“Organisations often believe they are using cyber security solutions to keep everything safe, including their data,” said Brian Grant (pictured above), ANZ Director for Thales Cloud Security. “In reality, what they are protecting is the digital environment the data lives in or is transiting through – so the data itself isn’t being proactively protected because data security is a specific security function.”
In answer to questions from Insurance Business, the Melbourne-based digital and data systems security expert pointed to the “critical” distinctions insurance brokers need to understand. Broker knowledge of cyber and data security is more important than ever, Grant suggested, given the new regulations coming into play.
He also said insurance companies can play an important part in educating other companies about data security. “I believe the insurance industry can play an intrinsic role in changing attitudes and behaviours towards data security, which would benefit our entire digital economy and help organisations become better social citizens,” said Grant.
Grant started by defining, in layman’s terms, the key differences between cyber security and data security.
“Cyber security is used as an all-encompassing term covering the security of anything in a computing environment,” he said. “It is the term most business and IT leaders use when referring to the digital security of their organisation.”
However, data security, he said, focuses solely on securing the data itself “and requires a very specific approach.” Grant said that “too often” organisations have everything around the data secure but the data itself is left unprotected.
“Any company that is using or collecting data, or sharing it with third parties must ask, ‘What are we doing to secure our data?’” he said. “Many data breaches happen even with cyber security protections in place - and they are successful because the data itself hasn’t been secured.”
Grant said these failings are what is driving the new regulations, which require organisations, including insurance companies, to prioritise data security throughout the entire data journey.
The digital and data systems security expert has advice for insurers and insurance brokers who assess risk and sell coverage in the cyber space.
“When discussing cyber insurance policy options with their clients, insurers need to dig deeper to uncover the value of their data,” he said. “So what is sensitive data, what is operational data and what data impacts compliance obligations?”
Grant said the next question must be: What are you doing to secure this data?
“If the answer doesn’t directly relate to the data itself, it’s likely the organisation doesn’t have specific capabilities in place,” he said. “Insurers need to understand that having a strong cyber security posture and comprehensive cyber security toolset doesn’t automatically equate to data security.”
Grant said that if insurers and brokers can establish how secure a firm’s data actually is, they can drive two significant changes.
“When a data-dependent organisation is breached it can result in a substantial pay-out by the insurer,” he said. “By asking the right questions about an organisation’s security at the start, insurers can avoid this scenario by either increasing premiums in line with the increased risk or mandating the roll-out of adequate data security before continuing with the policy.”
Grant said this will lower the risk of data breach and, as insurers would know, contribute to reducing premiums for the company. He said more education is needed around what is meant by data security and much of it needs to be driven by data-dependent organisations themselves.
One regulatory change that will affect how insurance companies deal with their cyber and data protection challenges, said Grant, is CPS 230, APRA’s prudential standard on operational risk management. The standard is designed to strengthen the management of operational risk. Last week, APRA announced that it plans to release a final version of CPS 230 with draft supporting guidance in mid-2023.
In September, one month before the cyberattack on Medibank Private, Ismael Valenzuela, vice president of Threat Research and Intelligence at BlackBerry, strongly criticised the level of cyber security knowledge across the business world.
“There’s immaturity both from the side of the organisations demanding these policies for protection and also immaturity from the insurance industry in terms of their knowledge about what is happening in the industry,” said Valenzuela to IB.