How can your business better manage cyber risk?

Almost anywhere you look, the news on cyber risks and data disruptions is disheartening. Report after report indicates that the number and cost of cyber incidents are rising rapidly. (The latest such report, the 2015 Cost of Data Breach Study: Global Analysis, from the Ponemon Institute, claims that malicious attacks are the root cause of 47 percent of data breaches, up from 42 percent last year, and that the associated costs to businesses have increased 23 percent since 2013.) Cyber experts from every part of the world are joined in the now common refrain: If your business hasn’t already been hacked, it’s just a matter of time before it is compromised.

As unsettling as the cyber risk news is, businesses cannot simply close their eyes and hope for the best. On that front, there is a bit of good news. “Businesses now have more options than ever to help build resilience in the face of the threat. Security solutions are being used more proactively in the hunt for bad guys, and individuals are increasingly aware of their personal and corporate responsibility to protect cyber borders,” says Linda Conrad, Head of Strategic Business Risk, Global Corporate in North America, Zurich Insurance Group (Zurich). On top of that, insurers are continually expanding their cyber risk management expertise and support, and reexamining how policies can be structured to address cyber risks that are specific to various industries.

The best defense is a good offense

Having cyber security in place has been a requirement for any business for some time now, but the trend is shifting away from protective security toward detective security. “Traditional” protective measures—firewalls, antivirus software and the like—remain part of the cyber security arsenal, and they are now being used in tandem with processes that help businesses detect the presence of hackers and send them packing. These technology tools are ideally coupled with guidance on how employees can support smart cyber risk management practices to better protect the enterprise.

“There has been a lot of innovation in advanced threat detection,” says Gerry Kane, Cyber Security Segment Director, Zurich Risk Engineering. “A lot of these new capabilities are made possible by Big Data analysis, which allows you to take logs from the many and varied devices in your network, collect the data all in one place and churn through it to find indicators of compromise in your own environment. That’s the area where the most innovation is taking place in cyber security.”

Elite information security teams are also proactively looking for bad guys, often employing people who know which rocks to look under for hackers. This tactic is still fairly new, but where it is done well it is having a positive effect, says Kane. “That approach also ties in nicely with another innovative trend—information sharing among information security departments,” he says. “The financial services industry, the energy sector and even some state and local governments, for example, have formed Information Sharing and Analysis Centers. Companies in those industries get together and share their experiences so others in the group can learn from them and use that insight to look for those types of behaviors, and hunt the threats. This is still very new, but it’s gaining in momentum and acceptance.”

How cyber fits into the holistic risk picture

Cyber risks can involve more intangibles and can feel a bit more hypothetical than other risks, despite mounting evidence to the contrary. “A cyber disruption or data breach can have a very broad impact across the enterprise,” says Conrad. “Organizations should not only protect against data loss, but also consider automated systems in their assembly line, supply procurement or logistics. Sales ordering and even payroll are also frequently automated. It is wise to assess these exposures and their potential business impact, and then institute both technology and personnel controls, and put cyber insurance protection in place.”

The Ponemon report provides proof of a basic tenet of cyber risk management long championed by Zurich, namely that board-level involvement is critical. In fact, according to the report, such involvement can reportedly reduce the cost of a data breach by $5.50 per record. Insurance protection can further reduce the cost by $4.40 per record.

Cyber insurance is vastly different from what are considered more traditional lines of insurance, for example, a property policy, where a business owner can more easily visualize risks and understand their impact. But cyber insurance can play a broad role in addressing cyber risks by reducing cost and downtime to businesses. Just as cyber risks have evolved, so has the business resilience approach and insurance coverage available to proactively managing those risks.

“It’s fair to say that many businesses are still struggling to understand the insurance aspect of cyber risk management,” says Lori Bailey, Global Head of Special Lines, Zurich. “The insurance piece of it has come a long way from the early 2000s when it focused mostly on network security and technology companies. Given progressive improvements, it’s worth taking the time to understand not only the insurance coverage itself, but how it applies to your organization: How does it add value, and what does it really protect you from?”

While all companies can be vulnerable, certain industries have very specific exposures and needs when it comes to protecting cyber liability or security and privacy. For financial institutions, for example, a number of insurance products already on the market address some aspects of cyber risks without being an actual cyber risk policy. In such industries there is “customization going on to try to fit the existing insurance products with other products that may already be purchased, or to address specific requirements unique to that industry,” says Bailey.

Interconnected risk management

The alignment of cyber insurance with existing policies is a natural next step in managing interconnected cyber risks. As businesses reassess cyber insurance—what policies cover and how they’re constructed—there is a growing awareness of where their other insurance policies may pick up or drop off when it comes to cyber incidents, network security breaches or privacy incidents.

“The question we are asked more these days isn’t ‘What can I get under my cyber policy that isn’t covered elsewhere?’ but rather questions about how cyber insurance links with other polices and where those gaps may be,” says Bailey. “For example, when a manufacturer purchases a cyber policy, they will generally have a property and a casualty program in place, and they may also have some supply chain and logistics coverage, particularly since over 50 percent of supplier disruptions were caused by cyber issues last year. So the original question becomes scenario-driven. If the manufacturer’s network is hacked into and brought down, which policy is going to respond? Is it going to be an “all risk” supply chain policy? The cyber policy? The property policy, if there is some physical damage as a result of the breach? In some cases it may trigger multiple policies, and I think that’s one of the challenges that businesses face as cyber risks add to their exposure. That’s why we at Zurich address the needs related to cyber risks from a holistic perspective.”

Creating the comfort level with cyber insurance that businesses have with other areas of insurance is where risk engineering becomes vital. “One of the benefits of having a cyber insurance policy is the proactive service that comes with it,” says Bailey. “Instead of just responding to claims, we can build and play out cyber risk scenarios in real time, helping businesses do effective risk assessments.”

Zurich has long used risk engineering on the property side, for example, to minimize the damage of potential incidents before they occur. It is now employing some of those same principles to the network security and privacy space as part of the underwriting process. “At Zurich we are deploying our own experts to help businesses assess cyber risks upfront and determine where they have gaps in their program. And then we work with them to try to mitigate those gaps as much as possible prior to a claim ever happening,” says Bailey.

This article is published in collaboration with Zurich Knowledge Hub. Publication does not imply endorsement of views by the World Economic Forum.

To keep up with the Agenda subscribe to our weekly newsletter.

Author: Joe Ritchey is a Risk Manager at Capital Region Water.

Image: A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files.