Some industries, such as online retail or banking, handle large amounts of sensitive and possibly lucrative data. Since the services they offer are to a large extent virtual, their exposure is rather obvious. With others, like manufacturers, telecommunications and healthcare, it is their evident dependency on IT which makes them an attractive target for attacks in the cyber sphere. And indeed, participants in industries where neither apparently applies are sometimes led to believe that this topic is of secondary relevance, or relevant only to others.

Unfortunately, this is far from true, as even a quick analysis and recent events show. It is a misperception that a company has to have a widely known brand, a particular product or media coverage to become a target. Falling prey to one of the ominous phishing mails, or an inconsiderate click by an employee on a seemingly harmless attachment, is equally relevant for each and every company. Recent events and our claims experience show us that both large and small businesses are targeted by cyber criminals.

The top three cyber strategies of businesses

In our daily discussions with clients we encounter broadly three classes of responses:

  • Denial / minimum response: The initial response is that this risk is relevant for other industries, but not so much for their own. Publicly available examples are discarded as singular incidents or as a consequence of particularly unsuitable use of IT tools. Often, this approach is also driven by the fact that acknowledging an exposure would require a reaction, which may result in costs. An insurance premium would be such an additional cost. The topic of cyber and IT security is seen as a responsibility of the IT department. Since the details of any exposure would inevitably be technical in nature (and impossible to understand for anybody but an IT professional), this is where the matter is thought to reside best. In smaller companies, without dedicated departments, the responsibility is seen to lie with suppliers of software or hardware/infrastructure.
  • Awareness and prevention: Media coverage on the topic has become ubiquitous and hard to avoid, even to a level where not addressing the topic could lead to the management's reaction in this respect being questioned with hindsight. It is understood that the exposure is not merely technical, but also comprises soft factors like social engineering and human error, which have to be actively managed in a company. The focus here often lies on prevention.
  • Comprehensive approach: In addition to prevention, this also comprises mitigation and business continuity analysis based on a number of concrete scenarios that have been developed. Similar to fire drills, real exercises are conducted and key personnel (not limited to the IT department) are trained in how to react when servers go dark and communi

This simplified classification is of course exemplary and in reality more like a continuum. It can also be observed that when the conversation turns to cyber and insurance, one challenge is the complexity of what is covered under which line of insurance (property, cyber, professional indemnity, D&O and crime being the ones which could immediately be triggered, depending on the loss scenario). Other reservations are a certain saturation given the ever increasing media alerts, and the fear that this could merely be the insurance industry seeking the next product it can sell.

The risk, of course, is real and can be effectively managed by a combination of prevention and mitigation, where insurance falls under the latter.

Stephan Eberlein

Group Practice Leader Financial Lines

T +43 664 962 40 60