Increased risk coupled with a hardening market have made it more difficult to arrange affordable cyber insurance. But, as a cyber attack could leave a public sector organisation facing a multi-million pound bill, Andrew Millard, Public Sector Practice Leader for the North, and Heidi Dennis, Public Sector Practice Leader for the South at Aon, say it’s time to have a more informed discussion about cyber risk.
Cyber attacks are rarely out of the news, with each incident seemingly adding a new dimension to this risk. A recent example is the ransomware attack that forced the US fuel pipeline, Colonial Pipeline, to shut down its network, cutting the flow of oil to the East Coast of the US and forcing the government to step in to minimise disruption to supply.
Although it’s easy to dismiss cyber as something that happens in the US, or in particular industries, it’s a risk that every organisation needs to take very seriously. Cyber attacks are commonplace in the public sector. UK local authorities faced 263 million cyber attacks in 2019 (1) – that’s the equivalent of 800 attacks every hour. More recently, in 2020, two local authorities experienced significant denial of access attacks, with the worst case reported to have cost in excess of £10.4m.
New exposure
Committing to a new insurance spend is never easy. Until a loss is experienced, it can be difficult to appreciate the need for cover.
This is exacerbated by the fact that some data losses have been covered under other liability policies. But, as the risk and losses associated with cyber continue to increase, insurers are adding specific cyber and data breach exclusions to their liability policies, leaving organisations to face an even greater exposure in the event of a successful cyber attack.
For those organisations that do decide to take out cyber insurance, there can be further challenges. Against a backdrop of larger losses, insurers are taking a cautious approach. This can be seen in Aon’s Cyber Insurance Snapshot, which found that, throughout 2020, insurers reached, and in many instances surpassed, a tipping point as loss frequency and severity outpaced improved risk selection and limited rate increases
As a result, risks are being underwritten on a case-by-case basis reflecting activities, claims and breach information and cyber security posture and insurers now require much more information before they’ll offer cover. For an organisation that has never explored this area in any depth, this information-gathering exercise can be cumbersome and off-putting.
Understanding the risk
With the frequency and severity of cyber risk escalating, having a clear understanding of how cyber risk might affect your operations is increasingly key to establishing a strong culture of cyber resilience. Understanding the cyber risks an organisation faces, and the processes and security in place to defend it, enables it to manage the risk strategically and make informed decisions about its investments in this space.
At Aon, we work with public sector clients to support them through this exercise. This often starts with helping our clients to identify the scenarios that would give rise to a cyber loss. This might include loss of data from a cyber attack, potentially including sensitive data such as social services records; a denial of access attack that renders services unavailable to residents; or a ransomware attack that stops employees being able to access the system.
A variety of tools are also available to help organisations assess and quantify cyber risk profile. For instance, Aon’s CyQu* uses leading cyber data analytics to enable organisations to rapidly evaluate their cybersecurity posture and develop a data-driven risk management strategy.
We can also perform risk quantification and impact analysis through our Cyber Impact Analysis. This enables organisations to better understand their financial exposures under a range of different cyber scenarios.
As cyber is an enterprise risk, it’s also important that this process involves stakeholders from across the organisation. This includes IT, cyber security, risk managers, department heads and the CEO.
Managing cyber risk
With a full understanding of the cyber risks it faces, an organisation is able to make informed decisions about the way it manages this risk. Some of the risk may already be covered through existing insurance products but, for the rest, stakeholders need to agree the level of risk that can be accepted and any steps, including cyber insurance, that are required.
Risk management strategies take many forms and could include everything from phishing awareness training for employees through to investment in ransomware controls and cyber security.
Business continuity and response planning is also essential. If a cyber event happens, being prepared can make a huge difference to how quickly the organisation recovers and the extent of financial and reputational damage it suffers.
Any response planning also needs to consider what resources are available. An IT manager is unlikely to be experienced in dealing with ransomware or ransom negotiation, so it is worth having specialists on hand in areas such as forensics, legal and notification requirements and reputation management.
Undertaking this risk assessment exercise can also make it easier to secure cyber insurance. As well as covering off the more detailed underwriting information insurers require, it also helps organisations improve their cyber security risk posture and identify exactly what cover they need.
With the financial and reputational impacts of cyber attacks increasing, and insurers becoming more selective about the cover they offer, taking a robust approach to understanding and managing this risk is essential.
More information
With more than 650 global professionals dedicated to cyber risk management, cyber security and cyber insurance, Aon is able to provide your organisation with the tailored cyber solution it requires. For more information, speak to your Aon account manager or contact Andrew Millard at [email protected] or Heidi Dennis at [email protected].
Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.
This article has been compiled using information available to us up to 27/05/21.
(1) Local authorities hit by 800 cyber attacks every hour (computerweekly.com)
*The following products or services are not regulated by the Financial Conduct Authority:
- Cyber risk services provided by Aon UK Limited and its affiliates
- Cyber security services provided by Stroz Friedberg Limited and its affiliates