Modern Insurance Magazine Issue 65
INTERVIEWS

CYBER PROTECTION CULTURE
with Jim Steven, Experian UK

Modern Insurance Magazine recently sat down with Jim Steven, Head of Crisis and Data Breach Response Services at Experian UK, to discuss adequate safeguards against cyberthreat in business. How should firms take logical steps to mitigate cyber risk, and how can they formulate or test their data breach response plans in the event of a serious attack?

Q: Jim, why are ransomware attacks increasing in frequency? And from your experience, what general attitudes have you seen towards this particular brand of cyber-attack?

A: Ultimately, ransomware attacks are increasing because criminals have found this to be a successful and lucrative commercial venture. People pay, and because people pay it becomes a very attractive model for criminal gangs. If you actually look at what ransomware does, it’s the deployment of one piece of malware that generates an upfront payment in a great deal of cases. Until people stop paying out in the event of a ransomware attack, we’ll see this activity continue to operate.

There’s got to be an understanding of the fact that this type of activity isn’t going away. There are a number of governments that say business owners shouldn’t pay in the event of a ransomware attack, but if you’re the CEO of a £5million business and you suffer a ransomware attack which promises to resolve itself if you pay the ransom, you’re likely to succumb to it. If you don’t pay, the alternative could result in reputational damage, through the press or through your share price. Your investors might lose faith, your customers might lose faith, you might lose revenue as a consequence. If people are going to continue to pay the ransom, and if CEOs and Boards of Executives think that’s a viable choice and a cost of doing business, there’s always going to be a market.

We’re seeing this play out in cyber insurance policies across the industry. Bigger organisations are only insuring part of their loss in the event of a ransomware attack; there’s a lot of captives running at the moment, and a lot of self-insurance. There’s such a high deductible on so many cyber policies, there’s already an attitude within firms and organisations that alludes to being prepared to pay out. Quite rightly, organisations are looking at their own security and data governance in order to mitigate the risk of cyber-attacks. But there’s such a breadth of low hanging fruit in terms of how you can access a firm’s online systems, particularly when there’s a third party involved which might not have the same levels of security. You can still fall foul to the consequences of a ransomware attack even if you’ve taken all of the necessary precautions, and you may still be faced with the decision to pay or not to pay.

Q: As threats to data security grow in this way, how can firms and organisations take logical steps to mitigate the risk further?

A: Whilst everyone focuses on better security, simple cultural changes can really reduce the risk. Most organisations understand that they’ve got to have some kind of security in place, or at least some kind of layered approach to protecting their data, but this doesn’t mean

“In the last three or four years, firms have also been offering cyber education to their workforce en masse, mainly through introducing password managers and simulated, fake phishing emails.”