costa Zakis, general manager Pacific, Marsh Risk Consulting

Cyber risk is considered by some as a new risk to be managed. I have a differing view that cyber-related risk has been with us for some time but it is certainly more front-of-mind for many today as we are becoming more technology dependent in our work and personal lives.

Access to, interest in and reliance on technology have never been greater, so we should rightly broaden our views to cater for this change in technological and cyber reliance. But, in a sense, cyber is only a medium, whereas the risks of data, information and system security have been there for some time.

In a broader sense, the evolving risk landscape needs to take into account our ability to adapt to change in the way we work, the clients we service, the people we work with, the resources available to us and the overall environment we are in.

We have always considered assets, people, services, finance, governance and the like, but the evolving landscape needs to look at how all of these are changing, the impact this has on our business environment and how we manage more concurrent and interconnected risks.

Our traditional risks are still there, but the evolving risk environment will consider items such as managing the rate of technological and societal change; managing a highly mobile and physically separated workforce; recruiting, training and maintaining a suitably skilled contemporary workforce; managing the ever-growing volume of information that we generate and collect; and understanding the increasingly complex world of international governance and how it relates to how we conduct our business, manage and protect our information and delivery of services.

Not one of the risks is simple and easily solved, but each has a significant bearing on how we operate our businesses and each is a good example that risk is never static but always evolving.