By Paul Lucas
The importance of cyber insurance is constantly being reaffirmed to insurance brokers, with the likes of Inga Beale among those to have recently spoken about its expansion and potential as the “next big thing” in the insurance sector.
However, amid all the statistics and emphasis on its importance, Oliver Brew, global head of cyber risk at Aspen Insurance, says that one key aspect of risk is frequently being overlooked.
“For a business, recognising cyber risk within its four walls is one thing, but organisations must also understand this risk in the context of their supply chains,” explained Brew. “Supply chains are becoming more integrated and connected, which carries both benefits and risks: a more integrated supply chain can enable real time communication and efficiencies but can also entail greater vulnerability.”
According to Brew, there are several supply chain trends that effectively “play into the hands” of cyber attackers. In particular he points to criminals infiltrating systems through their weakest links.
“The liability landscape is being reshaped by supply chains; increasingly, a company could be liable for a defect that originated at one of its suppliers,” he said. “This is just as relevant for data as it is for products and services. The company initially entrusted with customers’ data is generally seen as the data owner for purposes of liability and legal duty. This means that while the data may have been passed on to and compromised at a supplier, the initial holder, with some exceptions, will have to respond to the breach.”
As such, he recommends that brokers take the time to explain these risks to the business clients they work with – and offer them advice on how to mitigate these risks, not just through cyber insurance but through prevention.
In particular, he suggests companies should clearly understand what data their vendors are handling; consider creating cyber security standards for partners within their supply chain; and negotiate favourable terms in contracts with vendors and suppliers, including the ability to undertake audits. Beyond the actual coverage protections, he explains, the underwriting process is usually thorough and sophisticated, and can act almost as a second audit beyond the company’s own due diligence when vetting that vendor.
In addition, he suggests that companies that are already successfully interpreting and leveraging threat information should consider sharing this information with their vendors and suppliers.
“The challenge is sharing meaningful and actionable intelligence rather than all information that passes through systems,” he explained. “The company should consider when and how to appropriately share information, bearing in mind that it is not a managed security provider for its vendors. Hiring vendors that have effective security capabilities is ideal, but for a subset of vendors with useful services but limited security resources, periodically sending an email advising them about a threat to look out for may be an information sharing strategy companies could employ.”
This, he explains, will then create an opportunity for an insurance broker to step in.
“An insurance professional can then advise about the proper coverages to help protect against cyber threats and other supply chain risks,” he said. “The goal is to recognize the threats, limit exposure, and ensure supply chain redundancy.”