Cyber Risk Management – From Security to Resilience

Rapidly evolving threats and infiltration techniques have rendered traditional cyber defense strategies insufficient and ineffective. The emerging threat vectors and speed of change amplified by the digital transformation cannot be addressed by traditional means. Globally, laws are also changing to keep pace as cybercrime evolves, knowing no boundaries. Therefore, organizations must be nimble and agile to keep pace with policy changes, especially when expanding across different jurisdictions.

This report highlights three strategic imperatives to strengthen cyber resilience:

  • Understand (know your threats): Identifying organization- and industry-specific cyber threats and regulations calls for robust strategies that include cross-disciplinary considerations.
  • Measure (know yourself): Quantify the potential financial impact of cyber exposures to compare against the level of risk appetite acceptable to the board. This will determine the amount of investment necessary to mitigate and transfer any residual risk.
  • Manage (know what you can do): Proactively manage cyber risks by having clear action plans based on your capabilities and capacities to protect against cyber criminals.

It is inefficient and impractical to expect organizations to be ahead of every threat, but organizations should at least be on par with the evolution of cyber threats while ensuring compliance with changing laws and regulations. While cyber attacks are inevitable, proper preparation is the essential element that sets resilient organizations apart from the rest in managing risk, minimizing damage, and recovering quickly from any incidents.

Cyber Risk: A Top Concern

Technology continues to play a profound role in shaping the global risk landscape for individuals, businesses, and governments. Risk experts around the world continue to rank massive data fraud and theft and cyber attacks as their greatest and most likely risks over the next decade, a pattern that is consistent with previous years. Most risk experts also expect cyber attacks to have a much greater impact through business disruption and the targeted theft of money, data and intellectual property. Our increased dependence on pervasive, integrated digital technologies also increases anxiety around cyber security.

Rapid Innovation

The pace of business innovation has been driven by technology and connectivity megatrends such as mobile, the Internet of Things (IoT), big data and cloud solutions. The adoption and use of mobile devices have surpassed that of desktops since the last quarter of 2016, with mobile traffic accounting for 52 percent of total internet traffic in 2018. While business benefits include greater convenience and productivity, the use of mobile devices for both work and personal reasons has blurred the lines between sensitive corporate and confidential personal data, which are increasingly exposed to weaker application security features, mobile malware and other vulnerabilities.

Pervasive, Sophisticated Technologies

A recent study by FireEye Mandiant revealed that cyber attackers have followed cloud-reliant organizations, such as software-as-a-service and cloud computing, into the cloud. Mandiant researchers observed an increased volume of attacks against organizations with access to vast amounts of personal and confidential data, such as cloud providers, telecommunications, and retail and hospitality. More than 730 investigations were performed by Mandiant experts globally in 2018, a higher volume than any year before and an increase of more than 30 percent over 2017.

Devious, Organized Threat Actors

The modern cyber risk landscape is rapidly evolving and populated by threat actors with a myriad of motivations and attack sophistication levels. The methodologies can vary from highly-targeted and deliberate, to mass-scale with self-distributing malware. Different threat actors also have different motivations and ambitions that can be uniquely destructive.

Motivations and methodologies of threat actors can also overlap with one another. In many cases, similar tools and techniques are used by different groups since those may be the only tools available. In some cases, state-sponsored actors may even work with hacktivists to carry out an attack. Some threat groups demonstrate increased determination by maintaining persistence in victims’ networks. Some APT attackers plan out their modus operandi and patiently pursue their goals over a long period of time—months or years—before they launch their attack. They rapidly adapt to a victim organization’s attempts to remove them from the network and frequently target the same victim again if access is lost.

After an organization has been successfully attacked, there is a higher probability of re-compromise. According to FireEye, globally two in three (64 percent) compromised organizations were successfully attacked again within a year. It is more significant in APAC where almost eight in 10 (78 percent) of compromised organizations are likely to face at least one additional significant attack over the next year.

Organizations that have been attacked should strengthen their cyber security defenses and close any identified gaps to mitigate risks; unfortunately, this doesn’t always happen.


Data Sharing Economies

Data sharing is inevitable as we accelerate into the digital economy. Our growing interconnectedness is combined with a massive increase in velocity, volume, and variety of data shared across boundaries and jurisdictions. The accelerated digitalization of countries and industries amplifies the systemic effects from cyber attacks and increases the severity of successful cyber attacks.

With the advent of digital and transformative technologies that change the nature of business, policymakers are challenged to maintain the robustness of cyber laws and legislations. The anonymity of the Internet further ensures little or no risk of repercussion for cyber criminals.

According to FireEye CEO Kevin Mandia, “We are on a slippery slope in terms of frequency and seriousness of cyber attacks”, and it is likely to get worse unless serious consequences can be put in place for criminal behavior.

Although cyber regulations have lagged behind evolving cyber threats, the past years have seen a substantial increase in new cyber laws and other regulatory schemes, and this is expected to continue. Most regulatory schemes aim to protect data and privacy and fulfil notification obligations by breached organizations, but disclosures and notifications are critical first steps to reveal the volume, frequency and complexity of breaches before data protection and privacy can be further improved.

Complications That Impact Cyber Resilience

In an increasingly complex business and cyber landscape, organizations encounter greater challenges when trying to balance their business resilience and cyber security priorities.

Between 2016 and 2018, the rate of growth for internet users was 10 times faster than the global population. Correspondingly, the surface area for attack has expanded exponentially. The exposure is estimated to impact up to six billion internet users by 2022, approximately three-quarters of the projected world population. Increased connectivity coupled with the expanded adoption of mobile devices makes building cyber security defenses much more challenging since every employee or web-connected device now represents a potential vulnerability.

Underlying Trends Impose Additional Layers of Fiduciary Responsibilities

Rapid digitalization amplifies the systemic effect of cyber threats, which leads to more cyber regulations and policies. In addition to safeguarding the interests of individuals and businesses, governments and policymakers also aim to provide a conducive and well-regulated environment in which transformative technologies can be developed to spearhead their respective digital economies.

Unsurprisingly, organizations’ business models are impacted by new cyber laws and regulations. As these laws are introduced, revised and enacted, companies can find themselves in a continually reactive state when attempting to comply with changing policies. Organizations with operations across national boundaries face additional compliance costs as they attempt to navigate diverse regulations in different jurisdictions. While GDPR has led to the convergence of cyber security and data protection laws in the EU, cyber regulations in other parts of the world remain largely localized and diverse.

Re-Thinking a Cyber Resilient Culture

To reduce our growing vulnerability to human-enabled cyber threats, workplace culture needs to change. The outlook, attitudes, values, moral goals and legacy systems shared within an organization have a direct impact on how cyber threats are perceived and managed. While cyber security involves many different technical and information solutions, the necessary defenses and resilience cannot be fully achieved without the right mindset.

To establish a cyber resilient culture, everyone in the organization—from executive leadership and management to data analysts and salespeople—has an equal and important role to play in defense.

Through social engineering, threat actors increasingly exploit individuals as the weakest link of the cyber security chain. Therefore, cyber security and resilience must begin with the individual. Although Finance or HR departments may be primary targets for potential access to sensitive information, other executives and employees may also be targeted to gain network access.

How To Line Up Your Defense

Given the reality of the cyber threat landscape, you need to determine the tools you need to mitigate and respond to inevitable cyber attacks. Unfortunately, while both the aggressiveness and sophistication of cyber attacks have accelerated, defensive capabilities have been relatively slow to evolve and respond.


Darren Thayre, Partner in the Digital, Technology and Analytics Practice for Asia Pacific at Oliver Wyman, mentioned that typical cyber security discussions are often absent when organizations initially strategize on cloud implementation, a process normally driven by developers or infrastructure demands.

Many victim organizations and those working diligently on defensive improvements still lack the fundamental security controls and capabilities to either prevent breaches or to minimize the damages and consequences of an inevitable compromise.

Based on trend observations, Kelly Butler, Head of Cyber Practice, Pacific, Marsh, stated that while security remains important in the 2019 cyber landscape, it is becoming more about resilience.

Organizations must maintain a posture of continuous cyber resilience to prepare for and adapt to the changing threat landscape and recover from the disruptive attacks. Otherwise, they risk facing significant gaps in both basic security controls and—more critically—visibility and detection of targeted attacks. The saying goes, “what gets measured, gets managed,” but you can only measure what you understand.

Understand Cyber Risks from a Business Perspective

Cyber risk is now at the forefront of most corporate risk agendas. Organizations are increasingly looking to understand and assess the nature and extent of their potential cyber-related losses—a necessary first step to mitigate those losses.

A cyber defense strategy delivers substantial benefits for both the senior management and the organization, especially when the strategy and associated action plans are mandated from the top and prioritized with the necessary investments and budgets. A proactive cyber defense strategy demonstrates to regulators that the organization takes cyber risk management seriously and has clear priorities in place.

A cyber security strategy is how you direct and focus the creation of an actionable roadmap and build a comprehensive cyber security program. This process allows you to clearly link gaps identified in the program assessment to your organization’s cyber security investments. However, developing a fit-for-purpose strategy and obtaining buy-in for the cyber security program from senior management can be difficult.


After you understand cyber risks from a business perspective, you need to identify how much cyber risk is acceptable (to be absorbed) across your entire organization. This baseline helps make decisions related to cyber risk and implement controls.

For example, you can use a structured methodology to determine your organization’s cyber risk appetite. Ideally, you should break down and prioritize your cyber risk appetite, and the metrics you need to inform and measure the risk appetite. Later, you can develop recommendations regarding governance and operating model requirements, which in turn will determine and influence corporate decisions with respect to cyber security investments.


After you assess the amount of acceptable cyber risk, work to quantify your potential cyber risk exposure. Measure its financial impact to inform the business case for cyber security investments as well as cyber insurance that can mitigate or transfer risk.

Quantification determines the nature and extent of risk impacts for different threats and scenarios. However, boards and senior executives often struggle to gain a clear, comprehensive and current understanding of their organization’s cyber risk profile.


Increased awareness, cyber data breaches and the adoption of cloud-based services are a few of the factors that drive the growth of the cyber insurance market, while high costs inhibit growth. High premiums can be effectively overcome by systematically and clearly understanding organization-specific cyber risks to lower risk exposure and enhance the risk profile. For example, the use of data analytics to quantify risk exposure and underwrite cyber risks has proved to drive more efficient and effective risk profiling and provide more accurate policy coverage.


With an internally aligned cyber risk strategy and adequately measured risk exposure around expected losses due to cyber attacks, organizations can better insure themselves and secure stronger financials to respond to and recover from an incident. An incident response plan requires the support of proper security technologies and expertise. At a minimum, a response plan requires a full view of IT assets, strong detection capabilities, clear roles and responsibilities and fast reaction times. The plan must also be regularly practiced through drills to ensure that personnel know their roles and to track and record the metrics that measure their performance. Frequent testing can help identify areas for improvement and provide opportunities to continually refine processes and protocols.

Source: MMC-FireEye’s Report

Can Data and Technology Support the Insurance Industry to Regain Lost Relevance?

Since the start of the Third Industrial Revolution in the 1980s, the world has changed in many different ways:

  • rapid introduction and adoption of technological innovation (global internet; social networks; mobile technologies; evolving payment solutions; data availability);
  • new economic realities (volatile and shorter economic cycles; interconnected financial climate; underutilisation of assets);
  • structural shifts in society’s values (desire for community; generational altruism; active citizenship);
  • and demographic readjustment (increasing population; urbanization; longer life expectancy; millennials in the work force).

While these changes have been happening, the Insurance industry has seemingly preferred to operate in a closed environment, oblivious to much of the impact these changes could bring:

  • resistance to change,
  • failure to meet changing customer demands,
  • and a decrease in the importance of attritional risks

have led the Insurance industry to lose relevance.

However

  • the availability of data,
  • the introduction of new capital providers,
  • the impact of new business models emerging from the sharing economy
  • and the challenge of InsurTechs

are shaking the industry’s complacency. Collectively, these factors are creating the perfect storm for the incumbents, forcing them to re-evaluate their preference for maintaining the status quo. There is an ever-increasing expectation for the industry to be more innovative and deliver a vastly improved customer experience.

As data and emerging technology accelerate the need for change, they are also opening doors. The industry is at a crossroads where it can either choose to regain relevance by adapting to the new world order or continue to decline. Should it choose the latter, it could expose the US$ 5 trillion market to approaches from large technology firms and manufacturers who have the access to customers, transformational capabilities and more than enough capital to fill the void left by the traditional players.

Insurance industry is slow to evolve

The Insurance industry has historically lacked an appetite to evolve and has shown reluctance in adopting industry-wide changes. A number of key elements have created high barriers to entry. New entrants have found it difficult to challenge the status quo and lack the appetite to win market share from incumbents with significantly large balance sheets. Such high barriers have kept the impact of disruption to a minimum, allowing the industry to stay complacent even when most other industries have undergone significant structural shifts. In many ways ‘Darwin’ has not been at work.

  • A complex value chain

The Insurance industry started with a simple value chain involving four roles – the insured, a broker who advises the insured, an underwriter who prices the risk and an investor who provides the capital to secure the risk. Over centuries, the chain has expanded to include multiple other roles essential in helping to spread large risks across a broad investor community, as shown below.


These new parties have benefitted the chain by providing expertise, access to customers, secure handling of transactions, arbitration in case of disputes and spreading of risk coverage across multiple partners. However, this has also resulted in added complexities and inefficiencies as each risk now undergoes multiple handovers.

While a longer value chain offers new entrants opportunities to attack at multiple points, the added complexities and the importance of scale reduce the opportunities to cause real disruption.

  • Stringent regulations

Insurance is one of the most highly regulated industries in the world. And since the global financial crisis of the last decade, when governments across the globe bailed out several financial service providers including insurers, the focus on capital adequacy and customer safety has increased manifold.

While a proactive regulatory regime ensures a healthy operating standard with potential measures in place to avoid another financial meltdown, multiple surveys have highlighted the implications of increased regulatory burden, leading to increased costs and limited product innovation.

  • Scale and volatility of losses

The true value of any insurance product is realised when the customer receives payments for incurred losses. This means that insurers must maintain enough reserves at any time to meet these claims.

Over the years, volatility in high-severity losses has made it difficult for insurers to accurately predict the required capital levels.

In addition, regulators now require insurers to be adequately capitalised with enough buffer to sustain extreme losses for even the lowest probability of occurrence (for example 1-in-100 years event or 1-in-200 years event). This puts additional pressure on the insurers to maintain bulky balance sheets.

On the other hand, a large capital base gives established insurers the advantage of scale and limits growth opportunities for smaller industry players and new entrants.

  • Need for proprietary and historical data

Accurate pricing of the risk is key to survival in the industry. The insurers (specifically underwriters supported by actuaries) rely excessively on experience and statistical analysis to determine the premiums that they would be willing to take to cover the risk.

Access to correct historical data is of chief importance and has been a key differentiating factor amongst insurers. Since the dawn of the Third Industrial Revolution in the 1980s, insurers have been involved in a race to acquire, store and develop proprietary databases that allow them to price risks better than their competitors.

The collection of these extensive databases by incumbent insurers has given them immense benefits over new entrants that do not typically have similar datasets. Additionally, the incumbents have continued to add to these databases through an unchallenged continuation of underwriting, which has further widened the gap for new entrants.

Struggling to meet customer needs

Despite years of existence, the Insurance industry has failed to keep up with the demand for risk coverage. For example, the economic value of losses from all natural disasters has consistently exceeded the insured value of losses by an average multiple of 3x-4x.

The gap is not limited to natural disasters. As highlighted by Aon’s Global Risk Management Survey 2019, multiple top risks cited by customers are either uninsurable or only partially insurable, leading to a significant supply gap.


Six of the top 10 risks, including Damage to reputation/brand and Cyber, require better data and analytical insights to achieve fully effective risk transfer. However, current capabilities are primarily applied to drive better pricing and claims certainty across existing risk pools, and have not yet reached their full potential for emerging risks.

This inability to meet customer need has been driven by both an expensive model (for most risks only 60% of premiums paid are actually returned to the insured) and a lack of innovation. Historically, the need for long data trends meant insurance products always trailed emerging risks.

Status Quo is being challenged

While the industry has been losing relevance, it is now facing new challenges which are creating pressure for change. While these challenges are impacting the incumbents, they also provide the potential for insurance to regain its key role in supporting innovation, creating opportunities for lower costs and new innovations.

The insurance customer landscape has changed considerably: traditional property and casualty losses are no longer the only main risks that corporations are focused on mitigating. The importance of intellectual property and brand/reputation in value creation is leading to a realignment in the customer risk profile.

Value in the corporate world is no longer driven by physical/tangible assets. As technology has advanced, it has led to the growth of intangible assets in the form of intellectual property. The graph below shows that 84% of market capitalization in 2018 was driven by intangible assets. While the five largest corporations in 1975 were manufacturing companies (IBM; Exxon Mobil; P&G; GE; 3M), that had completely changed by 2018, when the first five positions were occupied by Tech companies (Apple; Alphabet; Microsoft; Amazon; Facebook). Yet, organizations are only able to secure coverage to insure a relatively small portion of their intangible assets (15%) compared to insurance coverage for legacy tangible assets (59%).


This shift represents both a challenge and an opportunity for the Insurance industry. The ability to provide coverage for intangible assets would enable insurance to regain relevance and support innovation and investment. Until it can, its importance is likely to remain muted.

InsurTech

The Insurance industry has traditionally relied on manual processes and has been a paper-driven industry with huge inefficiencies. While customers’ needs are evolving at an unprecedented pace, the incumbents’ large legacy systems and naturally conservative approach make them slow to reach the market with new products and an improved customer experience.

InsurTechs are companies that use technology to make the traditional insurance value chain more efficient. They are beginning to reshape the Insurance industry by targeting particular value pools or services in the sector, rather than seeking to provide end-to-end solutions.

InsurTechs have seen more than US$ 11 billion of funding since 2015, and the volume in 2018 is expected to reach US$ 3.8 billion (FT PARTNERS). While InsurTechs were originally viewed as a disruptive force competing with traditional insurers to gain market share, there is growing collaboration and partnership with the incumbent players. Most of them are launched to help solve legacy insurer problems across the organization, from general inefficiency in operations to enhancing underwriting, distribution, and claims functions, especially in consumer-facing insurance. More recently they are also moving into the commercial segment, focusing on loss prevention and efficiency (CATLIN, T. et al. 2017). Incumbent insurers have managed to leverage InsurTechs to speed up innovation (DELOITTE, 2018: 11). From a funding perspective, most of the US$ 2.6 billion that went into InsurTechs in the first nine months of 2018 came from incumbent insurers (MOODY`S, 2018: 6).

The accelerated use of technology and digital capabilities again represents both a challenge for the industry and an opportunity to innovate and develop more efficient products and services.

Data and technology with potential to transform

Traditionally, the Insurance industry has used proprietary historic data to match the demand from risk owners with the supply from capital providers, focusing on relatively simplistic regression analysis as the main approach.

While robust, this approach is reliant on a long data history and limits insurers’ ability to move into new areas. Increasingly, the transformative power of data and technology is changing this relationship, as shown in the graph below. While underwriting data used to be in the hands of the incumbents only, emerging technologies, new analytical techniques and huge increases in sensors are enabling the use of new forms of data that are much more freely accessible. In addition, these technologies are supporting instant delivery of in-depth analytics that can potentially lead to significant efficiency gains and new types of products.


  • Artificial Intelligence

Artificial Intelligence – Robotic Process Automation (RPA) and Cognitive Intelligence (CI) – is known as any system that can perceive the world around it, analyse and understand the information it receives, take actions based on that understanding and improve its own performance by learning from what happened.

Artificial Intelligence not only gives the opportunity to reduce costs (process automation; reduction of cycle times; freeing up thousands of people-hours) but also improves accuracy, which results in better data quality. For insurers this offers significant potential to enable new ways of interpreting data and understanding risks, as well as reducing the costs of many critical processes such as claims assessment.

This dual impact of better understanding and lower costs is highly valuable. Insurers’ spend on cognitive/artificial intelligence technologies is expected to rise 48% globally on an annual basis over five years, reaching US$ 1.4 billion by 2021. (DELOITTE, 2017: 15).

  • Internet of Things

The Internet of Things refers to the digitization of objects around us. It works by embedding advanced hardware (e.g. sensors, cameras and meters) into everyday objects and even people themselves, linking those objects further to online networks. (MOODY`S, 2018: 11).

For example, connected devices in the home such as water leakage detectors, smoke alarms, CO2 readers and sophisticated home security systems will support the prevention and reduction of losses from water damage, fire and burglary, respectively.

The Internet of Things has the potential to significantly change the way that risks are underwritten. The ability to access data in ‘real time’ will provide greater precision in the pricing of risk and also help insurers respond better to evolving customer needs. Consider the example of home insurance: customers will be forced to reconsider the decision to buy home insurance as currently packaged when their house is already monitored 24/7 for break-ins and sensors are constantly monitoring the appliances to prevent fires. Insurers could utilise the same data to develop customised insurance policies depending on the usage and scope of the sensors.

The Internet of Things applies equally to wearable devices with embedded sensors for tracking vital statistics to improve the health, safety and productivity of individuals at work. It is predicted that the connected health market will be worth US$ 61 billion by 2026.

The Internet of Things offers the Insurance industry an opportunity to reinvent itself and to move from simply insuring against risk to helping customers protect their property and health. This integration of insurance with products through live sensor data can revolutionise how insurance is embedded into our everyday lives.

  • Blockchain

All disruptive technologies have a “tipping point” – the exact moment when they move from early adopters to widespread acceptance. Just as it was for Google in the late 1990s and smartphones in the 2000s, could we be approaching the tipping point for the next big disruptive technology – blockchain?

Essentially, blockchain is a shared digital ledger technology that allows a continuously growing number of transactions to be recorded and verified electronically over a network of computers. It holds an immutable record of data, stored locally by each party, to remove the barrier of trust. Through smart contracts, blockchain can enable the automation of tasks for more efficient processing. It made its debut in 2009 as the system used to track dealing in the first cryptocurrency, Bitcoin, and, since then, organisations around the world have spotted blockchain’s potential to transform operations.

Most industries are currently experimenting with blockchain to identify and prove successful use cases to embrace the technology in business as usual. IDC, a leading market intelligence firm, expects the spend on blockchain to increase from US$ 1.8 billion in 2018 to US$ 11.7 billion in 2022 at a growth rate of 60%.

With all the aforementioned benefits, blockchain also has the potential to impact the Insurance industry. It can help insurers reduce operational and administrative costs through automated verification of policyholders, auditable registration of claims and data from third parties, underwriting of small contracts and automation of claims procedures. Equally, it can help reduce fraud, which would contribute to reducing total cost.

In an industry where ‘trust’ is critical, the ability to have guaranteed contracts, with claims certainty will help the take-up of insurance in new areas. BCG estimates that blockchain could drastically improve the end-to-end processing of a motor insurance policy and any claims arising thereof as shown in the graph below.


Conclusion

The relevance of insurance, which has declined over the last few decades, after peaking in the early 1980s, is set to increase again:

  • Big shifts in insurance needs, both in the commercial and consumer segments,
  • New sources of cheap capital,
  • Prevalence of cheap and accessible data and the technology to automate and analyse

will transform the Insurance industry.

Not only is this important for insurers, it is also important for all of us. Insurance is the grease behind investment and innovation. The long-term decline in the Insurance industry’s ability to reduce risk could be a significant impediment to future growth.

However, we believe the reversal of this trend will mean that insurance can once again grow in importance as the protector of our key investments and activities.

Source: Aon white paper.

Perspectives on the next wave of cyber

Financial institutions are acutely aware that cyber risk is one of the most significant perils they face and one of the most challenging to manage. The perceived intensity of the threats, and Board level concern about the effectiveness of defensive measures, ramp up continually as bad actors increase the sophistication, number, and frequency of their attacks.

Cyber risk management is high on or at the top of the agenda for financial institutions across the sector globally. Highly visible attacks of increasing insidiousness and sophistication are headline news on an almost daily basis. The line between criminal and political bad actors is increasingly blurred with each faction learning from the other. In addition, with cyberattack tools and techniques becoming more available via the dark web and other sources, the population of attackers continues to increase, with recent estimates putting the number of cyberattackers globally in the hundreds of thousands.

Cyber offenses against banks, clearers, insurers and other major financial services participants will not abate any time soon. Judged by the velocity and frequency of attacks, the motivation to attack financial services institutions can be several hundred times higher than for non-financial organizations.

Observing these developments, regulators are prescribing increasingly stringent requirements for cyber risk management. New and emerging regulation will force changes on many fronts and will compel firms to demonstrate that they are taking cyber seriously in all that they do. However, compliance with these regulations will only be one step towards assuring effective governance and control of institutions’ Cyber Risk.

We explore the underlying challenges with regard to cyber risk management and analyze the nature of increasingly stringent regulatory demands. Putting these pieces together, we frame five strategic moves which we believe will enable businesses to satisfy business needs, their fiduciary responsibilities with regard to cyber risk, and regulatory requirements:

  1. Seek to quantify cyber risk in terms of capital and earnings at risk.
  2. Anchor all cyber risk governance through risk appetite.
  3. Ensure effectiveness of independent cyber risk oversight using specialized skills.
  4. Comprehensively map and test controls, especially for third-party interactions.
  5. Develop and exercise major incident management playbooks.

These points are consistent with global trends for cyber risk management. Further, we believe that our observations on industry challenges and the steps we recommend to address them are applicable across geographies, especially when considering prioritization of cyber risk investments.

FIVE STRATEGIC MOVES

The current environment poses major challenges for Boards and management. Leadership has to fully understand the cyber risk profile the organization faces in order to protect the institution against ever-changing threats, stay on the front foot with regard to increasing regulatory pressure and prioritize the deployment of scarce resources, all at once. This is especially important given that regulation is still maturing and it is not yet clear how high the compliance bars will be set or what resources will be needed to meet them.

With this in mind, we propose five strategic moves which we believe, based on our experience, will help institutions position themselves well to address existing cyber risk management challenges.

1) Seek to quantify cyber risk in terms of capital and earnings at risk

Boards of Directors and all levels of management intuitively relate to risks that are quantified in economic terms. Explaining any type of risk, opportunity, or tradeoff relative to the bottom line brings sharper focus to the debate.

For all financial and many non-financial risks, institutions have developed methods for quantifying expected and unexpected losses in dollar terms that can readily be compared to earnings and capital. Regulators have also expected this as a component of regulatory and economic capital, CCAR (the Comprehensive Capital Analysis and Review), and/or resolution and recovery planning. Predicting losses due to cyber is particularly difficult because they combine direct, indirect and reputational elements that are not easy to quantify, and only limited historical cyber loss data is available to support robust quantification.

Nevertheless, institutions still need to develop a view of their financial exposure to cyber risk at different confidence levels and understand how it varies by business line, process or platform. In some cases these views will be more expert-based, using scenario analysis rather than raw statistical modeling outputs. The objectives are the same: to challenge perspectives as to

  • how much risk exposure exists,
  • how it could manifest within the organization,
  • and how specific response strategies are reducing the institution’s inherent cyber risk.

2) Anchor all cyber risk governance through risk appetite

Regulators are specifically insisting on the establishment of a cyber risk strategy, which is typically shaped by a cyber risk appetite. This should represent an effective governance anchor to help address the Board’s concerns about whether appropriate risks are being considered and managed effectively.

Setting a risk appetite enables the Board and senior management to more deeply understand exposure to specific cyber risks, establish clarity on the Cyber imperatives for the organization, work out tradeoffs, and determine priorities.

Considering cyber risk in this way also enables it to be brought into a common framework with all other risks and provides a starting point to discuss whether the exposure is affordable (given capital and earnings) and strategically acceptable.

Cyber risk appetite should be cascaded down through the organization and provide a coherent management and monitoring framework consisting of

  • metrics,
  • assessments,
  • and practical tests or exercises

at multiple levels of granularity. Such cascading establishes a relatable chain of information at each management level across business lines and functions. Each management layer can hold the next layer more specifically accountable. Parallel business units and operations can have common standards for comparing results and sharing best practices.

Finally, Second and Third Line can have focal points to review and assure compliance. A risk appetite chain further provides a means for the attestation of the effectiveness of controls and adherence to governance directives and standards.

Where it can be demonstrated that risk appetite is being upheld to procedural levels, management will be more confident in providing the attestations that regulators require.


3) Ensure effectiveness of independent cyber risk oversight using specialized skills

From our perspective, firms face challenges when attempting to practically fit cyber risk management into a “Three Lines of Defense” model and align cyber risk holistically within an enterprise risk management framework.

CROs and risk management functions have traditionally developed specialized skills for many risk types, but often have not evolved as much depth on IT and cyber risks. Organizations have overcome this challenge by weaving risk management into the IT organization as a First Line function.

To segregate the roles between IT, the business and Information Security (IS) more clearly, the Chief Information Security Officer (CISO) and the IS team will typically need to be positioned as a “1.5 Line of Defense”. This allows the Information Security group to provide more formal oversight and guidance on cyber requirements and to monitor day-to-day compliance across business and technology teams.

Independent risk oversight and audit are also clearly needed as part of the Third Line of Defense. Defining what oversight and audit mean becomes more traceable and tractable once specific governance mandates and metrics are established from the Board down.

Institutions will also need to deal with the practical challenge of building and maintaining Cyber talent that can understand the business imperatives, compliance requirements, and associated cyber risk exposures.

At the leadership level, some organizations have introduced the concept of a Risk Technology Officer who interfaces with the CISO and is responsible for integration of cyber risk with operational risk.

4) Comprehensively map and test controls, especially for third-party interactions

Institutions need to undertake more rigorous and more frequent assessments of cyber risks across operations, technology, and people. These assessments need to test

  • the efficacy of surveillance,
  • the effectiveness of protection and defensive controls,
  • the responsiveness of the organization,
  • and the ability to recover

in a manner consistent with expectations of the Board.

Given the new and emerging regulatory requirements, firms will need to pay closer attention to the ongoing assessment and management of third parties. Third parties should be tiered based on their access to, and interaction with, the institution’s high-value assets. Through this assessment process, institutions need to gain a more practical understanding of their ability to obtain early warning of cyber threats. In a number of cases a firm may choose to outsource more IT or data services to third-party providers (e.g., cloud) where it considers that option more attractive and acceptable than the cost or talent demands of maintaining the relevant information security capability in-house. At the same time, the risk of third-party compromise needs to be fully understood with respect to the overall risk appetite: outsourcing the service does not outsource accountability for the resulting exposure.


5) Develop and exercise incident management playbooks

A critical test of an institution’s cyber risk readiness is its ability to quickly and effectively respond when a cyberattack occurs.

As part of raising the bar on cyber resilience, institutions need to ensure that they have clearly documented and proven cyber incident response plans that include

  • a comprehensive array of attack scenarios,
  • clear identification of accountabilities across the organization,
  • response strategies,
  • and associated internal and external communication scenarios.

Institutions need to test their incident response plan thoroughly and on an ongoing basis via tabletop exercises and practical drills. In a tabletop exercise, key stakeholders walk through specific attack scenarios to test their knowledge of the response strategies. This exposes them to the more tangible aspects of cyber risk and to their respective roles in the event of a cyberattack, and it can reveal gaps in specific response processes, roles and communications that the institution will need to address.

Last but not least, incident management plans need to be reviewed and refined as the overall threat landscape and the institution’s own cyber threat profile change, yearly or more often depending on the nature and volatility of the risk for a given business line or platform.

CONCLUSION

Cyber adversaries are increasingly sophisticated, innovative, organized, and relentless in developing new and nefarious ways to attack institutions. Cyber risk represents a relatively new class of risk which brings with it the need to grasp the often complex technological aspects, social engineering factors, and changing nature of Operational Risk as a consequence of cyber.

Leadership has to understand the threat landscape and be fully prepared to address the associated challenges. It would be impractical to have zero tolerance to cyber risk, so institutions will need to determine their risk appetite with regard to cyber, and consequently, make direct governance, investment, and operational design decisions.

The new and emerging regulations are a clear directive to financial institutions to keep cyber risk at the center of their enterprise-wide business strategy, raising the overall bar for cyber resilience. The directives and requirements of the many regulatory bodies provide a sound basis for cyber management practices, but each institution will need to ensure that it is tackling cyber risk in a manner fully aligned with its own risk management strategy and principles. In this context, we believe the five moves represent strategically important advances that almost all financial services firms will need to make to meet business security, resiliency and regulatory requirements.


Source: MMC cyber handbook.

Global Governance Insights on Emerging Risks

A HEIGHTENED FOCUS ON RESPONSE AND RECOVERY

Over a third of directors of US public companies now discuss cybersecurity at every board meeting. Cyber risks are being driven onto the agenda by

  • high-profile data breaches,
  • distributed denial of services (DDoS) attacks,
  • and rising ransomware and cyber extortion attacks.

The concern about cyber risks is justified. The annual economic cost of cyber-crime is estimated at US$1.5 trillion and only about 15% of that loss is currently covered by insurance.

MMC Global Risk Center conducted research and interviews with directors from WCD to understand the scope and depth of cyber risk management discussions in the boardroom. The risk of cyberattack is a constantly evolving threat and the interviews highlighted the rising focus on resilience and recovery in boardroom cyber discussions. Approaches to cyber risks are maturing as organizations recognize them as an enterprise business risk, not just an information technology (IT) problem.

However, board focus varies significantly across industries, geographies, organization size and regulatory context. For example, business executives ranked cyberattacks among the top five risks of doing business in the Asia Pacific region but Asian organizations take 1.7 times longer than the global median to discover a breach and spend on average 47% less on information security than North American firms.

REGULATION ON THE RISE

Tightening regulatory requirements for cybersecurity and breach notification across the globe such as

  • the EU GDPR,
  • China’s new Cyber Security Law,
  • and Australia’s Privacy Amendment,

are also propelling cyber onto the board agenda. Most recently, in February 2018, the US Securities and Exchange Commission (SEC) issued interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Regulations relating to transparency and notifications around cyber breaches drive greater discussion and awareness of cyber risks. Industries such as

  • financial services,
  • telecommunications
  • and utilities,

are subject to a large number of cyberattacks on a daily basis and have stringent regulatory requirements for cybersecurity.

Kris Manos, Director, KeyCorp, Columbia Forest Products, and Dexter Apache Holdings, observed, “The manufacturing sector is less advanced in addressing cyber threats; the NotPetya and WannaCry attacks flagged that sector’s vulnerability and have led to a greater focus in the boardroom.” For example, the NotPetya malware forced a transportation company to shut down all of its communications with customers and within the company. It took several weeks before business was back to normal, and the lost business was estimated at as much as US$300 million. Overall, consumer goods manufacturers, transport and logistics companies, pharmaceutical firms and utilities are estimated to have suffered, in aggregate, over US$1 billion in economic losses from the NotPetya attacks as a result of supply chain disruptions. As Cristina Finocchi Mahne, Director, Inwit, Italiaonline, Banco Desio, Natuzzi and Trevi Group, noted, “The focus on cyber can vary across industries depending also on their perception of their own clients’ concerns regarding privacy and data breaches.”

LESSONS LEARNED: UPDATE RESPONSE PLANS AND EVALUATE THIRD-PARTY RISK

The high-profile cyberattacks in 2017, along with new and evolving ransomware onslaughts, were learning events for many organizations. Lessons included the need to establish relationships with organizations that can assist in the event of a cyberattack, such as

  • law enforcement,
  • regulatory agencies,
  • and recovery service providers, including forensic accountants and crisis management firms.

Many boards need to increase their focus on their organization’s cyber incident response plans. A recent global survey found that only 30% of companies have a cyber response plan and a survey by the National Association of Corporate Directors (NACD) suggests that only 60% of boards have reviewed their breach response plan over the past 12 months. Kris Manos noted, “[If an attack occurs,] it’s important to be able to quickly access a response plan. This also helps demonstrate that the organization was prepared to respond effectively.”

Experienced directors emphasized the need for effective response plans alongside robust cyber risk mitigation programs to ensure resilience, as well as operational and reputation recovery. As Jan Babiak, Director, Walgreens Boots Alliance, Euromoney Institutional Investor, and Bank of Montreal, stressed, “The importance of the ’respond and recover’ phase cannot be overstated, and this focus needs to rapidly improve.”

Directors need to review how the organization will communicate and report breaches. Response plans should include preliminary drafts of communications to all stakeholders, including customers, suppliers, regulators, employees, the board, shareholders and even the general public. The plan should also take account of the legal deadlines for reporting breaches so the organization is not hit with financial penalties that add to an already expensive and reputationally damaging situation. Finally, the response plan needs to allow for the normal methods of communication (websites, email, etc.) being casualties of the breach: a cyber response plan housed only on the corporate network may be of little use in a ransomware attack, so keep an offline copy and agree out-of-band contact channels in advance.

Other lessons included the need to focus on cyber risks posed by third-party suppliers, vendors and other impacts throughout the supply chain. Shirley Daniel, Director, American Savings Bank, and Pacific Asian Management Institute, noted, “Such events highlight vulnerability beyond your organization’s control and are raising the focus on IT security throughout the supply chain.” Survey data suggests that about a third of organizations do not assess the cyber risk of vendors and suppliers. This is a critical area of focus as third-party service providers (e.g., software providers, cloud services providers, etc.) are increasingly embedded in value chains.

FRUSTRATIONS WITH OVERSIGHT

Most directors expressed frustrations and challenges with cyber risk oversight even though the topic is frequently on meeting agendas. Part of the challenge is that director-level cyber experts are thin on the ground; most boards have only one individual serving as the “tech” or “cyber” person. A Spencer Stuart survey found that 41% of respondents said their board had at least one director with cyber expertise, with an additional 7% who are in the process of recruiting one. Boards would benefit from the addition of experienced individuals who can identify the connections between cybersecurity and overall company strategy.

A crucial additional challenge is obtaining clarity on the organization’s overall cyber risk management framework. (See Exhibit 1: Boards Need More Information on Cyber Investments.) Olga Botero, Director, Evertec, Inc., and Founding Partner, C&S Customers and Strategy, observed, “There are still many questions unanswered for boards, including:

  • How good is our security program?
  • How do we compare to peers?

There is a big lack of benchmarking on practices.” Anastassia Lauterbach, Director, Dun & Bradstreet, and member of Evolution Partners Advisory Board, summarized it well, “Boards need a set of KPIs for cybersecurity highlighting their company’s

  • unique business model,
  • legacy IT,
  • supplier and partner relationships,
  • and geographical scope.”

[Exhibit 1: Boards Need More Information on Cyber Investments]

Nearly a quarter of boards are dissatisfied with the quality of management-provided information related to cybersecurity because of insufficient transparency, inability to benchmark and difficulty of interpretation.

EFFECTIVE OVERSIGHT IS BUILT ON A COMPREHENSIVE CYBER RISK MANAGEMENT FRAMEWORK

Organizations are maturing from a “harden the shell” approach to a protocol based on understanding and protecting core assets and optimizing resources. This includes the application of risk disciplines to assess and manage risk, including quantification and analytics. (See Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework.) Quantification shifts the conversation from a technical discussion about threat vectors and system vulnerabilities to one focused on maximizing the return on an organization’s cyber spending and lowering its total cost of risk.

[Exhibit 2: Focus Areas of a Comprehensive Cyber Risk Management Framework]

Directors also emphasized the need to embed the process in an overall cyber risk management framework and culture. “The culture must emphasize openness and learning from mistakes. Culture and cyber risk oversight go hand in hand,” said Anastassia Lauterbach. Employees should be encouraged to flag and highlight potential cyber incidents, such as phishing attacks, as every employee plays a vital role in cyber risk management. Jan Babiak noted, “If every person in the organization doesn’t view themselves as a human firewall, you have a soft underbelly.” Mary Beth Vitale, Director, GEHA and CoBiz Financial, Inc., also noted, “Much of cyber risk mitigation is related to good housekeeping such as timely patching of servers and ongoing employee training and alertness.”

Boards also need to be alert. “Our board undertakes the same cybersecurity training as employees,” noted Wendy Webb, Director, ABM Industries. Other boards are putting cyber updates and visits to security centers on board “offsite” agendas.

THE ROLE OF CYBER INSURANCE

Although many directors perceive cyber insurance as providing only limited coverage, it is increasingly viewed as an important component of a cyber risk management framework and can support response and recovery plans. Echoing this sentiment, Geeta Mathur, Director, Motherson Sumi Ltd, IIFL Holdings Ltd, and Tata Communication Transformation Services Ltd., commented, “There is a lack of information and discussion on risk transfer options at the board level. The perception is that it doesn’t cover much particularly relating to business interruption on account of cyber threats.” Cristina Finocchi Mahne also noted, “Currently, management teams may not have a positive awareness of cyber insurance, but we expect this to rapidly evolve over the short-term.”

Insurance does not release the board or management from the development and execution of a robust risk management plan but it can provide a financial safeguard against costs associated with a cyber event. Cyber insurance coverage should be considered in the context of an overall cyber risk management process and cyber risk appetite.

With a robust analysis, the organization can

  • quantify the price of cyber risk,
  • develop effective risk mitigation, transfer and risk financing strategies,
  • and decide if, and how much, cyber insurance to purchase.

This allows the board to have a robust conversation on the relationship between risk, reward and the cost of mitigation and can also prompt an evaluation of potential consequences by using statistical modeling to assess different damage scenarios.
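The calculation behind this passage is the same one the MMC section's first strategic move calls for: a view of financial exposure at different confidence levels (expected loss as "earnings at risk", a tail loss as "capital at risk"), compared against the board's risk appetite and against what a candidate insurance structure would actually remove. The Python script below is an added example written for this page, not code from Marsh, MMC or the report; the three scenarios, their frequencies and severities, the appetite figure and the policy structure (retention and limit) are all constructed for illustration. It generalises the page's description slightly by treating each scenario as a compound Poisson process (a Poisson event count per year, each event drawing a lognormal loss), which is the standard way scenario workshops are turned into a loss distribution.

```python
"""
Scenario-based cyber loss quantification: expected annual loss, loss at a
confidence level, comparison against risk appetite, and the split between
retained and insured loss for a candidate policy structure.
Added example; scenarios and numbers are constructed, not figures from the report.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One attack scenario, parameterised the way a risk workshop would estimate it."""
    name: str
    annual_frequency: float   # expected events per year (Poisson rate)
    severity_median: float    # median loss per event, in dollars
    severity_sigma: float     # lognormal dispersion; larger means a fatter tail


# Constructed scenarios for the example (assumed values, not from the page).
SCENARIOS = [
    Scenario("ransomware outage of a core platform", 0.30, 2_000_000, 0.9),
    Scenario("customer data breach", 0.15, 5_000_000, 1.0),
    Scenario("third-party provider compromise", 0.20, 1_000_000, 0.8),
]


def poisson(rng, lam):
    """Draw an event count from Poisson(lam) (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenarios, trials=20_000, seed=7):
    """Monte Carlo: total gross loss per simulated year, summed over all scenarios."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.annual_frequency)):
                total += rng.lognormvariate(math.log(s.severity_median), s.severity_sigma)
        losses.append(total)
    return losses


def percentile(values, q):
    """Empirical q-quantile (0 < q <= 1) of a sample, e.g. q=0.99 for a 1-in-100-year loss."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def analytic_expected_loss(scenarios):
    """Closed form E[loss] = sum(frequency * mean severity); lognormal mean = median*exp(sigma^2/2)."""
    return sum(s.annual_frequency * s.severity_median * math.exp(s.severity_sigma ** 2 / 2)
               for s in scenarios)


def loss_profile(losses):
    """Expected loss ('earnings at risk') and tail losses ('capital at risk') from the sample."""
    return {"expected": mean(losses), "p95": percentile(losses, 0.95), "p99": percentile(losses, 0.99)}


def within_appetite(losses, appetite, confidence=0.99):
    """True when the loss at the chosen confidence level fits inside the board's appetite."""
    return percentile(losses, confidence) <= appetite


def apply_insurance(gross_loss, retention, limit):
    """Split one year's gross loss: the insurer pays the layer above `retention`
    up to `limit`; everything below the retention and above the limit stays with the firm."""
    transferred = min(max(gross_loss - retention, 0.0), limit)
    return gross_loss - transferred, transferred


def retained_profile(losses, retention, limit):
    """Loss profile of what the firm keeps after a policy with the given structure."""
    return loss_profile([apply_insurance(x, retention, limit)[0] for x in losses])


if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    gross = loss_profile(losses)
    print(f"analytic expected loss: {analytic_expected_loss(SCENARIOS):,.0f}")
    print(f"gross  expected {gross['expected']:,.0f}  p95 {gross['p95']:,.0f}  p99 {gross['p99']:,.0f}")
    appetite = 15_000_000  # assumed board appetite for a 1-in-100-year loss
    print(f"within appetite at 99%: {within_appetite(losses, appetite)}")
    net = retained_profile(losses, retention=1_000_000, limit=10_000_000)
    print(f"net    expected {net['expected']:,.0f}  p95 {net['p95']:,.0f}  p99 {net['p99']:,.0f}")
```

The gross p99 is the number to hold against the board's appetite; the difference between the gross and retained profiles is what a given retention and limit actually buy, which is the conversation about "if, and how much" insurance to purchase. Because historical cyber loss data is scarce, the frequency and severity inputs are expert estimates, so in practice the model should be re-run across a range of parameter values to show how sensitive the tail is to them.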

CYBER INSURANCE ADOPTION IS INCREASING

The role of insurance in enhancing cyber resilience is increasingly recognized by policymakers around the world, and the Organisation for Economic Co-operation and Development (OECD) is recommending actions to stimulate cyber insurance adoption.

Globally, future demand for cyber insurance is expected to depend on the frequency of high-profile cyber incidents as well as the evolving legislative and regulatory environment for privacy protection in many countries. In India, for example, there was a 50% increase in companies buying cybersecurity coverage from 2016 to 2017. Research suggests that only 40% of US boards have reviewed their organization’s cyber insurance coverage in the past 12 months.

LIMITING FINANCIAL LOSSES

In the event of a debilitating attack, cyber insurance and associated services can limit an organization’s financial damage from direct and indirect costs and help accelerate its recovery. (See Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack.) For example, as a result of the NotPetya attack, one global company reported a decline in operating margins and income, with losses in excess of US$500 million in the last fiscal year. The company noted the costs were driven by

  • investments in enhanced systems in order to prevent future attacks;
  • cost of incentives offered to customers to restore confidence and maintain business relationships;
  • additional costs due to claims for service failures;
  • costs associated with data breach or data loss due to third parties;
  • and “other consequences of which we are not currently aware but may subsequently discover.”

Indeed, the very process of assessing and purchasing cyber insurance can bolster cyber resilience by creating important incentives that drive behavioral change, including:

  • Raising awareness inside the organization on the importance of information security.
  • Fostering a broader dialogue among the cyber risk stakeholders within an organization.
  • Generating an organization-wide approach to ongoing cyber risk management by all aspects of the organization.
  • Assessing the strength of cyber defenses, particularly amid a rapidly changing cyber environment.

[Exhibit 3: Direct and Indirect Costs Associated with a Cyber Attack]

Source: Marsh and WCD detailed report.