Modern Insurance Magazine Issue 65

More documents

Recommendations

Info

INTERVIEWS CYBER PROTECTION with Jim Steven, CULTUREExperian UK Modern Insurance Magazine recently sat down with Jim Steven, Head of Crisis and Data Breach Response Services at Experian UK, to discuss adequate safeguards against cyberthreat in business. How should firms take logical steps to mitigate cyber risk, and how can they formulate or test their data breach response plans in the event of a serious attack? Jim, why are ransomware attacks Q increasing in frequency? And from your experience, what general attitudes have you seen towards this particular brand of cyber-attack? Ultimately, ransomware attacks are A increasing because criminals have found this to be a successful and lucrative commercial venture. People pay, and because people pay it becomes a very attractive model for criminal gangs. If you actually look at what ransomware does, it’s the deployment of one piece of malware that generates an upfront payment in a great deal of cases. Until people stop paying out in the event of a ransomware attack, we’ll see this activity continue to operate. There’s got to be an understanding of the fact that this type of activity isn’t going away. There are a number of governments that say business owners shouldn’t pay in the event of a ransomware attack, but if you’re the CEO of a £5million business and you suffer a ransomware attack which promises to resolve itself if you pay the ransom, you’re likely to succumb to it. If you don’t pay, the alternative could result in reputational damage, through the press or through your share price. Your investors might lose faith, your customers might lose faith, you might lose revenue as a consequence. If people are going to continue to pay the ransom, and if CEOs and Boards of Executives think that’s a viable choice and a cost of doing business, there’s always going to be a market. We’re seeing this play out in cyber insurance policies across the industry. Bigger organisations are only insuring part of their loss in the event of a ransomware attack; there’s a lot of captives running at the moment, and a lot of self-insurance. There’s such a high deductible on so many cyber policies, there’s already an attitude within firms and organisations that alludes to being prepared to pay out. Quite rightly, organisations are looking at their own security and data governance in order to mitigate the risk of cyber-attacks. But there’s such a breadth of low hanging fruit in terms of how you can access a firm’s online systems, particularly when there’s a third party involved which might not have the same levels of security. You can still fall foul to the consequences of a ransomware attack even if you’ve taken all of the necessary precautions, and you may still be faced with the decision to pay or not to pay. As threats to data security grow in this Q way, how can firms and organisations take logical steps to mitigate the risk further? Whilst everyone focuses on better security, A simple cultural changes can really reduce the risk. Most organisations understand that they’ve got to have some kind of security in place, or at least some kind of layered approach to protecting their data, but this doesn’t mean “ In the last three or four years, firms have also been offering cyber education to their workforce en masse, mainly through introducing password managers and simulated, fake phishing emails. “ 14 | MODERN INSURANCE
INTERVIEWS that there aren’t some simple, basic approaches that businesses can adopt for a larger return. Firstly, if you don’t need to hold personal data, don’t hold it. So many organisations store data longer than they need to, and in doing so, they’re increasing their attack surface and exposure to nefarious cyber activity. Separating strings of information also helps to mitigate risk. Don’t keep full identity sets in one place and/or corporate intellectual property in one place. In the last three or four years, firms have also been offering cyber education to their workforce en masse, mainly through introducing password managers and simulated, fake phishing emails. If staff don’t identify the risks and open the email, they’re offered more courses and more training to prevent the same thing happening in the event of a real phishing attack. Companies are also taking this one step further through gamification, where they’re incentivising staff to be more online safety conscious by offering prizes to individuals who can identify fake, or even real phishing attempts. Developing a culture of protecting each other through education is really important. You have to look after your staff if you expect the same in return. Of course, preparation is key. How Q can firms prepare for the worst when it comes to cyber threat, and how can consumer response plans be put to the test? In the UK last year, I dealt with over 900 A breach recoveries. Globally, it was more like 6,000. I would say that of those firms, 90-95% did not have a consumer response plan in place. Many will have a Disaster Recovery (DR) plan and/or an IT Recovery plan that is mature and tested regularly, but in the event of a successful data breach, the majority of firms don’t know who has been affected or how those people will be contacted and notified. Many don’t know the intricacies of the contact information they have on file, and they’ve no plan in place for who should be prioritised in terms of how this communication will be staggered. They haven’t thought through the wording of the notification, or whether this needs to be translated into multiple languages. Are there a number of brands in the firm’s group and if so, how will this be tackled? Have a consumer recovery plan, and an employee recovery plan, and understand all of the different cohort groups that make up the personal information you hold. You might lose your payroll, which affects former employees as well as current. It’s all about understanding what data you’ve got. Then and only then can you put a consumer response plan together against the information you hold, and look at how you would communicate with these customers effectively in the event of a data breach. Once you’ve got a plan together, of course you need to test it. It may seem obvious, but very few people do this - which always surprises me given that a poorly executed plan has the potential to create the biggest reputational risk of all. This kind of strategy doesn’t need to consist of clever stuff. For instance, if you’re sending communications via post, do you have enough branded envelopes in stock? Going through a scenario in theory is all well and good, but you need to put this into practice by trying out a number of real-life simulations if you’re really going to iron out the creases. Get your teams together and ensure that everyone understands where their responsibilities lie. This increases the chances of a quicker, smoother recovery. In the event of a data breach, how can Q organisations do more to scale up their resources? Well, first of all, you’ve got to understand A what your tipping points are. What severity of attack are you dealing with? How much of the response can you manage in house without having to arrange overflow resources? Maybe you need to outsource them completely. You might be able to handle 10 calls, but can you handle 10,000? Experian are able to be quite reactive in this situation; for example, we will outsource support with suppliers that can distribute 400,000 emails per day in three days, or 2 million letters after five days. It’s all about finding that bespoke solution in accordance with business needs. The real question actually lies in how many people respond to the notification of data breach with further queries. From a customer perspective, there’s nothing worse than receiving bad news and not being able to get through to someone when you want to clarify information and understand next steps. Make a prediction as to what this return rate looks like for your company. It’s often not as bad as you might think; in these scenarios, we usually see a 1-2% response rate following mass notification of data breach. If you assess the situation and realise that outsourcing support would be the better option, you should select the right partners with the correct capabilities and factor this into your response plan from its inception. From your experience, what does the Q future cyber threat landscape look like? What can the industry do better? The landscape never sits still, and whilst A there have been some welcome wins for law enforcement recently (with Lockbit and BlackCat gangs being impacted), we’re still seeing a rise in attacks year-on-year. We believe that third-party data breaches will continue to make headlines. With increased data collection, storage and movement, there are plenty of partners further down the supply chain that could be targeted. Experian predicts attacks on systems four, five or six degrees away from the original source - especially as vendors outsource data and technology solutions, who outsource to other experts, and so on. Instead of making drastic moves and trying to reap instant reward (such as that seen with ransomware), bad actors may also start to manipulate or alter minute aspects of data in order to stay under the radar. This might be seen through adjusting a currency rate, for example, or even the coordinates for fleet transportation. These small actions can have a major impact in the grand scheme. Finally, like drug cartels, cybergangs are also forming sophisticated organisations around the world. Joining like-minded actors can be incredibly advantageous, with global networks helping each other out in order to advance common goals and interests. I think we’ll also see more hackers for trade, crews looking to expand their monopolies, and cyberwarfare alliances. The underlying message is this: companies must invest in sophisticated prevention and response methods if they are to adequately protect themselves from serious threat. Experian have recently released their 6 key predictions for the cyber landscape in 2024. To view the full report and find out more, visit their website. Jim Steven, Head of Crisis & Data Breach Response Services, Experian UK Jim Steven is Head of Crisis & Data Breach Response Services for Experian UK, building on the knowledge, experience and success of Experian’s global data breach resolution offering. The team work with businesses to help them manage and resource mass consumer crisis responses, including customer notification, contact centre and credit/identity monitoring services for customers/employees affected by a crisis event. They also support clients in preparing and practicing readiness plans for potential incidents, guaranteeing resource availability to mitigate the impact and speed of recovery. Prior to joining Experian, Jim worked for some of the world’s largest security companies, providing expertise in security risk management solutions, travel risk management, aviation security and corporate security. MODERN INSURANCE | 15
Page 1 and 2: ISSUE 65 ISSN 2515-3803 I SPY CYBER
Page 3 and 4: WELCOME Welcome to Issue 65 of Mode
Page 5 and 6: 8 12 14 17 29 38 44 49 51 53 55 Ins
Page 7 and 8: EUROPCAR NEW BRAND BLOCK Color grad
Page 9 and 10: Risk sentiment Hiscox Cyber Readine
Page 11 and 12: Page 07 Impacts of a cyber attack (
Page 13: Q Ken - what’s the appeal for hac
Page 17 and 18: EDITORIAL BOARD A Varied Approach t
Page 19 and 20: Consumer Duty Defines the Role EDIT
Page 21 and 22: EDITORIAL BOARD The Vizion Standard
Page 23 and 24: EDITORIAL BOARD Embedding Consumer
Page 25: EDITORIAL BOARD Data Security at ED
Page 28 and 29: BOOKED IT. PACKED IT. WE’RE OFF.
Page 30 and 31: EMPOWERING THE FUTURE OF REPAIR Tec
Page 32 and 33: Straightforward insurance technolog
Page 35 and 36: ASSOCIATIONS ASSEMBLE Fleur Thomas
Page 37 and 38: ASSOCIATIONS ASSEMBLE Sue Brown Tit
Page 39 and 40: COUNTER FRAUD ACTIVITY: UK VS. US T
Page 41 and 42: THE DISTINCT LANDSCAPES OF INSURANC
Page 43 and 44: Jonathan Drake IMPROVING AGILITY, M
Page 45: Keeping insurers fully in the loop
Page 49 and 50: Friction Is the Key to Customer Suc
Page 51 and 52: Put the Sugarin First FEATURES As I
Page 53 and 54: A Total Loss Could Be An Electric G
Page 55: FEATURES THE EVOLVING RISK OF CYBER
Page 58 and 59: A new approach to repair management
Page 60 and 61: Modern Insurance Magazine’s notor
Page 62 and 63: Results INSURER OF THE YEAR WINNER
Page 64 and 65:
“The team at Modern Insurance Mag
Page 66 and 67:
INSUR. TECH. TALK
Page 68 and 69:
INSURTECH Google Cloud QMonica, mor
Page 70 and 71:
INSURTECH Capgemini AXA XL QCaitlin
Page 73 and 74:
INSURTECH Munich Re Dikla, what are
Page 75 and 76:
INSURTECH Q Is AI a friend, foe, or
Page 77:
INSURTECH QWhat are some of the mos
Page 80 and 81:
INSURTECH Welcoming… Percayso Inf
Page 83:
INSURTECH Strategic Priority: Opera
Page 86 and 87:
INSURTECH The Fastest Fish in the O
Page 88:
Any me, any place, anywhere... FMG
show all

Modern Insurance Magazine Issue 65

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?