Intangible risk is a difficult concept to grasp. How can something be risky if you can’t see it? How can you lose money on something that has no palpable value? This is the backdrop that cyber insurers, brokers and risk managers are constantly battling against. And they’ve done a great job so far. Cyber is one of the hottest topics in the insurance industry and one of the fastest-growing markets around the world. Cyber insurance is now a common purchase among large commercial organisations and is slowly gaining the interest of small and medium-sized enterprises (SMEs).
Insurance is just one of the elements organisations need to tackle intangible cyber risk and create strong information security. According to Dan Trueman, global head of cyber at AXIS Insurance, there are three other elements that businesses need to consider in addition to risk transfer: education, standards and testing.
“At AXIS, we believe everything starts with education. Unless we can do our bit to improve education [around cyber security] and create better baselines for people [so they can interpret the intangible risk], we’re going to struggle and suffer,” he said at the AXIS Cyber Incyte in London, UK. “A second element we really believe in is endorsing, creating and supporting core standards for sensible business behaviours, whether that’s classic cyber hygiene [things like having strong passwords and avoiding dodgy email links] or more complex matters. There are some great standards out there in the world and we really believe they should be looked at.
“A third lens we like to look at is testing. You can have all the standards in the world, but is there a way of testing those standards? That auditing happens in multiple contexts. Obviously, it happens in the cybersecurity sense with red teaming, blue teaming and purple teaming, but it’s also important in terms of governance and working out a definition of good governance. The aim is to create a world where people understand the value of [cyber] hygiene factors and what can be supported there.”
Only once an organisation has attempted to tackle those three elements should it purchase a cyber insurance policy to capture the residual risk that’s inevitable, according to Trueman. Even companies with the very best cyber hygiene standards are vulnerable in the dynamic and ever-changing cyber risk landscape. Bad actors are constantly pushing the boundaries and finding new ways to exploit cyber security weaknesses. The challenge for the insurance industry is to find a way to use the data already gained in this relatively immature market to harden that sense when the threat environment changes.
“One of the challenges we’ve always had is trying to get people to look at and understand an intangible risk,” Trueman commented. “It’s really difficult to sell an insurance policy full stop. I’m going to ask you for a lot of money and then depending on the clauses contained in this document, I may or may not pay you back. It’s a tough sell, and it’s even harder when you’re talking about an intangible risk like cyber. As an industry, we need to frame [the risk] better and offer tangibility. When we look at the first three elements of education, standards and testing – can we make them tangible? Can we make the threat dynamic tangible?”
Data enhances and supports tangibility. Insurance is a data-driven business, but there are still those who question whether the industry has enough data to quantify cyber risk. Trueman dismissed those concerns, stating that there’s “plenty of data” when you compare a single large organisation facing millions of cyberattacks a day versus the rate of natural catastrophe occurrence, which is much lower. He said: “We’ve got the data points. What we have to do now is invest in unpacking and understanding [that data].”
A final point Trueman left with the audience at AXIS Cyber Incyte was around the idea and value of response preparedness – something also supported by tangibility. He said: “Failing to prepare in this environment is preparing to fail. It’s more than that. It’s the surest route to mediocrity and organisational failure.”