In the survey, almost half of UK business leaders predict cyber will be their top concern by spring 2018: 48% of respondents named cyber risk, expecting the threat of malware, viruses, hacks or data theft to increase.
Another 39% identified technology risk, such as failure of systems and processes to keep them competitive, as their top concern by spring next year.
But participants in the roundtable agreed that cyber risk does not have a one-size-fits-all definition and as a result, it is “incredibly difficult to get your arms around it”, said one risk manager, and “incredibly hard to buy the right protection”.
“One of the challenges with cyber is we always look to the past,” said Dave Brosnan, chief executive officer of CNA Hardy. “This is what happened in the past, so how will it impact me again if it happens. But we don’t know where cyber will take us. It’s a new and evolving risk. So, a year from now we may be talking about something completely different,” he added.
One of the risk managers at the table said: “And I think that as risk professionals, this is the situation we’re currently in. We’ve got Brexit, and nobody knows what’s going on with that. We’ve got cyber, and nobody really knows what’s going on with that either. So, it’s taking a lot of air time at board level as we try to discuss and predict and try to get common sense scenarios. But what is common sense, because a few years ago none of us would have predicted we would be in this place.”
While discussing some hacking scenarios, including scenarios faced by our risk managers at the table, it became clear there is a real issue around the ability to collate information to better inform the risk manager of the risks surrounding cyber. This is in part down to companies insisting on tighter controls on information sharing from country to country, said one risk manager, and the other issue is around accountability – who looks after cyber in a business?
“When this question of cyber came up a couple of years ago, we went to IT and said, ‘Are you responsible?’ And they said no,” explained one risk manager at the table. “We went to a number of departments, and we couldn’t find who was responsible. So, from the insurance side, the cover is packaged as cyber, but I’m looking for the head of cyber and it doesn’t exist. The risk resides in about 20 different departments. So, as a risk manager, we look for risk, and for many of these things, we can’t find it. There’s no point in buying insurance if you don’t understand what risk you have in the first place.”
Education will play a really important role when it comes to better understanding the possible exposures linked to cyber, which in turn will improve the products related to the risk and additional aggregation, the participants agreed.
“I’m perceiving a change in how people look at cyber,” said Marsh’s King. “A few years ago, there was a huge desire to buy cyber protection, but I think that’s changing as companies are more focused on finding out more about how to manage this risk internally, which means as an industry, we need to do more to help with the scenario planning, the testing, and the analysis.”
King added: “I think now the requirement is for a risk-first bespoke solution, and then, if possible, look to mitigate. But as we’ve identified, it’s not that simple, because as we’ve already explored, there’s different types of cyber coverage. We need to be able to answer whether we are protecting our consumer, or is it interruption to the business, or the complexity of the supply chain.”
CNA Hardy’s Gage continued: “It’s a great topic as it really does show how insurance and risk sit hand-in-hand. My view of the insurance market is we’re great at building products we’re comfortable with but not so great at anticipating products our customers need. The technology is very different now.
“What the insurance industry does is bolt on different bits of coverage and you end up with everybody feeling dissatisfied. The client doesn’t get the coverage they needed or thought they had, the insurer pays a claim they didn’t think they would have to pay, and everyone falls out. So, when it comes to building product and service, we need to understand much better about what we need to deliver. It’s about the consultancy function, working with our brokers and understanding best practice based on our industry knowledge,” said Gage.
What this part of the discussion demonstrated, above all else, is that there is no organisation or industry immune to this type of risk – whether it is a third- or first-party risk, or indeed, and more likely, both.
“It’s on your horizon,” said Lockton’s Jack. “The scale of potential scenarios is endless and as an industry, we need to get much better at having open discussions around this and sharing the knowledge required to build better and more relevant products.”