Cyber controls dubbed “not fit for purpose”

Two reports assess cyber risk and insurance cover with suggestions that insurers need to adjust their approach

Cyber controls dubbed “not fit for purpose”


By Paul Lucas

Specialist Lloyd’s insurer Novae Group has produced a report which suggests that cyber risk controls that meet international standards might not be fit for purpose – while a separate report by Deloitte suggests cyber insurers need to rethink their approach.

The insurer teamed up with the University of Oxford, led by Professor Sadie Creese, and together they found that insurance alone is not enough to manage cyber risk and that the standards being set by international bodies are often not backed up by suitable research and therefore do not necessarily have quantifiable benefits.

“Businesses are not well prepared for data/software damage and this research demonstrates cyber controls which some companies adopt might not be fit for purpose,” said Dan Trueman, chief innovation officer and head of cyber at Novae Group. “Much more needs to be done to understand the risk environment and prevent the potential damage to organisations from this threat.

“Insurance alone cannot manage cyber-risk; we need a holistic approach. As insurers, we may decide a cyber-risk is a good risk when the insurance buying firm has put controls in place that meet one of another set of international standards. However, this paper shows that a cyber-risk gap may diminish the value of companies’ efforts to protect their assets from cyber-harm.”

Want the latest insurance industry news first? Sign up for our completely free newsletter service now.

According to the report, entitled “The relative effectiveness of widely used risk controls and the real value of compliance”, which is available here, instead of simply working to meet standards, organisations must look carefully at the vulnerabilities inherent in the assets they want to protect.

“Cyber-attackers are creative and aggressive. Both the changing threat and an organisation’s attack surface must be modelled to ensure that cyber-controls offer adequate protection from harm,” added Professor Creese.

In a separate report, meanwhile, Deloitte has suggested insurers need to look again at their approach to cyber to avoid the “vicious circle” holding back the market.

With predictions suggesting that the market could explode and be about 10 times as high in 2025 as its value of $2 billion by the end of 2015, Adam Thomas, a senior manager at Deloitte, told the Financial Times that much of cyber insurance is covering data loss but that clients are going to start looking for products more tailored for their needs – such as those that cover attacks on the supply chain.

Thomas suggests that because of the dearth of data on cyber attacks, insurers are reluctant in their approach when offering policies – but that they could overcome this by making use of their own operations.

“Insurers have robust security controls themselves. But it is amazing how few of the people on the product side spoke with their own security teams,” he said.

Related stories:
Novae promotes cyber head to innovation chief
Majority of UK, US firms not ready for cyber attacks – report

Keep up with the latest news and events

Join our mailing list, it’s free!