Modern Insurance Magazine Issue 65

INTERVIEWS
that there aren’t some simple, basic approaches
that businesses can adopt for a larger return.
Firstly, if you don’t need to hold personal data,
don’t hold it. So many organisations store
data longer than they need to, and in doing
so, they’re increasing their attack surface and
exposure to nefarious cyber activity. Separating
strings of information also helps to mitigate
risk. Don’t keep full identity sets in one place
and/or corporate intellectual property in one
place.
In the last three or four years, firms have
also been offering cyber education to
their workforce en masse, mainly through
introducing password managers and simulated,
fake phishing emails. If staff don’t identify
the risks and open the email, they’re offered
more courses and more training to prevent the
same thing happening in the event of a real
phishing attack. Companies are also taking
this one step further through gamification,
where they’re incentivising staff to be more
online safety conscious by offering prizes to
individuals who can identify fake, or even real
phishing attempts. Developing a culture of
protecting each other through education is
really important. You have to look after your
staff if you expect the same in return.
Of course, preparation is key. How
Q can firms prepare for the worst when
it comes to cyber threat, and how can
consumer response plans be put to the test?
In the UK last year, I dealt with over 900
A breach recoveries. Globally, it was more like
6,000. I would say that of those firms, 90-95%
did not have a consumer response plan in place.
Many will have a Disaster Recovery (DR) plan
and/or an IT Recovery plan that is mature and
tested regularly, but in the event of a successful
data breach, the majority of firms don’t know
who has been affected or how those people will
be contacted and notified.
Many don’t know the intricacies of the contact
information they have on file, and they’ve no
plan in place for who should be prioritised
in terms of how this communication will be
staggered. They haven’t thought through the
wording of the notification, or whether this
needs to be translated into multiple languages.
Are there a number of brands in the firm’s
group and if so, how will this be tackled? Have
a consumer recovery plan, and an employee
recovery plan, and understand all of the
different cohort groups that make up the
personal information you hold. You might lose
your payroll, which affects former employees
as well as current. It’s all about understanding
what data you’ve got. Then and only then can
you put a consumer response plan together
against the information you hold, and look
at how you would communicate with these
customers effectively in the event of a data
breach.
Once you’ve got a plan together, of course you
need to test it. It may seem obvious, but very
few people do this - which always surprises
me given that a poorly executed plan has the
potential to create the biggest reputational
risk of all. This kind of strategy doesn’t need
to consist of clever stuff. For instance, if you’re
sending communications via post, do you have
enough branded envelopes in stock? Going
through a scenario in theory is all well and
good, but you need to put this into practice by
trying out a number of real-life simulations if
you’re really going to iron out the creases. Get
your teams together and ensure that everyone
understands where their responsibilities
lie. This increases the chances of a quicker,
smoother recovery.
In the event of a data breach, how can
Q organisations do more to scale up their
resources?
Well, first of all, you’ve got to understand
A what your tipping points are. What severity
of attack are you dealing with? How much of
the response can you manage in house without
having to arrange overflow resources? Maybe
you need to outsource them completely. You
might be able to handle 10 calls, but can you
handle 10,000? Experian are able to be quite
reactive in this situation; for example, we will
outsource support with suppliers that can
distribute 400,000 emails per day in three days,
or 2 million letters after five days. It’s all about
finding that bespoke solution in accordance
with business needs.
The real question actually lies in how many
people respond to the notification of data
breach with further queries. From a customer
perspective, there’s nothing worse than
receiving bad news and not being able to get
through to someone when you want to clarify
information and understand next steps. Make
a prediction as to what this return rate looks
like for your company. It’s often not as bad as
you might think; in these scenarios, we usually
see a 1-2% response rate following mass
notification of data breach. If you assess the
situation and realise that outsourcing support
would be the better option, you should select
the right partners with the correct capabilities
and factor this into your response plan from its
inception.
From your experience, what does the
Q future cyber threat landscape look like?
What can the industry do better?
The landscape never sits still, and whilst
A there have been some welcome wins for law
enforcement recently (with Lockbit and BlackCat
gangs being impacted), we’re still seeing a rise
in attacks year-on-year.
We believe that third-party data breaches will
continue to make headlines. With increased
data collection, storage and movement, there
are plenty of partners further down the supply
chain that could be targeted. Experian predicts
attacks on systems four, five or six degrees
away from the original source - especially
as vendors outsource data and technology
solutions, who outsource to other experts, and
so on.
Instead of making drastic moves and trying
to reap instant reward (such as that seen
with ransomware), bad actors may also start
to manipulate or alter minute aspects of data
in order to stay under the radar. This might
be seen through adjusting a currency rate,
for example, or even the coordinates for fleet
transportation. These small actions can have a
major impact in the grand scheme.
Finally, like drug cartels, cybergangs are also
forming sophisticated organisations around
the world. Joining like-minded actors can be
incredibly advantageous, with global networks
helping each other out in order to advance
common goals and interests. I think we’ll also
see more hackers for trade, crews looking to
expand their monopolies, and cyberwarfare
alliances. The underlying message is this:
companies must invest in sophisticated
prevention and response methods if they are
to adequately protect themselves from serious
threat.
Experian have recently released their 6 key
predictions for the cyber landscape in 2024.
To view the full report and find out more,
visit their website.
Jim Steven,
Head of Crisis & Data Breach
Response Services, Experian UK
Jim Steven is Head of Crisis & Data
Breach Response Services for Experian UK,
building on the knowledge, experience and
success of Experian’s global data breach
resolution offering.
The team work with businesses to
help them manage and resource mass
consumer crisis responses, including
customer notification, contact centre
and credit/identity monitoring services
for customers/employees affected by a
crisis event. They also support clients in
preparing and practicing readiness plans
for potential incidents, guaranteeing
resource availability to mitigate the
impact and speed of recovery.
Prior to joining Experian, Jim worked
for some of the world’s largest security
companies, providing expertise in security
risk management solutions, travel risk
management, aviation security and
corporate security.
MODERN INSURANCE | 15