Digital transformation and the impact of insurance
Once an organisation has deployed robust technology defences, educated staff about the risks of cyber-attack, and promoted policies about how to react and respond to cyber events, it has laid important foundations for its protection.
Those people, process, and technology foundations provide a platform from which the organisation is able to negotiate appropriate and cost-effective cyber insurance.
By analysing the potential impact of an attack on the financial statement, the organisation can determine what coverage it requires.
Kevin Kalinich, Aon’s global cyber practice leader, advises organisations to look at the industry in which they operate and benchmark the range of losses that could arise, knowing the value of data assets held and the impact of a cyber-attack in terms of business interruption, the impact on supply chains, on SCADA industrial control systems, on reputation and brand.
The anticipated introduction of mandated data breach notification should spur action, and organisations with international operations need to ensure that they are properly protected in all the geographies in which they operate. Based on international experience, mandated breach notification leads to significant costs associated with legal services, regulator notification, customer notification, forensics, remediation and, potentially, compensation claims.
“Take steps to mitigate, to allocate liability or minimise your own liability. This is not all about prevention – it is about your response. If you have prepared a response, there is data that shows you can reduce the total cost of an incident,” says Kalinich.
He also warns that organisations should not assume their existing insurance policies provide any coverage in the event of a cyber-attack, nor that a third-party information systems provider, such as a cloud computing vendor, would have them covered. Similarly, existing directors and officers policies, and professional indemnity coverage, might prove inadequate should a cyber-attack take place.
In order to properly analyse the risk profile, Kalinich advocates risk quantification modelling in combination with Monte Carlo evaluation techniques. The resulting macro-level understanding of the challenge allows an organisation to then work with an insurance broker to craft appropriate risk coverage.
Off-the-shelf policies have limited value; base cyber insurance policies can cover external hacks, malicious code and internal mistakes, but may not cover the impact of a bug in the system. Consequential (punitive, incidental) costs are excluded from all base insurance policies, as is tangible property damage, but they can be negotiated in a customised policy.
Effective cyber insurance policies also cover costs associated with legal support, communications costs, forensic analysis, notification and remediation services.
Kalinich warns, however, that given the changes in the legal landscape and the technology terrain, this is not a set-and-forget requirement, noting that risk assessment needs to be both thorough and regular.
Armed with that insight, the organisation can work with an insurance broker to find, tailor and stress-test a cyber insurance policy to ensure the effective reduction of enterprise risk.
Cyber risk: are you properly prepared?
There are four key questions that every organisation needs to address regarding cyber risk and protection:
- What can go wrong?
- How bad can it be?
- How am I protected?
- Will my insurance work?
Assessing the organisational risk profile requires input from multiple stakeholders, including the Chief Financial Officer, Chief Information Security Officer, risk management head, and legal counsel. External consultants can also provide a fresh lens through which to explore exposure.
Knowing the risk is one thing; dealing with it effectively also demands the support of the most senior management and the board. Effective security requires a whole-organisation commitment from the top down.
The anticipated mandatory breach notification legislation will require organisations to alert authorities not only when they are aware of a breach but also when those organisations “ought reasonably to have been aware”, which suggests regulators may penalise companies found to have inadequate security systems. It is also not yet clear whether there will be any extra-territorial implications of the legislation for organisations operating overseas branches or subsidiaries.
Cyber security is a critical issue for organisations of every scale and in every sector. Robust and comprehensive security frameworks, a well-crafted response plan, and effective cyber insurance, developed in concert and reviewed regularly, deliver the maximum protection and an important competitive edge.
Aon cyber security summit, Aug 16
Aon’s Cyber Risk Symposium, held across Australia recently, delivered important clarity regarding the global threat environment. Working with partners DLA Piper and Symantec, and leading cyber security experts, Aon reflected on the legal influences on the cyber risk landscape and the technology solutions and strategies available. It also explored the growing role played by cyber insurance in underpinning safe and sustainable business models.
Aon plc (NYSE:AON) is a leading global provider of risk management, insurance brokerage and reinsurance brokerage, and human resources solutions and outsourcing services. Through its more than 72,000 colleagues worldwide, Aon unites to empower results for clients in over 120 countries via innovative risk and people solutions. For further information on our capabilities and to learn how we empower results for clients, please visit: http://aon.mediaroom.com.