Increasing cyber regulation, both at home and abroad, could make clients become more focused on ticking boxes than on the actual risk, an expert has said.
Sarah Stephens, head of cyber, content and new technology risks at JLT, said that the introduction of mandatory breach notification, alongside changing laws in Europe, is making the risk more difficult to manage.
“We now have mandatory data breach notification here in Australia, we have the General Data Breach Regulation coming into force on May 25 of this year and that applies worldwide to any entity that deals with EU citizens’ information,” Stephens told Insurance Business.
“It is becoming more and more difficult and the danger there for companies is that they become compliance focused, and tick-box focused, versus really thinking about what is going to protect their company, and taking their eye off the ball of a risk-focused approach.”
Stephens highlighted that as the regulatory landscape evolves, so do attitudes towards security. She noted that the cyber security industry is beginning to recognise that there is “no longer a perimeter around systems and networks” as firms focus more on their response to an attack so they can limit their damage.
Stephens also said there is a mindset shift when it comes to insurability, as chief information security officers are beginning to recognise that utilising cyber insurance does not mean they have admitted defeat from a security perspective.
“I think the old thinking in the cyber security industry was you can prevent most attacks, and therefore if you seek to purchase insurance for some attacks, you are admitting failure right away,” Stephens said.
“We are seeing a big shift in that attitude in that many chief information security officers that we speak to now recognise that insurance is a critical part of the overall resilience of an organisation, and security and insurance work hand-in-hand to reduce the overall impact of cyber risk to an organisation.”