Businesses that enhance customer experience through technology also dramatically increase their risk of a cyber attack, experts warn.
As companies strive to enrich their customer experiences through a spectrum of endpoints, ranging from mobile devices to automobiles, the attack surface has increased dramatically. With this ever-growing threat landscape comes a proportionate increase in the impact that cyber attacks have on enterprises and the customers they serve.
A cyber incident can be financially crippling – with costs ranging from business interruption, major security impacts, incident response, third-party claims and legal costs to customer notification expenses, damage to data and fines – not to mention damage to brand and reputation.
Former head of cyber security business services at Australia Post and now co-founder and chief wayfinder at Cynch, Susie Jones says: “The surface area of a cyber attack absolutely increases as the company adopts more technology, whether this be for the purpose of improving customer experience or for realising efficiencies within their operations. Particularly as more businesses utilise third party software-as-a-service (SaaS) or platform-as-a-service (PaaS) solutions, a business finds themselves with more things they need to manage and secure, as well as more vendors they need to assess and negotiate with. All of this increases the surface area of attacks, which should be weighed up against the potential benefits of adopting the technology.”
Aon’s cyber insurance practice leader, Michael Parrant, agrees: “We have got vehicles now which are becoming more and more reliant on technology. In fact completely driven by technology and the threat surface from that is exponentially bigger than what it was. We are talking about a world which could potentially be weaponised very quickly and very easily if things got out of hand.”
When it comes to cyber attacks, size doesn’t matter, says Jones. “All businesses, big or small, should work towards having a clear understanding of all technologies utilised throughout the company (whether sanctioned by the company or introduced by employee-direct actions), and how they are interconnected.
“They should then prioritise the systems that are most critical to their business, and work to protect them. Simultaneously their assurance teams should work with procurement and legal to ensure the third party contracts they are agreeing to provide the right level of protection and access to data and information in the event the third party is breached.
“Finally, without the ability to detect a breach has occurred the company is flying blind, so it’s important to also begin monitoring any technology being utilised that touches critical data or operations so you know as soon as you have to respond.”
“At Cynch, we recognise the expertise and methods required to do this in a small business is very different to an enterprise, so our membership has been designed to support the business owners themselves throughout this journey and educate them on the steps they need to take along the way,” Jones adds.
From an insurance industry perspective, Parrant says the industry has traditionally been treating cyber attacks as a “new world issue with old world challenges,” meaning they have had to completely change the way risk is transferred.
“We are talking about things that you and I use on a daily basis, however, our interaction with those items is now completely different so it takes a different thought process to manage these sources of exposures. Traditional insurances aren’t necessarily the right solutions all the time.”
Parrant said the current process of getting a fully-equipped cyber policy placed can take a very long time. “These are concepts that haven’t necessarily been considered in full by the insurance market yet. What we are doing from a cyber cover reach perspective or from a cyber insurance perspective is we are taking cyber as a threat, and starting to treat it as a proper peril because many insurance policies are predicated on a peril basis.”
Parrant said the benefits of a standalone cyber policy mean the business is isolating a risk that could potentially be devastating financially.
“The benefit of this type of policy is that you are reassessing your cyber exposure separately with certainty you’ve got other policy lines that treat your traditional risks. You also know that, as best as is physically possible, you’ve got an insurance policy which treats these new age, new world exposures which are not yet quantified.
“By doing this, you’ve isolated your limited indemnity so you’ve still got your whatever it may be, a billion, 2 billion, 5 billion, limits for those other lines of insurance and you’ve got this ring fenced protected limited indemnity just for that cyber exposure.