10 July 2023 | Features | Insurance

Preventative medicine: a 360⁰ approach to cyber risk

Cyber insurance may have been around for 20 years but in this rapidly evolving risk landscape, a 360⁰ approach to cyber risk may become the only process truly fit for purpose.

Three cyber experts debated this complex, yet critical, idea on a webinar called ‘Assessing and managing cyber risk – the benefits of a 360⁰ approach’, which was hosted by Intelligent Insurer and sponsored by Markel. To watch this debate in its entirety, click here.

It’s no secret that greater reliance on technology has brought with it greater exposure, while security risks include an increasing vulnerability to privacy breach events. Such events can lead to financial impact from ransomware, business interruption, and/or potential regulatory and private litigation issues.

Given the massive scale of such challenges, it makes sense for clients, brokers and carriers to partner and explore a 360⁰ approach to cyber risk, the speakers agreed.

The webinar panel was made up of Lou Botticelli (pictured), managing director, Specialty Professional Liability – Cyber, Markel; Zach Scheublein, managing director, Private Equity Cyber Insurance Solutions Leader, Aon; and Chris Bush, chief operating officer, Black Kite.

Scheublein referenced the “four core quadrants that round out a 360⁰ approach”, which include mitigation, quantification, transfer and response. Together, they effectively outline a company strategy for developing a cybersecurity framework, he explained.

“The issue is, for insurers, it's not a static risk, it's dynamic, it's going to change from binding to the policy end. That is why you're seeing a lot more use of active scanning tools to be able to help clients more effectively manage risk on an ongoing basis throughout the year.”

He stressed that writing this business has changed hugely in recent years; policies were once based on a limited number of questions and a broad insurance contract was offered. Now, the emphasis is on helping clients quantify their cyber risk, developing a cohesive cyber risk insurance strategy, and then having a formalised and tested incident response plan between key internal stakeholders at a company.

“This is often also combined with having third party incident response vendors on retainers, specifically legal counsel and forensic investigations. If something goes sideways and there is a suspected incident, everybody's on the same page, and that specific event is handled accordingly, in the most efficient and effective way possible. That is the 360⁰ approach. Now, more so than ever, companies need to effectively communicate their cyber resilience to qualify for competitive insurance terms,” Scheublein said.


Botticelli emphasised that the merits of this approach lie in the context of the constantly changing threat landscape. He said cyber risk cannot be approached in the same way as other risks. “As underwriters, we are only as good as the data presented to us – and we get only one bite of the apple. These are 12-month policies based on historical data. Maybe you don't see a client for another ten months. An issue could arise on day-354 of the policy period. Cyber insurance needs to be different. But that is why the 360⁰ approach is so important.”

He explained how Markel has partnered with Black Kite, which runs non-invasive scans of insured companies during a policy period to spot any vulnerabilities. “That is real time information. Then we work with other vendors who can fix any issues. That is the 360⁰ approach of providing value at the beginning of the policy period, during the policy period, and at the end of the policy period.”

Botticelli stressed the importance of communication between all parties through the lifecycle of the policy: the insured, the insurer, brokers and vendors all working together from the start to understand the risks. “You sit down and you do that risk analysis: what are your assets, what are your exposures to regulation? Then you go to the insurance community understanding what you need: what risks you can mitigate and what risks you can transfer. That's the full 360⁰ process.”


Bush added that the approach should take into account all aspects of an organisation's cyber security position. “What are the threats you're being faced with? What are the vulnerabilities? But you also have to know what your assets are and how are they being managed. You need to identify your entire landscape, which is difficult.

“Ultimately, you need to be aware of and track and identify and understand the risks surrounding that. But also understand the controls you have in place: your incident response posture, your capability, what you are monitoring, and your detection and prevention capabilities.”

Scheublein was clear that there is no silver bullet out there to completely mitigate against cyber risk. But collaboration early on in the underwriting process always leads to the best outcomes. “Historically, different parties worked in silos; having that cohesive strategy is critical.”

Botticelli added: “You have to get everybody on board, everybody's got to be in the boat and understand why we're doing this. When you have that collaboration, it makes the process more transparent and easier all around.”

Botticelli likened the approach to the use of preventative medicine. “Why do you want to get sick instead of better understanding the risk and preventing that illness? That is a pretty easy concept to understand. We're the insurance company. We will respond and pay claims. That's our product ultimately. But I also believe prevention is the key to this risk. When you consider motor insurance, people change their tyres but also still buy car insurance.”

Bush added to this analogy. “If you drive by a building and the grass is 4ft high, the doors are caved in, the windows are broken, the chances are there are also issues on the inside. The security measures being taken are probably low. What that ultimately equates to is having information and intelligence that allows you to make better business decisions without utilising just questionnaires once a year.”

For more on how to make the most of the benefits of a 360⁰ approach to cyber risk, watch the full video here.
