The rapid evolution of cybercrime, due to widespread adoption of digital technology, has exposed virtually all sectors of society to cyber risk. Nowadays, it isn’t only businesses that are targeted by cybercriminals – even high net worth (HNW) individuals and their families are considered potential targets.
This was reflected in a report by the non-profit Private Risk Management Association (PRMA), which suggested that the consequences go far beyond stolen identity. A cybercriminal could sell a wealthy individual’s important information on the black market, posing a huge security risk.
Corporate Risk and Insurance spoke with several Advanced Chartered Private Risk and Insurance Advisor (ACPRIA) candidates from PRMA on how private risk managers can protect their HNW clients.
According to Brenda Weaver of Aon Private Risk Management, family offices that manage and help protect the lifestyle and assets of HNW family members should adopt the same cyber mindset as businesses, thereby reducing the cyber threats to HNW families. This includes investing in all three areas of cybersecurity: prevention, detection, and recovery.
“While the best cyber defenses depend on protocols and governance that address each area, it’s clear that the best-protected businesses focus first on creating a cyber-aware culture,” she said. “This will require visible support and endorsement from the highest levels of the company that cyber protection is to be a core competency.”
However, many organizations hold a major misconception about cyber risk.
“The biggest misconception is that it’s a technology issue when it is actually a behavioral issue,” said Erika Close of PayneWest Insurance. “Sharing company-wide awareness, standardized processes, training, and transparency of results are more important than the management of the technological ingredients. Relatedly, it can be wrongly assumed that having a cybersecurity plan will be universally understood and equally adopted. Most all cyberattacks involve some mistaken human behavior, so diligence and consistency with awareness and training is vital. ‘One-and-done’ when launching a cyber security plan will not be sufficient. Everyone must be diligent even when off the clock.”
How can HNW families protect themselves?
“Learn and understand the principle of building a layered defense as the strategic framework for the firm’s cybersecurity,” said Darren McGraw of Mechelsen Private Client. “The layered defense principle has been studied and shown to be a highly effective way of creating and strengthening a firm’s cybersecurity culture and effectiveness. At its core, the premise is to build various rings of security where a malicious actor must get through each successive ring of defense before capturing the most prized cyber possessions.
“Each building block of defense has an opportunity to stop an attack, and if one defensive layer is defeated by the criminal, there are other blocks behind it to help. There are many different strategies and options, but the major layers are usually broken down into three categories: prevention, detection, and recovery.”
Meanwhile, Weaver said that the insurance industry is now at the forefront of cyber defense, developing coverages that can help finance some of the costs associated with cybercrime losses. These insurance solutions developed over recent years ensure that businesses, family offices, and families alike are not limited to a one-size-fits-all cybercrime policy.
“This means that policyholders should devote attention to seeking assistance from an experienced and qualified insurance and risk management expert for the benefit of securing the right coverage for them,” she said.
In order to help their clients shore up their cyber defenses, private risk managers, insurance agents, and brokers must be knowledgeable in these matters. The stated goal of the PRMA is to educate its members about developments in the insurance industry so they can better serve their high-net-worth clients. According to Close, insurance agents and brokers now have access to various resources, and can gain experience to help identify, control and finance cybercrime exposures like never before.
What to do in case a cybercrime does happen?
“One aspect of the layered defense principle is to have plans and protocols in place in the event of an attack,” said McGraw. “If a firm has invested ahead of time in developing a layered defense strategy, then they can turn to the recovery section of the plan and execute as predetermined.”
Weaver, meanwhile, highlighted the importance of communication in the event of a cybercrime.
“Most recovery plans have some element of addressing the immunization of infected devices and software and the restoration of any corrupted data,” she said. “But plans also need to include communication strategies with employees, owners, customers, suppliers, and potentially the media.”
Finally, Close stressed the importance of insurance in being able to deal with the aftermath of a cybercrime.
“Some firms will have a first-response team pre-established that can cross all functions of the organizational structures with the aim of stopping the acute phase of the attack, and then moving toward a resumption of normal operations,” she said. “All of the planning also helps to identify and bracket an insurance need as firms, in the course of designing their recovery plan, can reverse-engineer the costs associated with recovery and look to insurance as a possible funding mechanism.”