One of the most essential questions when it comes to cyber insurance is that of cyber risk responsibility. A report on global risk perception published by Marsh and Microsoft in 2019 found that most executives are spending less than a day on cyber risk.
Andrew Maher, a senior underwriter in the cyber division of AXIS, believes changing corporate culture is the best way to increase cyber risk awareness within businesses. Maher first became involved with cyber insurance in 2010 at Beazley and since then has advanced rapidly throughout the sector, joining AXIS as a senior underwriter in November 2018.
Cyber security, Maher outlined, has become about how humans are interacting with the security measures their businesses have implemented. Technology is essentially the back door to a business, he said, and while this door has been upgraded to a bank vault level by many businesses, it is still prone to human error.
“At the end of the day,” he said, “everybody is going to have a breach and it’s not a question of ‘if’ but ‘when’. So, [cyber security] is about making sure that the organisation really knows what is going on.”
If boards have more involvement than simply being presented to on a quarterly basis, he said, and if C-suite executives are educated so they know what to ask for, then they are better prepared in the event of an incident. This does not just enable a better response to the cyber incident itself, Maher stated, but can also potentially prevent a D&O lawsuit because the executives have probably done all they could to prevent the occurrence. Board-level engagement is the most fundamental way to get essential changes made, he said, and the key to making genuine changes to a company’s culture and understanding of cyber risk.
Having these conversations with C-suite executives is getting easier, Maher said, outlining how, when he was first holding meetings, he would generally only ever be able to meet with the head of IT and the risk manager.
“Now we’re getting CISOs, risk managers, general counsel, CFOs, CEOs etc.,” he said. “Everybody’s got more involved and they understand [cyber risk] a lot more.”
The increased awareness of executives has been instigated by high profile breaches, Maher said, and also by the loss of jobs following these breaches. The fear factor has been essential in increasing engagement with cyber risk, he said, while outlining the importance of finding a balance when it comes to managing this response.
Too severe a response and nobody will ever respond to, or click on, an email, Maher stated, so it’s about making life easier for employees while also having them understand how their actions could negatively impact the company. This is why AXIS has tailored its cyber education initiatives: Maher believes the best training is often personalised to employees and able to keep cyber security at the forefront of their minds as they go about their daily routines.
Also key in generating discourse and awareness of cyber risk and the imperative of cyber insurance, Maher said, has been increasing the accessibility of the language used in relation to this cover. AXIS has a team just for training and awareness, Maher said, the members of which come from a range of backgrounds including an ex-Royal Marine and other ex-service people.
A member of AXIS’s cyber training and advisory team, John Donald, has written a book called the ‘35 views of cyber risk’ which provides analogies to help generate a more comprehensive understanding of this sector. One of the key analogies within this work, Maher said, examines how cyber security has evolved in the same manner as ancient cephalopods did into the modern-day squid.
Where once companies managed cyber security by putting a hard shell of technology around the business, he said, now they must look to the evolution of the squid to see the importance of monitoring, employee education, and threat intelligence instead of simply building a barrier. Companies must build flexible, swift-acting policies, he said, which are able to move and respond quickly to all kinds of cyber risk.
The impact of such analogies and simplified language, Maher said, has been evident and, for many businesses, has impacted the development of a company culture which embraces risk responsibility across the board. When it comes to cyber, he said: “the best CISOs can explain things in layman’s terms and, when they’re talking, you get the feeling that they understand the risk and can explain it to the board.”
This change to the company culture of organisations is so essential because, when it comes to mitigating cyber risk, it’s all about how the risk is handled.
“The knee-jerk reaction when a cyber incident occurs,” he said, “is that it’s going to be bad - but if you look at most companies 12 months after they’ve had a breach, and look at the stock price, it hasn’t always gone down and, in some cases, it has even gone up. It’s about being prepared to comprehend the uniqueness of each breach that makes the difference.”