Phishing for trouble
What do captive insurers require from their parents in order to prevent a cyber attack?
Like any other insurance company, they are going to want to see controls and see how the company is mitigating the exposures of cyber risk. They are going to look for multiple things, such as checking to see that response plans are in place, with decent technology and coordination among their functional operating groups so that there’s discussion about what types of cyber risk exist in the company.
What are the main problems within a business that can cause a cyber breach?
There are so many different conclusions on what ranks as the top issue causing cyber breaches, but studies suggest that hacking, phishing and social engineering are the main causes. I think that you can definitely rank phishing as one of the biggest issues in 2016, with ransomware being one of the highlights. There are also obvious causes for breaches, such as hacking events, and human error or human element events.
Do breaches also come from within the business?
Yes, there are errors that can be created by an employee, as well as a malicious component of the human element, which is huge in the business environment.
Should all companies have a prevention programme?
There should be a loss prevention programme in place and I think it should start with the internal response plan. The plan should identify who is in charge of preparing for a breach, determine how to prepare it, and lay out processes so that the company is ready for any situation when it occurs.
A company also has to have a post-breach response plan. There has to be a mitigation component and within that there should be an internal response plan, which is going to lead the charge in how the company handles a breach.
Are you still being approached by large companies that do not have cyber cover in place? Why do you think they are yet to purchase cover?
Yes, and I think there are a lot of reasons why companies are still not purchasing cyber coverage. I think there is a disconnection in the type of information sharing which is going on within the cyber risk community, particularly on the brokerage side.
I believe the sophisticated brokers are able to share good quality information, starting from a risk management perspective all the way down to insurance.
But, unfortunately, I think in some cases there tends to be a disconnection in the communication process.
That means the corporations may not have had the risk properly explained to them and do not understand the value of the insurance.
In those situations, what you get is disconnection and confusion, which makes it a much harder process for a company to secure the proper insurance.
How often should companies be updating covers because of new emerging risks?
Those updates should be made annually. At the moment we know that the cyber policies are still going through changes and we are seeing emerging risk taking into account the bodily injury and property damage component of an event.
Most cyber insurance policies are not addressing bodily injury and property damage, and if they are, it’s a small segment of the insurance marketplace that is able to provide such cover.
Not all companies have the exposure, but there are a lot of companies out there that are concerned an attack on their computer systems could result in some sort of bodily injury or property damage, particularly organisations that are in the power and utility sector.