That’s like selling them Motor Insurance to stop road accidents.

And speaking of Motor cover, probably the most basic thing you sell your clients: they still need to have roadworthy vehicles (warranted) with proven maintenance of brakes, tyres, etc., and there has to be an authorised operator (a licensed driver).

If something as basic as CMV cover has risk management requirements, you can easily see why something as complex as cyber and technology security requires a wide range of measures to be put in place before it is even possible to place a meaningful Cyber Insurance cover.

A cyber insurance policy should only form part of an overall risk management strategy, and it should come at the end of that strategy. Insurance is risk transference, which within a strong risk management framework should occur only after risk identification, risk measurement and assessment, risk mitigation and risk acceptance.

Dollars well spent on prevention and detection can be significantly less than the costs of remediation and restoration in the event of a claim. Even a minor cybersecurity incident can have significant financial, reputational and operational impacts on a business. As a result, cybersecurity maturity needs to form part of any risk management audit process.

Off the back of digital transformations, rushed delivery of work-from-home capabilities that widen attack surfaces, current geopolitical tensions, the ever-increasing sophistication of attacks, and emerging technologies that will bring new and unknown cyber threat exposures, the need for a strong and resilient cybersecurity posture has never been more important.

If digital assets are important to your client and/or their stakeholders, then by that definition alone they are just as valuable to an attacker. Be certain that attackers will find a way to leverage those critical assets to extract financial gain from your client. Business leaders can easily understand their physical assets and be across how those physical assets are risk managed, but too often the same levels of protection are not applied to their digital environments. In the digital environment some of the basic hygiene controls, which in many cases are inexpensive and feasible measures, are simply not in place.

Compared to the physical environment there is often:

•    No alarm (intrusion detection system);

•    No alarm monitoring service (managed security service);

•    No safe for valuables;

•    No CCTV (incident logging);

•    No building surveys (cybersecurity audits);

•    No staff initiation and ongoing development training (staff user awareness training);

•    No fire evacuation trials (testing response plans for cyber-specific scenarios);

•    No inspection and testing of emergency generators (testing of backups for completeness and preparedness);

•    No key card plus PIN code for building access (two-factor authentication); and

•    No ongoing building maintenance undertaken (software updates and replacing legacy systems).

Many digital environments are full of cracks through which water ingress can occur.

Yet without these protections for digital asset security, the first port of call might be a cyber insurance policy. How would obtaining MD/BI insurances go in a similar situation?

Without more effort in education and in lifting the overall cybersecurity standards of NZ businesses, at some point cyber insurance will only be available and affordable to the few, at the same time as every business is becoming more reliant on digital assets.

While as an underwriter I'm not a financial advisor and therefore can't provide financial advice, it is my recommendation to the industry that, rather than just selling an insurance solution (which doesn't cover everything), we work together to better understand the digital assets and associated cyber risks of the specific business, and use our position within the risk management framework to lift the cybersecurity education of all stakeholders.

For many organisations, perhaps the allocation of capital to a specialised cybersecurity professional to undertake a pre-loss audit (and the client implementing any key recommendations) is the best first step towards evaluating and understanding cyber risk. Cybersecurity professionals can provide new insights into how vulnerable a client's digital assets are, and are up to speed with current cybersecurity trends, so they can best position the organisation to close the gap on such vulnerabilities. While the upfront costs of risk investigation and risk mitigation can seem expensive, this investment may well save the business significant costs in the long run. A business can't protect against a threat to which it doesn't know it is susceptible. A proactive cybersecurity strategy and investment in prevention can help an organisation prosper in an ever-evolving, complex and challenging cybersecurity landscape. At the end of the day, it is easier to protect an organisation when cybersecurity is at the forefront of every digital transformation or technological advancement, rather than trying to patch a system where security has been overlooked in the development lifecycle.

In time, an independent cybersecurity audit may well become a prerequisite for access to cyber insurance, and those who can demonstrate cyber resilience at the forefront of their digital journeys will be best positioned should cyber insurance capacity be limited in the future.

December 2022