Top insurers are joining forces with Marsh to help organizations better manage cyber exposures. Under the Cyber Catalyst program, Allianz, AXIS, AXA XL (a division of AXA), Beazley, CFC, Munich Re, Sompo International, and Zurich North America will identify and evaluate solutions from cybersecurity vendors that will help firms reduce their cyber risk.
According to Marsh, the cybersecurity market is crowded and can be difficult for companies to navigate, given the thousands of firms offering solutions designed to combat cyber risk. The program will help organizations wade through the products and services available today to gain access to the ones that cyber insurers find most valuable.
While the announcement and subsequent work of the participating firms will help to inform the dialogue around risk, one expert says that this doesn’t mean the fight against cyber incidents is over. Oftentimes, what truly matters is not which technology businesses use to bolster their cybersecurity, but how they deploy it.
“Any efforts to help improve the risk controls of companies is a good thing, so I view this effort in that category, where the insurers are coming together with Marsh to try to help clients understand what the right technology toolset is to help manage cyber risk,” said Nadine Moore, Accenture’s cybersecurity lead for insurance. “It’s interesting and exciting that they’re joining together to say, we’re going to try to help tackle the problem of cyber risk, and try to build up some datasets around technologies and controls to help mitigate that.”
Nonetheless, identifying those toolsets is only the first step in the war against cyber criminals.
“Step two and three is implementing them effectively to make sure that they are tailored to the vulnerabilities in your environment, coupled with the threats that your business faces,” said Moore. “It’s not just buying a tool – it’s actually understanding what is my current platform as a company, what is the risk that I face in terms of cyberattacks, and then how do I make sure that I deploy technologies that are appropriate, that measure and monitor that risk and mitigate it.”
One challenge in getting a full picture of a company’s vulnerabilities is the technology debt that many are carrying from years prior.
“Companies have varying degrees of technology from varying decades, and so protecting those legacy technologies versus protecting new things in the cloud are totally different, and require totally different tools and capabilities,” explained Moore. “There is a layered structure of controls that need to happen to be effective, and putting some controls in place can help slow adversaries, but if you don’t have [multiple walls] set up, then if they can get through one and there’s no other barriers, then you’re not being effective.”
Digitalization, whether it’s the use of smart technologies that can introduce new vulnerabilities or having a remote workforce, requires a different kind of thinking about what’s being exposed to cyber risk. Before the age of sophisticated cyberattacks was upon us, company leaders would think about protecting the perimeter of their networks, until adversaries became skilled at phishing and jumping over that perimeter. Then, everybody started thinking about endpoints, but when companies distributed more and more devices that would be trusted by networks, they also had to think carefully about managing that trust and monitoring those devices, underscoring the fact that organizations have a lot more to consider than simply implementing a few solutions to address their exposures.
Still, the Marsh-led program is a step in the right direction, says Moore, and highlights the laser-focus of the insurance industry on the issue of cyber risk.
“The industry is moving quickly. You’re starting to see regulators think about these risks, and different regulators trying to define baselines for what needs to be protected. You see that a lot in Europe and you’re starting to see that in the United States around personal information and protection,” she said. “But, at the end of the day, there’s still a lot of work to do to catch up because the adversaries are sophisticated, they run their enterprises just like enterprises, and their job is to attempt to breach companies and steal information or money. That’s their sole purpose, and so while companies, insurers included, all have jobs to do – either they’re making products or they’re writing coverage – their job isn’t to defend against cyber adversaries, so there’s always this gap [and] the adversaries are going to be ahead of us for a while, until we get controls out there and capabilities deployed more broadly.”