Who can forget the famous lyrics to the 1968 Noel Harrison song “The Windmills of Your Mind”? Mirroring many other facets of life, cybersecurity is “[L]ike a circle in a spiral, like a wheel within a wheel, never ending nor beginning.” As the threat landscape changes, as risk appetites shift, and as new regulations come into being, your organization’s approach to cyber risk must continually adapt as well. Add the new European General Data Protection Regulation, and it is clear that now is the time to be discussing these issues.
Oversight of cybersecurity has become a board-level responsibility. What cybersecurity actually means for the business, however, is often still something of a mystery to some of those who hold that responsibility.
Some corporate directors struggle to answer questions such as:
- What is our ability to prevent, detect, contain and respond to a cyberattack?
- How should our internal departments, such as information technology, legal, and communications, work together when an incident occurs?
- What is our overall risk tolerance?
- How does our level of preparedness compare to our competitors?
- What is the potential impact of a cyber incident to our balance sheet?
- What is the return on investment for additional security controls compared to the cost of obtaining cyber insurance coverage?
After last year’s major ransomware attacks, business interruption has become a topic of discussion in many corporate boardrooms. Total economic losses associated with WannaCry are estimated at $8 billion, with half a billion dollars of that attributed to business (network) disruption. Yet there seems to be a lack of ideas on how to mitigate that exposure, how to assess and measure a potential business interruption risk, and how to evaluate this issue with suppliers.
One element of a mature cybersecurity program is cybersecurity insurance. While this is an important spoke in the wheel, it’s also important to understand that it is only one part of the whole.
There is a misconception about what cyber insurance actually is and, almost more importantly, what it is not. Recently, I talked with a medium-sized business about cyber insurance, and their thinking before our meeting was along the lines of: “if we purchase cyber insurance, we no longer need to invest in a cybersecurity program. After all, we will be insured.”
Even though such statements are rare, and would surely not come from any organization that has reached some degree of cyber maturity, it took me by surprise. Yes, risk transfer is important, but only as part of a broader approach to cyber resilience. In a world where systemic cyberattacks are becoming more frequent, nobody wants to be the low-hanging fruit.
In a nutshell, traditional cyber insurance is aimed at the financial impacts associated with a security or privacy event: the direct costs of managing the event, loss of income, payment of extortion demands, and liability, including regulatory fines and penalties in jurisdictions where such costs are insurable.
Cyber insurance itself is not a single coverage. It can be packaged in a number of different ways to match an individual client’s insurance buying strategy and evolving cyber threats, risks, and emerging impacts. It can be a combination of first- and third-party offerings, responding to the direct losses of a cyber event as well as claims asserted by third parties.
It is also important to say what this type of insurance does not address. Cyber insurance does not replace a cybersecurity program and does not remove the need for good security controls. In fact, some policies may require demonstration of certain cybersecurity best practices as a condition of indemnification. To manage cyber risk effectively, organizations should have both an effective security program and insurance in place for when defenses fail.
Like all other risks, cyber risk should be treated as a continuous management cycle, not a one-time mitigation exercise. The cycle starts with determining the current risk posture: the likelihood of cyber threats, their potential impact, and the security controls currently in place.
Risks that exceed the internally-determined risk appetite are then mitigated with additional controls, and the cycle begins again, continuously, as the lyrics to “The Windmills of Your Mind” suggest.
As is the nature of risk, it is almost impossible to eradicate completely; there is always a residual risk. It is this residual risk that cyber insurance picks up, a necessity even for the most resilient among us.
For a useful summary of how to manage cyber risk at board level please see the NACD Director’s Handbook on Cyber-Risk Oversight.
Sebastian Hess is Cyber Risk Engineer for Austria, Germany, and Switzerland of AIG Europe Ltd. in Frankfurt, Germany.