Until corporate Risk Managers who deal with Cyber Risk (and there are not many of them) start working at all levels, who should be entrusted with the management of Cyber Risks and, more specifically, with the transfer of risk to the insurance companies? The answer is a joint round table driven by the CIO.
The Clusit Report 2016 provided the basics of the terminology, key features and usefulness of cyber policies in a Focus On dedicated to insurance in support of the so-called Cyber Risk management. The authors implicitly addressed the CFO, the position that usually supervises the insurance issues in a company.
One year after, the daily dealings between businesses, insurance brokers and ICT consultants have highlighted the following elements:
This gave rise to a double investigation in the North-East of Italy, which ended in the “Enterprise Cyber Risk Exposure & Insurance” report [1] by Via Virtuosa, in collaboration with Margas for the insurance part, published online at the end of 2016, hereinafter the “White Paper”.
The first survey outlines, through the answers given by CIOs and Systems Administrators, the risk exposure of companies, so that CFOs and CEOs can become aware of the central role of the Cyber Security activity, managed in-house or outsourced. The second survey, also carried out with the help of the CIO, who has to assess the risk or the protection levels in place, tries to assess the level of knowledge and sensitivity of the insurance transfer.
The results highlight some aspects that show the key role of the CIO in the transition phase from the management of ICT security to cyber risk management for the whole company; the transfer of the so-called “residual risk” to the insurance company is an ultimate, fundamental component of such management. For this reason, the white paper includes some basic information on the Italian insurance market and, above all, thanks to the 18 questions that three CIOs accepted to ask, it also includes 18 useful answers that allow people to find their direction in the purchase of an insurance policy with increased awareness.
[1] The “Cyber Risk Exposure & Cyber Risk Insurance” white paper is the result of the joint efforts of Luca Moroni and Cesare Burei. It also includes the contributions by CIOs E. Guarnaccia (BPV), M. Cozzi (Hypo Bank) and A. Cobelli (ATV), and the answers to their 18 questions on cyber-insurance. The risk exposure survey was carried out in the 2013-2016 three-year period, while the one on Cyber Risk Insurance was carried out in summer 2016. The white paper can be downloaded free of charge from www.viavirtuosa.com/whitepaper and supports the “Generation Z” survey on online security and the prevention of risk for minors: https://www.facebook.com/ProgettoGenerazioneZ/
The certainty that it is not possible to defend oneself completely from Cyber Risks requires such risks to be managed and the relevant tools to be correctly assessed in terms of costs and benefits. In short, it is a matter of balance between the impact of a cyber or cyber-related adverse event, the money spent in the management /insurance process and the maintenance of business margins.
Source: L. Moroni – “Cyber Exposure & Cyber Risk Insurance” White paper presentation at Infosek 2016 – Slovenia
On the occasion of the Security Summit, and thanks to the Clusit Report, many figures and percentages were made known that describe the overall state of cyber insecurity; they all underscore that there is no 100% safe system.
Source: CHUBB Claim Trends 8/2016
It is possible to be proactive, with effective and appropriate investments in the reduction of corporate risks, in order to be prepared to deal with incidents and the costs/damages that they engender. Insurance policies turn an uncertain, often unsustainable cost/damage into a planned and sustainable cost/premium. The choice, therefore, must be based on a careful assessment in the prevention phase, so that the policies truly act as a financial and economic parachute, allowing the company to avoid closure and remain competitive after the incident, by providing the appropriate tools to compensate for balance sheet losses and recover the brand reputation.
Source: CHUBB Claim Trends 8/2016
Cyber Risk Insurance, a policy or set of policies that “cover” the damages and costs generated by a cyber or cyber-related adverse event, makes no sense if there is no awareness of one’s own risk exposure and, consequently, no attempt to adopt measures that mitigate that exposure.
The risk exposure survey carried out by Via Virtuosa over three years and synthesised in the White Paper “rather than highlighting an individual company’s positioning and risk exposure, focuses on the statistical trends of the interviewed sample, in this case companies in the North-Eastern part of Italy, as against a reference Base Line (Red Line). The measuring method used in this case is strictly objective (as is the case for the ISO 2700x standards) and the same for the whole sample group, even though it was considerably simplified. The method in question is the one adopted by the European Union Agency for Network and Information Security (ENISA).”
Those who fall in the yellow section at the top right have a significant risk exposure, with a potentially disruptive impact on their business; they are invited (as per the Method) to “outsource their risk”.
This research highlighted the following aspects:
The sample of this second survey contained a prevalence of subjects from the industry and services sectors (40% and 35%, respectively), with turnovers exceeding 20 million Euro (75%) and with over 100 employees (50% between 100-500 and 30% > 500).
This presupposes that aspects such as Reputation, Business Interruption and Sensitive Data management might be critical.
In the survey, IT Managers were first asked about the best-case scenario in terms of board commitment to the creation of a corporate security team, and whether ICT security is considered an integral part of the general security approach or merely a possible source of costs and damages (questions 1 and 4).
Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016
Then, the same subjects were asked to do something that was probably unusual for them: interact with their respective CFOs in order to answer the question on the presence of insurance policies that ought to be taken into consideration with regard to the criticalities highlighted by the risk exposure analysis (question 3).
Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016
60% of the interviewed CIOs were involved in a wider approach to security. Again, in 60% of cases the CIO had not, up to that point, taken an interest in insurance policies (question 2), and even though in 80% of cases no one in the company had thought to ask him about the impact of a possible incident (question 4), he had a clear idea of its origins (question 4) and was able to identify the sector that might suffer the most from a business interruption (question 8).
Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016
The CIO deals with ICT security: he monitors vulnerabilities (60% of cases) and the Business Continuity and Disaster Recovery plans (50-60% of cases), but deals very rarely with reputation crisis issues (18%), the formalisation of procedures and policies (28%) or standardisation (12%).
It is a positive sign that the CIO receives requests for information concerning ICT security management (question 7) first of all from inside the company (over 70%), then from external auditors (over 28%) and from customers and ICT suppliers in equal measure (23-24%). The latter percentages might increase in future, leading to control of the supply chain in terms of both virtuous management and insurance; in any case, they constitute a good foundation for a Cyber Risk Management policy.
Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016
39% of them state that they know of security incidents that occurred in the last 5 years. An analysis of the causes shows that such incidents are essentially attributable, in equal proportions, to (external/internal) attacks, with a prevalence of Ransomware (as declared by more than 50%), to (internal/external) human error and to failures (question 9).
Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016
Question 8 revealed the CIO’s opinion of where a stoppage of ICT activities would have the worst impact: Administration/Accounting (over 80%), logistics and deliveries (73%) and sales (60%). This allows the authors to return to the value and meaning of transferring risk to insurance: failure to pay suppliers, failure to place orders or failed deliveries can assuredly cause problems for the bottom line in the short, medium or long term.
“Virtuous” companies, that is to say, those that have adopted Cyber Risk Management policies, can therefore deal with the insurance companies with a full awareness of the residual risk that needs to be transferred, especially with regard to business interruption, intentional/accidental cyber issues and issues of general or professional third-party liability, and correctly assess also the reputation risk, if necessary.
The results of the survey show that the CIO can act as a “cultural mediator” for the company, with the help of a competent insurance broker.
Below is a brief synthesis of the activities of a hypothetical operational round table on the management of cyber risk:
Cyber Risk Exposure and proactive approach: knowing the extent and nature of the exposure
Now the necessary tools and knowledge to deal with the insurance issues are in place, so it is time to TRANSFER THE RESIDUAL RISK.
Cyber Risk Insurance: transfer the residual risk to an Insurance Company
For further details, please refer to the Focus On feature in the 2016 Clusit Report.
We asked the CIOs of three important companies in the North-East of Italy to ask any questions they could think of, in order to help the layman understand the opportunities and limitations of an insurance policy. Here is a synthesis of the answers to the 18 most frequently asked questions:
It is necessary to analyse the existing policies and check whether they also cover the ICT issues identified during the analysis;
To date, there is no requirement for a shared standard measure of exposure. Any best practices or certifications for risk mitigation can promote the successful transfer of risk to the insurance company at better coverage conditions;
GDPR and insurance: it will be essential to know whether the company is in possession of Sensitive Data according to the expanded definition of the new Regulation, in which country that data is held and which measures it adopts to defend against data breaches. If the company’s own or third-party Sensitive Data are entrusted to a third party, it will be necessary to analyse the existing contracts with the relevant supplier and check the contractual indemnities, in order to transfer the cost of the GDPR mandatory actions correctly. If the company writes or customises code, the extent of the corporate (professional, general, product) liability is to be assessed quite thoroughly;
Simulate the impact of a Cyber adverse event on the bottom line, in terms of cost increases and loss of gross profit. This is perhaps the most critical and underestimated field, one that is known to insurers as Business Interruption.
To conclude, it is clear that the Cyber Risk Management approach must be based on close cooperation between the corporate risk owners, the CIO and the CFO, and on a virtuous supply chain that includes customers and suppliers, the help of IT professionals expert in Cyber Security management and implementation, and brokers expert in cyber matters who can support the company in choosing the right balance between costs and insurance guarantees.
Contents on http://www.clusit.it/rapportoclusit
Get the full report contacting [email protected]
Copyright 2017 © CLUSIT
All rights reserved to the authors of the work and Clusit
Any reproduction, even partial, without the written permission of CLUSIT is forbidden.
About the author
Luca Moroni – Coordinator, Working Group “White Paper”
(Security Affairs – cyber risk, cyber security)