In this oversubscribed session at Airmic 2017, Adam Peckman from Aon and Tracey Skinner, Director of Insurance & Risk Financing, BT, discussed strategies for developing an enterprise-wide approach to identifying cyber risks and how to de-mystify the concept of cyber, and offered guidance to support Risk Managers and Business Leaders tasked with managing their organisation's cyber risk profile.
What does cyber risk mean to business - Evolving threats to the Industrial Revolution 4.0
The competitive environment in ‘Industry 4.0’ has driven increased application of and reliance on digital technology. Digital transformation, the strategy to optimise business processes through leveraging digital technology, is just as relevant for a Telco utilising Big Data to predict customer behaviour as it is for a Widget Manufacturer automating a product line with robotics. However, with this trend to connect and automate the business model, more complex and more impactful exposures to cyber risks have emerged.
Accordingly, whilst Business Leaders acknowledge that digital technology is a key enabler of competitive advantage, they also perceive Cyber Risk to be an emergent strategic threat to the balance sheet. In 2017 the risk was rated #5, up from #9 in 2015, and #18 in 2013 (Aon Global Risk Management Survey 2013, 2015, 2017).
What does Cyber Risk represent to Financial Performance
Today the Digital Economy is losing $450bn (USD) to Cyber Crime, growing to an estimated $2-$6 Trillion by 2021*. Despite the growing frequency and scale of cyber attacks and increasing management focus, more than half of companies surveyed in Aon’s Cyber – The fast moving target survey, 2016.
Cyber is such a Distributed problem – how can the Risk Manager take ownership?
One key reason Cyber Risk Financing and Insurance strategies lag behind the pace of digital transformation and emerging security threats is the fragmented approach many businesses employ when measuring and managing the risk across various functional silos. Accordingly, Risk and Insurance Managers need to solve this problem by positioning Cyber as a Business Risk, facilitating a more integrated and collaborative approach to evaluating, mitigating and transferring cyber-related exposures.
In a similar manner to how Risk Managers have approached evaluating and transferring traditional property and casualty risks, attention is now required to understand the commercial implications if mission critical technology is in some way compromised by a cyber event, thereby understanding cyber risk within the business context.
Achieving this involves building a committee or working group that extends beyond security subject matter experts within the business. As with any other business risk, the Risk Manager should assemble a team that represents all key areas of the business and understands the role of information technology and the commercial implications when those key assets are impacted. Understood in this way, the Risk Manager facilitates the risk management process with the correct subject matter experts to drive a consensus about the size and priority of the cyber risks and exposures facing the business in a structured and thorough manner.
Navigating the nascent and complex market
The external challenge facing Risk and Insurance Managers is understanding and articulating the potential role of cyber insurance to decision makers, given the evolving and complex nature of the market.
Simple benchmarking of policy limits, retentions and premiums is of limited value if used as the single source of data when evaluating the role and value of cyber insurance. This is not only due to the nascent nature of the market, but more specifically due to every organisation having a unique technology profile, risk appetite, and legacy insurance programme that potentially contains elements of coverage. Consequently, peer group benchmarking, management intuition, and advisor recommendation are lagging indicators. At best these can only help to identify an industry buying pattern; they do not accurately reflect an organisation’s individual technology or cyber threat profile requirements.
Evaluating the balance sheet impact
The risk management process can help generate financial models that articulate the potential value of risk associated with the variety of cyber exposures facing the organisation. This process enables management to deploy capital toward optimal risk mitigation strategies and appropriate levels of insurance limits.
Adding value to cyber readiness and resilience
Risk Managers can therefore help unlock the value of risk financing and transfer strategies by aligning the organisational needs to the range of available solutions:
- Educate the business on potentially insurable exposures and opportunities to reimburse expenses via the commercial.
- Utilise insurer panels and vendors to augment existing cyber incident response arrangements.
- Align ITDR, Security Response, BCM, Crisis Communications, and Claims protocols.
Sources: McAfee, Locke and Lorde, FTC, IP Commission, Insurance Information Institute, Lloyd’s, Global Herjavec Group, Cybersecurity Ventures; analysis by Aon Benfield Analytics. Aon Cyber Captive Survey and Report 2016.