We use cookies to improve this site and enable full functionality. You can change your cookie settings at any time using your browser. Our cookie policy.

Lockton's cyber guru

Lockton's cyber guru | Insurance Business UK

In 2013, Ben Beeson was relaxing on holiday in France when he received a phone call from Lockton Companies’ head office in Kansas City.

“They wanted me to go to Washington DC for a meeting at the White House within two days,” Beeson recalls. “And I thought, ‘This doesn’t sound right. It must be a joke!’ “Within 48 hours, I was sitting with other industry leaders in front of one of the president’s lead advisers on cyber security and a number of lead agencies, representing the insurance industry. The federal government had basically wanted to engage us in helping to roll out the NIST [National Institute of Standards and Technology] Cyber Security Framework, which they had devised to help US businesses understand
the risk and how to deal with it.”

Beeson is Lockton’s US cyber risk practice leader, a role he took on in January. But his involvement in the cyber risk space dates right back to 1999, before which time he was following a career in London’s reinsurance market. Joining Lockton in 2007, just after the company had made a decision to become a global broker, Beeson and his colleague, Emily Freeman, founded Lockton’s cyber risk practice in London.

Working with leading underwriters in Lloyd’s we built a platform that provided both client advisory and placement services to our global clients and became the leading team in the London market.
Beeson’s extensive experience in cyber has even encompassed him having had the opportunity to testify before the US Congress, in March 2015, about the evolution of the cyber insurance market. He says that chance represents one of his proudest achievements in the cyber space to date.

“That was a great moment, having made the decision to relocate to our Washington, DC office in 2014 and only been in the US a year, to be asked to do that,” he says. “And what resonated with me at that point was what a great opportunity we have, as an industry, on this risk issue. We mustn’t lose that and have to capitalise on that if lawmakers are giving us that type of attention.”

So, how well does the business world appreciate the cyber threat in 2016? 

“The good news is [that] the awareness is much better than it was, say, two years ago, particularly at the board and executive level,” Beeson says. “I think that, generally speaking, businesses understand there is a risk.”

However, he says there remains a lack of understanding as to how to deal with the threat. “That is because the issue has traditionally been owned by the IT department, the technical people who are invested in the box of tools – the firewalls [and] the anti-virus software – to keep the problem at bay,” Beeson explains. “That approach no longer works because prevention is very difficult, and so you have to build resilience across the organisation because you should expect you are going to get hit, no matter how much you try to mitigate.”

He says building resilience requires ensuring that effort extends right across the organisation. “It includes the people you hire, what access you give them to what information, and how you engage with third-party vendors who deal with your organisation. And that all requires a strategy that comes from the top of the firm, starting in the boardroom.”

Beeson says too many companies misunderstand cyber as being only a risk around handling the personal information of individuals. “They view it first and foremost, and maybe only, as a privacy issue – the liability to the company from handling customer data or employee personal data or their healthcare information,” he says. “Of course, that’s a big risk and that’s certainly where the insurance industry has been focused for the last 15 or 16 years, but it’s way broader than that now, and it’s only just being understood that it’s broader.”

Beeson raises the theft of a company’s intellectual property and cyber espionage as key examples of cyber risk unrelated to personal information. “[Cyber] is not a product, it’s a peril, and it’s a peril that can have lots of different types of consequences. We have to start talking much more broadly about cyber risk as a peril that can have different consequences depending on who the buyer is, and change that perception of it only being something that we’re focused on as a privacy issue.”

And how rapidly does Beeson think the cyber threat is growing?

“It’s growing as rapidly as technology advances, so very fast,” he says. “The bad guys are still ahead of the good guys. That’s the problem – we’re still playing catch-up with the bad guys, because the economics are much easier for the bad guys than the good guys. The bad guys only have to succeed once, essentially. “We’re continually investing in mitigation, playing catch-up, to keep every
attack at bay. The economics dictate it’s much harder to do that.”

While the insurance industry offers products that provide breach response services, Beeson says there’s substantial work to be done with respect to the pre-breach side – the time before things go

“Most companies right now are really struggling, for example, to understand how to identify the critical assets they want to protect,” he says. “How do they quantify the risk to those assets? How do they understand what the ROI is on mitigation to those assets, and whether they should or should not buy cyber insurance and how much should they buy?

“Those questions, we as an industry right now, are trying to work on and help clients answer, but we haven’t solved that yet, and it’s incumbent upon us to come up with those answers.”