
Cyber Risk and Cyber Insurance – Insurance challenge to the CIO as corporate Cyber Security Effectiveness manager

[By Cesare Burei, Margas, courtesy of @CLUSIT – Rapporto Clusit 2017 – All rights reserved]

Until corporate Risk Managers who deal with Cyber Risk, and there are not many of them, are at work at every level, who should be entrusted with the management of Cyber Risks and, more specifically, with the transfer of that risk to the insurance companies? The answer is a joint round table led by the CIO.

The Clusit Report 2016 set out the basic terminology, key features and usefulness of cyber policies in a Focus On section dedicated to insurance in support of so-called Cyber Risk management. The authors implicitly addressed the CFO, the officer who usually supervises insurance matters in a company.

One year on, the daily dealings between businesses, insurance brokers and ICT consultants have highlighted the following elements:

  • Cyber Risk includes the incident/attack and all of its direct and indirect consequences
  • Awareness has increased that Cyber Risk reaches well beyond the walls of EDP, into a digital ecosystem made of interconnections and of interdependence between processes, people and now objects (IoT)
  • Risk Management, meaning risk analysis, mitigation and insurance transfer, has become increasingly important
  • Business interruption, loss of reputation and data loss/unavailability are the most frequent issues for businesses

This gave rise to a twofold survey in the North-East of Italy, which resulted in the “Enterprise Cyber Risk Exposure & Insurance” report¹ by Via Virtuosa, in collaboration with Margas for the insurance part, published online at the end of 2016 and hereinafter referred to as the “White Paper”.

The first survey outlines, through the answers given by CIOs and Systems Administrators, the risk exposure of companies, so that CFOs and CEOs can become aware of the central role of the Cyber Security activity, whether managed in-house or outsourced. The second survey, also carried out with the help of the CIO, who has to assess the risk and the protection levels in place, tries to gauge how well the insurance transfer is known and understood.

The results highlight some aspects that show the key role of the CIO in the transition from the management of ICT security to cyber risk management for the whole company; the transfer of the so-called “residual risk” to the insurance company is the final, fundamental component of such management. For this reason, the white paper includes some basic information on the Italian insurance market and, above all, thanks to the 18 questions that three CIOs agreed to ask, 18 useful answers that allow people to approach the purchase of an insurance policy with greater awareness.

¹ The “Cyber Risk Exposure & Cyber Risk Insurance” white paper is the result of the joint efforts of Luca Moroni and Cesare Burei. It also includes the contributions of CIOs E. Guarnaccia – BPV | M. Cozzi – Hypo Bank | A. Cobelli – ATV | and the answers to their 18 questions on cyber-insurance. The risk exposure survey was carried out over the three-year period 2013-2016, while the one on Cyber Risk Insurance was carried out in summer 2016. The white paper can be downloaded free of charge from www.viavirtuosa.com/whitepaper and supports the “Generation Z” survey on online security and the prevention of risk for minors: https://www.facebook.com/ProgettoGenerazioneZ/

Cyber Risk Insurance. Why?

The certainty that it is not possible to defend oneself completely from Cyber Risks requires such risks to be managed, and the relevant tools to be correctly assessed in terms of costs and benefits. In short, it is a matter of balancing the impact of a cyber or cyber-related adverse event, the money spent on the management/insurance process and the preservation of business margins.

Source: L. Moroni – “Cyber Exposure & Cyber Risk Insurance” White paper presentation at Infosek 2016 – Slovenia

On the occasion of the Security Summit, and thanks to the Clusit Report, many figures and percentages were made public to describe the overall state of cyber insecurity; all of them underscore that no system is 100% safe.

Source: CHUBB Claim Trends 8/2016

It is possible to be proactive, with effective and appropriate investments in the reduction of corporate risks, in order to be prepared to deal with incidents and the costs/damages they engender. Insurance policies turn an uncertain, often unsustainable cost/damage into a planned and sustainable cost/premium. The choice must therefore be based on a careful assessment during the prevention phase, so that the policies truly act as a financial and economic parachute, allowing the company to avoid closure and remain competitive after the incident by providing the appropriate tools to compensate balance-sheet losses and recover the brand's reputation.

Source: CHUBB Claim Trends 8/2016

Cyber Risk Exposure and Cyber Risk Insurance

Cyber Risk Insurance, a policy or set of policies that “cover” the damages and costs generated by a cyber or cyber-related adverse event, makes no sense if there is no awareness of one's own risk exposure and therefore no attempt to adopt measures that mitigate it.

The risk exposure survey results

The risk exposure survey carried out by Via Virtuosa over the course of 3 years, and synthesised in the White Paper, “rather than highlighting an individual company's positioning and risk exposure, focuses on the statistical trends of the interviewed sample, in this case companies in the North-Eastern part of Italy, against a reference Base Line (Red Line). The measuring method used is strictly objective (as is the case for the ISO 2700x family) and the same for the whole sample group, even though it was considerably simplified. The method in question is the one adopted by the European Union Agency for Network and Information Security (ENISA).”

Those who fall in the yellow section at the top right of the chart have a significant risk exposure, with a potentially disruptive impact on their business. Those who find themselves in this section are invited (as per the Method) to “outsource their risk”.

This research highlighted the following aspects:

  • There is a high level of corporate Cyber risk that has a direct impact on business continuity.
  • The IT department is usually aware of the issue, but is faced with an almost total lack of managerial attention from the corporate board, which translates into a dearth of investment.
  • There is no objective measure of the Cyber risk on the part of enterprises.
  • Objective indications of the need to transfer the Cyber risk outside the company emerge.

The results of the CIOs and Cyber Risk Insurance survey

The sample of this second survey contained a prevalence of subjects from the industry and services sectors (40% and 35%, respectively), with turnovers exceeding 20 million Euro (75%) and with over 100 employees (50% between 100-500 and 30% > 500).

This suggests that aspects such as Reputation, Business Interruption and Sensitive Data management may be critical for them.

In the survey, IT Managers were asked, first of all, about the degree of board commitment to the creation of a corporate security team, and whether ICT security is considered an integral part of the general security approach or merely a possible source of costs and damages (questions 1, 4).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

Then, the same subjects were asked to do something that was probably unusual for them: talk to their respective CFOs in order to answer the question on the presence of insurance policies that ought to be taken into consideration with regard to the criticalities highlighted by the risk exposure analysis (question 3).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

60% of the interviewed CIOs were involved in a wider approach to security. Again, in 60% of cases the CIO had not, up to that point, taken an interest in insurance policies (q. 2), and even though in 80% of cases nobody in the company had thought to ask him about the impact of a possible incident (q. 4), he had a clear idea of its origins (q. 4) and was able to identify the sector that would suffer most from a business interruption (question 8).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

The CIO deals with ICT security: he monitors vulnerabilities (60% of cases) and the Business Continuity and Disaster Recovery plans (50-60% of cases), but deals very rarely with reputation crises (18%), the formalisation of procedures/policies (28%) or standardisation (12%).

It is a positive sign that the CIO receives requests for information concerning ICT security management (question 7) first of all from inside the company (over 70%), then from external auditors (over 28%) and from customers and ICT suppliers in equal measure (23-24%). The latter percentages may increase in future, leading to supply chain control both in terms of virtuous management and of insurance; in any case they constitute a good foundation for a Cyber Risk Management policy.

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

39% of them state that they know of security incidents that occurred in the last 5 years. An analysis of the causes shows that such incidents are attributable, in roughly equal proportions, to (external/internal) attacks, with a prevalence of ransomware (as more than 50% declared), to (internal/external) human error and to failures (question 9).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016


What question 8 revealed about the CIO's opinion of the worst impact of a stop of ICT activities, namely on the Administration/Accounting (over 80%), logistics and deliveries (73%) and sales (60%) departments, brings the authors back to the value and meaning of insurance transfer: failure to pay suppliers, failure to take orders or failed deliveries can assuredly hurt the bottom line in the short, medium or long term.

“Virtuous” companies, that is to say, those that have adopted Cyber Risk Management policies, can therefore deal with the insurance companies in full awareness of the residual risk that needs to be transferred, especially with regard to business interruption, intentional/accidental cyber events and general or professional third-party liability, and can also correctly assess the reputation risk where necessary.

With the CIO at the Cyber Risk Management round table

The results of the survey show that the CIO can act as a “cultural mediator” for the company, with the help of a competent insurance broker.

Below is a brief synthesis of the activities of a hypothetical operational round table on the management of cyber risk:

Cyber Risk Exposure and proactive approach: knowing the extent and nature of the exposure

  • Identify and quantify the assets and their value
  • Identify the exposure and its value, that is to say, the operating and financial consequences of an adverse event
  • Identify and quantify the investment in mitigation activities
  • Check the insurance coverage of the company and of its suppliers

Now the necessary tools and knowledge to deal with the insurance issues are in place, so it is time to TRANSFER THE RESIDUAL RISK.

Cyber Risk Insurance: transfer the residual risk to an Insurance Company

  • Identify a skilled insurance partner and analyse the corporate insurance position.
  • Check the traditional policies purchased by the company to which the cyber coverage might be added.
  • Choose and structure a Cyber insurance policy that specifically deals with the risk to be transferred and the relevant costs (business interruption, general and professional third-party liability, violation or improper use of assets, defence of reputation, reaction and analysis countermeasures, etc.)

For further details, please refer to the Focus On feature in the 2016 Clusit Report.

The results of the “dialogue” between the CIO and the Insurance Broker – Answers concerning Cyber Risk Insurance

We asked the CIOs of three important companies in the North-East of Italy to put any questions they could think of, so as to make the layman understand the opportunities and limitations of an insurance policy. Here is a synthesis of the answers to the most frequently asked questions (18):

It is necessary to analyse the existing policies and check whether they cover also the ICT issues identified during the analysis;

To date, no shared standard measure of exposure is required. Best practices and certifications for risk mitigation can nonetheless help transfer the risk to the insurance company on better coverage terms;

GDPR and insurance: it will be essential to know whether the company holds Sensitive Data according to the expanded definition of the new Regulation, in which country, and which measures it adopts to defend against data breaches. If the company's own or third-party Sensitive Data are entrusted to a third party, the existing contracts with the relevant supplier must be analysed and the contractual indemnities checked, so that the cost of the actions the GDPR mandates is transferred correctly. If the company writes or customises code, the extent of its corporate (professional, general, product) liability must be assessed quite thoroughly;

Simulate the impact of a cyber adverse event on the bottom line, in terms of cost increases and loss of gross profit. This is perhaps the most critical and underestimated area, the one insurers know as Business Interruption.
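The following model carries the round-table steps above (quantify the exposure, price the mitigation, then transfer the residual risk) through to the Business Interruption simulation just described. It is an added worked example for this page, not code from the Via Virtuosa/Margas white paper or from Clusit; every figure in it (daily gross profit, incident rate, policy terms) is a constructed assumption chosen to make the arithmetic visible, not survey data. The expected-loss figure uses the classic single-loss-expectancy times annual-rate formulation, and the Monte Carlo part draws incidents per year from a Poisson distribution and downtime per incident from an exponential one, both assumptions about the shape of the risk rather than facts from the report.

```python
"""Business-interruption (BI) loss model for a cyber adverse event.

Added worked example for this page. It is not code from the Via Virtuosa /
Margas white paper or from Clusit; every figure below is a constructed
assumption chosen to make the arithmetic visible, not survey data.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Exposure:
    """What an ICT stop costs the company, per day (assumed values)."""
    daily_gross_profit: float   # gross profit lost for each day of stop
    extra_cost_per_day: float   # recovery, forensics, overtime, penalties
    annual_rate: float          # expected disruptive incidents per year (ARO)
    mean_downtime_days: float   # average length of an ICT stop


@dataclass
class Policy:
    """Terms of a hypothetical BI cover (assumed, not a real product)."""
    waiting_period_days: float  # BI cover starts only after this many days
    deductible: float           # retained by the insured on each claim
    limit: float                # maximum indemnity per claim
    annual_premium: float


def incident_loss(downtime_days: float, e: Exposure) -> float:
    """Gross loss of one incident: lost gross profit plus extra costs."""
    return downtime_days * (e.daily_gross_profit + e.extra_cost_per_day)


def policy_payout(downtime_days: float, e: Exposure, p: Policy) -> float:
    """Indemnity for one incident after waiting period, deductible and limit."""
    covered_days = max(0.0, downtime_days - p.waiting_period_days)
    covered_loss = incident_loss(covered_days, e)
    return min(max(0.0, covered_loss - p.deductible), p.limit)


def expected_annual_loss(e: Exposure, mitigation_factor: float = 1.0) -> float:
    """ALE = single-loss expectancy x annual rate, scaled by mitigation.

    mitigation_factor 1.0 = no mitigation; 0.5 = mitigation halves the ALE.
    """
    sle = incident_loss(e.mean_downtime_days, e)
    return sle * e.annual_rate * mitigation_factor


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler: number of incidents in one year."""
    threshold, k, prod = math.exp(-lam), 0, 1.0
    while True:
        prod *= rng.random()
        if prod <= threshold:
            return k
        k += 1


def _percentile(values: list, q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def simulate(e: Exposure, p: Policy, years: int = 10000, seed: int = 1) -> dict:
    """Monte Carlo over many simulated years, with and without the policy.

    Incidents per year ~ Poisson(annual_rate); downtime per incident
    ~ Exponential(mean_downtime_days), so long stops are rare but possible.
    The retained insured loss of a year is gross loss - payout + premium.
    """
    rng = random.Random(seed)
    uninsured, insured = [], []
    for _ in range(years):
        gross = paid = 0.0
        for _ in range(_poisson(rng, e.annual_rate)):
            days = rng.expovariate(1.0 / e.mean_downtime_days)
            gross += incident_loss(days, e)
            paid += policy_payout(days, e, p)
        uninsured.append(gross)
        insured.append(gross - paid + p.annual_premium)
    return {
        "uninsured_mean": sum(uninsured) / years,
        "uninsured_p99": _percentile(uninsured, 0.99),
        "insured_mean": sum(insured) / years,
        "insured_p99": _percentile(insured, 0.99),
    }


# Constructed figures for a mid-sized company (assumptions, not survey data).
EXPOSURE = Exposure(daily_gross_profit=40_000.0, extra_cost_per_day=10_000.0,
                    annual_rate=0.3, mean_downtime_days=5.0)
POLICY = Policy(waiting_period_days=1, deductible=20_000.0,
                limit=500_000.0, annual_premium=60_000.0)

if __name__ == "__main__":
    print(f"ALE, no mitigation:            {expected_annual_loss(EXPOSURE):>12,.0f}")
    print(f"ALE, mitigation halves losses: {expected_annual_loss(EXPOSURE, 0.5):>12,.0f}")
    for name, value in simulate(EXPOSURE, POLICY).items():
        print(f"{name:>30}: {value:>12,.0f}")
```

The figure to bring to the round table is not the mean but the 99th percentile: with these assumed terms the policy costs more than the expected loss in an average year (the premium is loaded above the expected payout, as any insurer's must be), yet it cuts the bad year from a potentially unsustainable loss to a bounded one, which is exactly the “programmed and sustainable cost” the page describes. Changing the waiting period, deductible and limit shows how much of that tail the company keeps.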

To conclude, it is clear that the Cyber Risk Management approach must rest on close cooperation between the corporate risk owners, the CIO and the CFO, and on a virtuous supply chain that includes customers and suppliers. It also needs the help of IT professionals expert in Cyber Security management and implementation, and of brokers expert in cyber matters, who can support the company in choosing the right balance between costs and insurance guarantees.

Contents on http://www.clusit.it/rapportoclusit

Get the full report contacting rapporti@clusit.it

Copyright 2017 @ CLUSIT

All rights reserved to the authors of the Opera and Clusit

Any reproduction even partial publishing without the written permission of CLUSIT is forbidden.



Anastasis Vasileiadis

PC Technical || Penetration Tester || Ethical Hacker || Cyber Security Expert || Cyber Security Analyst || Information Security Researcher || Part-Time Hacker || Child Pornography & Sexual Abuse Combat
