Risk managers in APAC must focus on the ‘pillars’ of cyber risk management if they are to effectively mitigate this growing threat

This is the opinion of Kym Beazleigh, financial lines manager at Zurich Australia, who spoke to StrategicRISK about the findings of an Advisen report on cyber risk management practices in the Asia-Pacific region.

Sydney-based Beazleigh explained that these pillars included ensuring that a written information security policy was in place and informing all staff about their responsibilities under privacy legislation.

Penetration testing of system vulnerabilities should be conducted at least annually, he advised, “to ensure that firewalls, system security and data breach response plans are up to date and more importantly effective when an attack occurs”.

Encryption of all mobile devices used outside the office environment was also vital, he added.

“Too many businesses overlook this key risk function and focus internally only with respect to core IT systems,” Beazleigh said.

A formal, written business continuity plan that was communicated to all staff and updated regularly could help to ensure everyone was aware of how the business would operate in the event of a data breach or privacy event disabling IT access, Beazleigh suggested.

“It is important to understand how the business will continue to function post a denial of service type attack,” he said.

Lastly, the creation of an established partnership with a third-party IT security firm could establish “a framework to report on the effectiveness of all of the above risk management controls and provide tangible data to work with and improve on moving forward,” Beazleigh said.

Slower with strategies

The Advisen report, 2014 Network Security & Cyber Risk Management: A survey of enterprisewide cyber risk management practices in the Asia-Pacific region, found that APAC companies were generally slower than those in Europe and the US to adopt certain cyber risk management strategies, including those for threats associated with social media, cloud computing and mobile devices.

Beazleigh said that cloud computing was an emerging exposure as more and more businesses looked to outsource certain data security functions to ‘specialist’ cloud providers.

“Given that most market-leading cyber policies in the APAC market extend to include coverage for outsourced service providers under certain scenarios, then it is clear to appreciate the need to fully understand the implications of outsourcing such functions to a cloud,” Beazleigh said.

“It is critical that all risk managers seek to vet any cloud providers to ensure that they adopt the same rigorous framework highlighted above as a minimum requirement in order to consider the outsourcing of grouped services.”

Beazleigh told SR that a large corporate customer recently advised Zurich that it had undertaken a cyber risk audit with an external consulting company and would adopt all recommendations for risk improvements within a six-month period.

“They will continue to utilise the consultancy services on an annual basis for cyber risk management advice and have asked us to consider a discount on premium at this renewal to put towards a three-year risk management improvement plan, which they feel will improve them as an overall cyber risk,” he said.

The Advisen report found that 96% of respondents believed cyber risks posed at least a moderate threat to their organisation. However, as Zurich Australia’s chief information officer Scott Watters explained, less than one third of organisations surveyed currently had cyber liability insurance as part of their risk management strategy.

“This mindset has to change,” Watters said.

“Risk professionals need to talk to their broker or insurer and understand how they can protect themselves against specific risks.

“We know the market hears it all too often but reputational damage can be one of the most serious and lasting impacts of cyber risk. Just one attack on a vulnerable system can undo years of reputation and brand building.”

Stacking sandbags

In related news, a recent industry paper on future cyber risks for the global IT industry compared implementing preventative cybercrime measures to the hopelessness of forever stacking sandbags to protect against a severe hurricane.

The April 2014 report, Global interconnections of cyber risk: impact on the information technology industry, is part of a series on global aggregations of cyber risk from Zurich and the Atlantic Council. It warns that a single set of principles alone will be insufficient if anticipated global internet failures hit.

It finds that no company, not even in the IT sector, can completely secure itself against interconnected and complex cyber shocks.