Our only security is our ability to change
There was a time where the biggest worry in the insurance industry was the cost of doing business and the honesty of clients when it came to disclosure and non-disclosure.
However, when Dr John Lilly said that our only security is our ability to change, he essentially confirmed the belief that change is the only constant we experience in our lives. We currently experience more change in a single year than our great grandparents experienced in their entire lifetime. The industry is becoming increasingly defined by technology where the treadmill of change constantly increases its speed.
The industry’s safe harbour
In the midst of this, the industry had found a safe harbour in the form of cyber insurance. While not a new concept or product, it is constantly changing form with each iteration being more comprehensive than the one preceding it.
However, it seems as if not every company is willing to bulk up their cyber protection. Speaking at the recently held Institute of Risk Managers South Africa Annual Conference, Jenny Jooste – Professional Indemnity and Cyber Underwriter Financial Lines at Chubb Insurance – said that small and medium companies erroneously think they are immune to the cyber threat.
“This is untrue. Criminals are increasingly adopting hit-and-run tactics and we see them targeting businesses where they can make a quick buck. Cyber crime among smaller and medium sized companies are at times some of our biggest claims. Criminals target these companies because their IT controls are low and the skills dealing with these threats are in many cases not specialised,” said Jooste.
Management fears
This is a big issue which is only increasing in relevance. Jooste pointed out that in the past, it was safe to sit back and say that the situation will be dealt with if it happens. However, the status quo has changed and it is now a case of dealing with it when it happens.
“Claiming ignorance will not be an excuse for much longer. It will eventually come to a stage where company directors will be held liable in a personal capacity when a cyber crime is committed. Proactive steps need to take centre stage and become common place,” said Jooste.
So how do insurers go about this? Jooste pointed out that the first step is to build a network of cyber specialists who will ensure that companies will be able to stay up to date and aware of the latest developments and lessons learned from international markets. Obviously, a lot of lessons will be learned from professionals who have already had to deal with a cyber incident.
Double envelopment
Insurers need to be on their toes when dealing with cyber crime. In essence, they need to think like a cyber criminal. They also need to realise that there is no blanket offering when it comes to cyber liability.
Jooste suggested that the cyber protocol of a company needs to go through a trial by fire to see whether it will withstand an attack. “Perhaps a good tactic will be to get in cyber specialists to do vulnerability testing and penetration testing. Once changes have been implemented, then retesting needs to take place. The seriousness of this cannot be underestimated,” said Jooste.
Dropping the ball
Jooste points out that there are other basic mistakes companies are making.
Data has become the new oil within the insurance industry. As such, it can be used as a major bargaining chip when dealing with a cyber attack. “When one considers this, it is baffling that certain companies are still not splitting sensitive data from normal data. A distinction needs to be made,” said Jooste.
Another major issue, which is of particular concern to brokers and advisers, is that social engineering is a major issue. Cyber criminals will log onto a social media page and copy the identity of a person, even the way that they speak. They then start committing crime such as theft, fraud and ransoming information. “Brokers and advisers need to be aware of the threat. It is real and can be catastrophic,” concluded Jooste.
Editor’s Thoughts:
While there is no blanket offering when it comes to cyber crime prevention, it is helpful to have a basic standard operating procedure when it comes to daily actions. Much like with directors and officer’s liability and professional indemnity, which were also liability issues that people knew very little information about in their early stages, cyber liability will be increasingly thrusted into the spotlight and the industry will gain serious ground in cyber warfare. Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts [email protected].
