The following is an opinion piece written by Alex Langridge, technology, cyber and digital lead, Per Ardua. The views expressed within the article are not necessarily reflective of those of Insurance Business.
The risk of cyberattacks has redefined the threat environment for all UK businesses, but particularly financial services. This sector has become a focal point for active, at times state-sponsored, actors populating an evolving risk frontier.
The financial damage wrought by recent attacks has been eye-watering, with average losses per breach soaring from $229,000 to $369,000 over the past year. The threat has inflated defensive cyber budgets among corporates to new highs. It has also catapulted the information security function from the bowels of organisations to the board, elevating former back office roles to high profile CISO positions.
To date, the banking sector has been at the front of the pack in building cyber resilience, but insurance is catching up. The Bank of England’s CBEST tests, launched in 2014, have gone some way to help the insurance sector improve the sophistication of its systems, but continued progress requires serious leadership.
Cyber is regularly on the board agenda, where constructive debate and informed action require relevant expertise. Regulators are increasingly concerned with the depth of relevant knowledge on insurance boards, and, in some cases, have mandated that it be supplemented. While insurance has been a lucrative sector for the Big Four (and other consultancies), there is now serious demand from insurance boards to appoint former CIOs as NEDs.
Many organisations are paying the price for having hired a series of interim CISOs; they are no substitute for the stability and consistency of a full-time CISO. Cyber is integral to IT and operational risk and needs to be embedded into an enterprise risk programme. At the top end, CISO compensation has risen fast and many organisations have had to carry out protracted searches to find the right composition of talent.
The best CISOs in the market know their strengths and hire to compensate for their weaknesses. Building a cyber team is a careful blend of the right soft skills, risk management experience and technical expertise. Coaching can prove invaluable for technically adept cyber professionals, who may have had limited exposure to the upper echelons of senior management or indeed a wider board environment.
After the initial, considerable investment in cyber defences, equipping the board with appropriate cyber skills is the critical next step. Informed boards wish to understand the rationale for further expenditure. In the banking sector, CISOs no longer have a blank cheque for cyber resilience and must clearly articulate their case, a pressure that will inevitably increase in the insurance sector.
Senior advisers have proven very valuable in enhancing the field of experience, both for their knowledge and their perspectives. Bringing in people from government agencies in this capacity – the likes of Sir Iain Lobban and Dr. Jamie Saunders, both formerly of GCHQ – confers credibility and subject matter authority.
But insurers also require focused expertise to maximise the commercial potential that cyber presents. Many banks and corporates currently view commercial cyber cover with genuine scepticism, with exclusions often perceived as making the product worthless, driving many to go self-insured.
However, there is a vast opportunity to create and sell cyber cover, and the industry is finally waking up to the scale of the prize at stake. Globally, cyber premiums have risen 23% year on year and are predicted to reach $20 billion by the mid-2020s. To date, the market has been dominated by a small number of global insurers, with take-up particularly variable in Europe.
Insurers have adopted varied approaches to sourcing and attracting new cyber talent. Some have recognised the importance of building business continuity and created a network of support service providers for education and training purposes, which complements broader efforts to construct proprietary capability.
Elsewhere, cyber expertise has been absorbed through acquisition, such as Stroz Friedberg by AON, or through organic hiring. Increasingly, we are seeing new hires from backgrounds in risk management and technology consulting move onto cyber underwriting desks, a clear departure from the more traditional financial lines or D&O background. In such scenarios the challenge of cultural assimilation cannot be overstated.
Conversely, other organisations are creating ‘cyber centres of expertise’, in an attempt to embed best practice into every line of business. These hires have come either from very senior internal IT backgrounds or highly accomplished military backgrounds.
The RAF, in particular, produces a mentality which fuses technical backgrounds with a strategic outlook through exposure to the highest levels of national defence. Consulting and banks have long attracted and successfully retained people from this type of background and there have already been several examples of this type of hire into insurance.
Insurers must seize the opportunity to turn operational defence into commercial offence through talent, by intelligently building capability and product. This frontier can only be conquered with the right people deployed under the right strategy. By offering cyber professionals a career with unique commercial impact, insurers will be victorious in the war for cyber talent.