Reducing Cyber Underwriting Risk Starts with the 3 “Bs”

Beyond holding second place in the alphabet, the letter “B” touches many things. In classical terms, the three Bs have delighted listeners for centuries: Bach, Beethoven, and Brahms. As for the bees we all know and love, researchers have found that they buzz in the key of A. Today, I would like to add a trio of “Bs” to mark what I believe is a pivotal moment for cybersecurity, one with its own original score unfolding as we speak.

One very good example of social cyber education is the National Cyber Security Centre (NCSC). Backed by the United Kingdom Government, the NCSC is based in London and provides support to keep UK citizens, organizations and businesses of all sizes safe online. NCSC's Cyber Essentials complements the insurance industry's measures for improved cyber resilience, which are nicely outlined in the Swiss Re paper.

Cybersecurity is a moving target. We all use devices to manage our day-to-day living and working. With that, there are constantly new attacks and threats in play. Cybersecurity insurance, it turns out, can help protect us and fend off those risks. 

This is where imagination meets originality. We are witness to an evolution in the insurance industry I’ve never seen before: education as an accompaniment to an actual insurance policy. In virtuoso speak, this is the first duet of its kind for insurers and policyholders. 

The NCSC has launched what they call Cyber Essentials whereby employees get certified on basic cyber knowledge. While Cyber Essentials is not a requirement to purchase a cyber insurance policy, the NCSC encourages education as a recommended companion to investing in cyber insurance.

Imagine if we could detect risk before we click a link in a phishing email. This is power to the user. Certifying users increases defensive strength against cyberattacks across an entire organization. 


Making Cyber Insurance More Meaningful

One innovator in the reinsurance space is Swiss Re. It advocates leveraging education to mitigate risk, making cyber insurance meaningful and valuable as an added service. Basing an insurance premium on risk factors while educating companies on cyber know-how is a win-win, and Swiss Re is taking measures to combine both by arming companies with ideas and research for greater cyber resiliency.

According to Swiss Re, reported cyberattack incidents have grown five-fold since 2016, with monetary estimates of global losses around USD 945 billion. This is a growing organizational threat. Requiring that people become educated on cybersecurity makes sense, and it is something Swiss Re is bringing to the table as a global reinsurance company. The company emphasizes education and calls for greater transparency in cyber insurance policies.

Bracing for cybersecurity, but not sure where to start? Enter the 3 “Bs” of reducing cybersecurity risk: 

1. Be aware of where you are at. Use an assessment to benchmark your cybersecurity situation and, thereby, see your cybersecurity gaps. This includes identifying vulnerabilities, exposing weaknesses under a simulated cyberattack, testing your website security, and challenging your team’s email behavior and knowledge of phishing emails. For some organizations, making the leap to an assessment is a big one, but here are a few starter questions to see your cybersecurity gap. 

  • What key assets do you need to protect? What are the threats associated with these assets?
  • How many suppliers do you have and how are they protected?
  • How is sensitive information shared and protected?
  • What investments can you make to safeguard your assets?
  • What company-wide training do you currently do around cybersecurity so that employees won’t compromise security?
  • How can you know when unauthorized activities have occurred?
  • What step-by-step procedures do you have in place to handle a cybersecurity event?
  • How do you resolve the disruptions caused by a cybersecurity event and continue doing business as usual?

Cybersecurity gaps often live in established processes. Being aware of your threat landscape gives you visibility into those processes. Imagine an insurance company providing a pre-qualification checklist, and then having someone on your team oversee cyber-related activities. The key is clearly defining their role and responsibilities as well as the reporting protocol.

2. Be prepared to invest and commit. It’s generally accepted that Fortune 500 companies invest in cybersecurity. Small companies oftentimes can’t afford cyber insurance on a larger scale. Case in point: during the recession of 2008, one of my insurance technology clients was forced to make cuts. As a result, the company fired the entire cyber team. Pulling back on its defences left it in a more vulnerable position.

Companies that invest in cyber insurance then have a cyber hygiene checklist – a playbook of sorts, provided based on security posture, that covers security awareness, cloud security, patch management, application security, vulnerability management, identity and access management (IAM), and privileged access management (PAM).

3. Be proactive to take action. I believe cybersecurity is everyone’s greatest challenge and opportunity. It starts with leadership and includes the board having cybersecurity on the agenda at every meeting. Cyber resiliency is no longer an “IT problem.”

This third “B” might be the most challenging of the trio. Let’s turn to manufacturing as an example. According to SCORE, the nation’s largest volunteer base of business experts, 98.6% of manufacturing companies are small businesses and 75.3% have fewer than 20 employees. CEOs of manufacturing companies are busy in the weeds – attracting and managing talent, keeping operations running, handling supply chain issues, and watching quality. The challenge for them, and for many leaders of private companies, is finding the luxury of time to think things through.

When it comes to cyber resilience, this could change if they had access to an affordable policy that required individual certification. Data transparency is the key. How do we balance the need?

Cyber insurance agreements need to provide more clarity around what is and what is not covered. Many cyber insurance policies exclude ransomware coverage nowadays. That could become an opportunity if done right.

 

A New Song for a New Era

On a macro level, having an industry standard for cyber metrics and risk measurements will increase maturity and reduce overall risk as well.

You would never hand the keys over to your kids and tell them to drive. You educate them first. The same goes for cybersecurity. When it comes to cybersecurity reinsurance, we’re at a pivotal moment to set down a new score by including education as part of a policy standard.

Absolutely fascinating insight on merging education with cyber insurance! 🌟 As Benjamin Franklin once said - An investment in knowledge pays the best interest. Swiss Re's initiative truly embodies this philosophy, transforming the landscape of cybersecurity resilience.🔐💡 Keep inspiring with such groundbreaking approaches! #CybersecurityEvolution #KnowledgeIsPower

Tyler Heathman

Dealer Marketing Consultant at Epsilon | Creative Marketing Mastermind 🧠

2y

 $265 billion... 👀

Sabine VanderLinden

Activate Innovation Ecosystems | Tech Ambassador | Founder of Alchemy Crew Ventures + Scouting for Growth Podcast | Chair, Board Member, Advisor | Honorary Senior Visiting Fellow-Bayes Business School (formerly CASS)

2y

Helen Yu big numbers are thrown around with regards to the size of the #cybersecurity market. I am not sure it can be determined right now accurately how big cyber is because the size of the “true” pie is still hard to define and potential sources of risk are being identified every day. Still some predictions share that it will grow between 12% and 15% CAGR between now and 2030 reaching USD $430 billion to USD $500 billion. Education is today a key awareness enabler to reduce the risk of cyber crime and cyber attacks not only for internal corporate employees (often the first ones to click on phishing emails and allow malware to ensure an organisation) but also everyday individuals. One of the best risk prevention approaches today is good 15 character passwords. Technology is a crucial element of the equation to evaluate and monitor risk, often part of the cyber security insurance proposition today. Still, every risk is not the same and requires the development of highly effective and simple to understand frameworks to size but also get to the root of the problem. This means a certainly great market for prevention and protection. The best cyber security mitigation solutions are still emerging.

Tony Richardson CISSP Pg.Dip

Helping SMEs in Financial Services navigate the Cyber Security minefield with straight talking advice and guidance.

2y

Interesting read. I couldn’t agree more that positively affecting cyber security culture through education is critical to any business entity. Relying on exponentially cost increasing cyber insurance to mitigate risk is questionable at best. As of March 2023 cover for nation state sponsored attacks will not be available and the attribution line is so blurred it will be a tough claim to make. Be mindful that prevention is always better, and cheaper, than cure. Chris Windley
