Clients know that cyber threats are a real risk, but many are not working coherently as a business to manage them, according to new research.
A report by Chubb has shone a light on cyber-risk, the difference in perception between IT and risk professionals, and how insurance can bridge that gap.
Bridging the cyber-risk gap found that cyber-attacks are increasingly common and ever more sophisticated. Just over a quarter of respondents (27%) have experienced an incident recently. For most, normal service was resumed within 12 hours, but unforeseen vulnerabilities were exposed.
Over half (55%) of respondents who had not been hacked say their organisation assumes – to some extent – that a serious cyber-attack will not happen. But cyber-risk is moving up the business agenda: 69% of IT professionals say that cyber-risk is now a board-level issue. Yet there is a lack of coordination within businesses. Only 37% strongly agree that there is clear organisational ownership of cyber-risk. Furthermore, just 35% strongly agree that there is strong cross-department collaboration on the issue.
There are differences between IT and risk, with those in IT more likely to expect the impact of an attack to be severe, for example. These differences can be seen at an organisational level, too – there is not one single view on the scope of a potential threat, or how to tackle an incident. This only leads to increased vulnerability.
Risk mitigation is therefore key, which is where insurance comes in. In addition to our cyber insurance policies, Chubb offers risk engineering services, which help organisations to profile and quantify their risks and then broaden defences.
If an incident does occur then fast and decisive action is key. Agility is required to respond to business interruption, data loss, data reconstruction and ransomware events. Reporting the incident to the relevant authorities is also as complicated as it is urgent under the new GDPR regulations. However, fewer than half of respondents who have not been hacked say that a clear plan is in place for a cyber incident. Of those who fell victim to a cyber-attack this past year, just over half sought help from their insurer.
Yet insurers can do more than just pay out in the event of an incident. Chubb’s Cyber Enterprise Risk Management proposition includes a post-loss incident response service. Policyholders have access to qualified incident managers who help insureds deal with the complexities of a cyber incident from start to finish and offer access to a global network of crisis management service providers.
Insurance is a need that IT (67%) recognises more than risk (60%). This could be because IT knows its own fallibility, and understands that insurance is required to cover all eventualities. Regardless of this recognition from IT, fewer than half of respondents’ organisations have taken out insurance for cyber-risk.
This could be for a number of reasons. Two-thirds said insurance providers should do more to develop solutions that match the needs of businesses. A similar figure believes that the industry is not moving fast enough to keep up with threats, while just under half do not completely understand the solutions available to them. Kyle Bryant, Cyber Risks Manager for Europe at Chubb, says the challenges that the report outlines create a “unique opportunity for brokers to assist clients in gaining influence to improve risk management across the entirety of the organisation”.
He explains: “We are most successful as insurance partners when we, as insurers and brokers, can demonstrate a clear understanding of the challenges clients face and, likewise, clearly communicate a solution that bridges the gaps between IT security and risk management.
“At Chubb, we have invested heavily in building credibility in our insurance offering and are committed to continuous improvement. From relying on our 20 years of experience to educate the insurance and risk community on cyber-risk, to investing heavily in our cyber-risk engineering practice, we are committed to addressing the needs of our clients and brokers through providing relevant solutions that can respond to the ever-changing risk of cyber security.”
In practice, insurers are performing well: six in 10 praised their incident handling and prevention advice; the pricing of cyber events – that difficult issue – is done fairly, according to 56%; and the same percentage say their claims are handled judiciously.
Kyle advises: “Where we find the most success is in having a clear and tailored proposition for the industry. Chubb can assist in driving marketing into specific sectors – manufacturers, wholesalers or logistics firms, for example, are not as concerned with personal data risk.
“However, by using industry-defined claims examples, we can provide clients with credible scenarios that can lead to loss, clarifying the value of insurance and easing the sales process.”
If you would like a copy of Bridging the cyber-risk gap please contact Zoe Kay (firstname.lastname@example.org).