EXCLUSIVE: “Facing into the ‘storm'” – Rehan Hussain, Tom Egglestone and Simon West, Resilience Cyber in ‘The Insurtech Magazine’

How can business, governments and insurers prepare for what some at this year’s Davos summit warned is a ‘gathering cyber storm’? We asked Resilience Cyber, which helped lead the debate among global leaders, to share its views

According to the World Economic Forum’s annual Global Cybersecurity Outlook 2023, 93 per cent of cyber leaders and 86 per cent of business leaders now believe a catastrophic cyber event is on the horizon, which will likely impact them within the next two years.

The Forum put cybercrime/cyberinsecurity on its Top 10 global risks for the first time in 2023, as political instability, maturing technologies and a shortage of cyber talent among the ‘good guys’ ramped up the threat – which was described by some at the Forum’s annual gathering in Davos in January as a ‘gathering cyber storm’.

Experts who presented their concerns to world leaders made clear there is not a minute to lose in addressing the risk as digital transformation across industries exposes the world to more vulnerabilities. Just this month (February), the UK government called for organisations ‘with an interest in software security and digital supply chains’ – aka anyone with a stake in the modern economy – to contribute their views on how best to address software risks to improve resilience to cyberattack.

The consultation, which is open until May 1, came as work began in the EU on a proposed Cyber Resilience Act, which seeks to tighten up potential weaknesses in the connected hardware and software ecosystem. The Act, which will likely take several years to implement, will affect manufacturers, importers and distributors within the single market.

Among those steering discussions around these issues in Davos were representatives from Resilience Cyber, an American cyber risk management and insurance provider, which recently entered the UK. With the cost of global cybercrime set, by some estimates, to rise from £7trillion in 2022 to £20trillion by 2027, we asked Resilience Cyber’s Rehan Hussain, head of underwriting UK, Europe and Lloyd’s of London, Simon West, cyber advisory lead, and Tom Egglestone, international claims leader, UK and Europe, how insurers, businesses and governments can work together to ward off disaster.

THE INSURTECH MAGAZINE: Premiums for cyber insurance have soared in recent years as insurers (and reinsurers) became concerned about their exposure in the face of exponential increases in attacks. Insurers have also been more selective in the type of cover they take on, or they’ve weighed policies down with exclusions – so much so that some companies are saying the policies aren’t worth having and it’s better to invest the money in security. What more could insurers be doing to reduce the risks, and therefore reduce the premiums, by, for example, leveraging technology, information and data collection?

REHAN HUSSAIN: The cyber insurance market is still reaching a level of maturity and continues to evolve as market dynamics change. As a product matures, changes in coverage are not uncommon as they are generally in response to new evolving threat vectors and could be viewed as the “growing pains” of a maturing product line.We believe that rather than thinking about insurance in a silo, companies need to connect their risk transfer strategy to their technical visibility and cyber hygiene efforts to build a holistic strategy.

We have already begun to see shifts in how regulators are approaching cyber risk in response to the constantly evolving landscape. This is perhaps most notable in the UK

This allows them to incorporate their insurance coverage into their overall cyber resilience efforts.Carriers should support building cyber resilience by offering services such as enhanced cybersecurity visibility with actionable cyber hygiene recommendations, and continuous engagement throughout the policy. We’ve seen success with building more cyber resilient clients, leading to fewer losses, and a more sustainable insurance market from a price and coverage perspective.

TIM: In November 2022, a Delinea study found that just 30 per cent of cyber insurance holders are covered for critical risks, including ransomware, ransom negotiations and payments. Despite this, Lloyd’s says the global cyber insurance market is likely to grow from $12billion worth of annual premiums today to $60billion over the next five to 10 years as threats increase. How are cyber policies then likely to evolve?

REHAN HUSSAIN: Due to the spike in ransomware activity over the past several years, extortion coverage can be difficult to obtain for companies who have not had proper investment in security controls or have a history of significant losses. Underwriters need to take a different approach to this risk in order to provide more flexibility for clients. Looking at a company’s paper application is a snapshot in time and doesn’t present a full picture of its risk.

Rather, insurance providers should work to build a partnership with their insureds that can establish a continuous engagement. This allows for greater visibility for the provider to see the valuable work clients are doing in strengthening their security throughout the year and can lead to more flexibility in underwriting. It also allows the insurer to provide intelligence and recommendations for addressing new threats that arise during the course of the policy.TIM: How will the evolution of cyber regulation in various jurisdictions impact risk and cover?

TOM EGGLESTONE: We have already begun to see shifts in how regulators are approaching cyber risk in response to the constantly-evolving landscape. This is perhaps most notable in the UK, where the Information Commissioner’s Office (ICO) have introduced changes which they advise is in line with a renewed focus on openness and transparency in dealing with regulated companies suffering data breaches.

UK Information Commissioner, John Edwards, has made clear he wants to move away from what he called the ‘money go round’ of paying fines as the sole regulatory action, while implementing new measures to drive accountability and transparency. One such new measure is the publication of all companies receiving reprimands from the Information Commissioner’s Office (ICO) following a data breach on the ICO website.

It remains to be seen whether this revised approach will yield the results the ICO is seeking: better cybersecurity practices and improved behaviours around data privacy. However, what it does have the potential to do is to increase the risk of litigation and reputation harm for companies affected by privacy breaches.

Claimant firms will likely monitor the ICO website as a source for building potential group actions. For affected companies, it increases the importance of robust pre-incident planning and the value of an effective incident response, ensuring that future litigation risk is taken into account early on alongside other pertinent financial and commercial factors.

Companies need to connect their risk transfer strategy to their technical visibility and cyber hygiene efforts to build a holistic strategy

Taking a global view, more and more countries are introducing new privacy laws or improving their existing laws. As time passes, a greater and greater proportion of the world’s population will become subject to such laws. Firms should ensure that they stay ahead of the game and are informed of the applicable laws affecting their business operations to ensure they remain compliant with those laws and regulations to mitigate the chances of regulatory action or third-party litigation, with the resultant potential reputation harm.

TIM: We’re beginning to see closer cooperation between banks and regional and cross-border law enforcement, trying to steer a path between privacy laws and security in order to not just limit but prosecute fraud. Would you like to see a similar focus on enforcement?

SIMON WEST: Better collaboration between industry and law enforcement/ government agencies should absolutely be on the agenda, particularly when you look at the success of measures such as the FBI Financial Fraud Kill Chain in the USA. However, the way in which that relationship works is a work in progress, particularly given sensitivities around the privacy of affected victims. To that end, in the UK we are working with market peers and the National Cyber Security Centre (NCSC) to foster an environment where victims of cyberattacks feel willing and able to engage with law enforcement and government agencies during incidents to deliver better outcomes and improve broader societal cyber resilience.

We are also heavily engaged with the Ransomware Task Force, which called for the cybersecurity community to ‘develop a clear, actionable framework for ransomware mitigation, response, and recovery’ in its initial 2021 report. The basis for this framework is the Blueprint for Ransomware Defense built by Resilience, the Center for Internet Security, and a number of Task Force partners. It includes a subset of these best practices, or safeguards that are most relevant to combating ransomware.

In April 2021, the Ransomware Task Force launched its seminal report, Combating Ransomware: A Comprehensive Framework For Action. The product was developed with more than 60 experts from industry, government, law enforcement, civil society and international organisations. After several months of work, the report provided 47 specific recommendations and advocated for a unified, aggressive, comprehensive, public-private anti-ransomware campaign.

The report’s impact was immediately felt, as governments moved to adopt new policies to empower their agencies to counter the threat, and as organisations found and implemented new tools to keep them and their customers more secure.

This article was published in The Insurtech Magazine Issue 09, Page 30-31