Articles - Cyber risk and data protection issues to plague business


Businesses in 2015 are expected to experience increasing challenges as they struggle to contend with the burgeoning threat of complex cybercrime

     
  1.   Insurers will need to get to grips with underwriting cyber risk
  2.  
  3.   Companies will start to grapple with operationalising ‘the right to be forgotten’ in order to hit the 2017/18 enactment
  4.  
  5.   The demise of bolt-on cyber risk functions
  6.  
  7.   Cyber risk in the supply chain to come to the fore
 EY analysis has outlined some of the key areas that cyber risks threaten to impact in the coming year, including the difficulties in the insurance sector of underwriting cyber risk, the raft of regulation coming out of both the EU and the UK, the importance of integrated risk functions in firms, and the cyber risk of supply chains moving to the cloud. 
  
 1. Insuring against cyber risk
 Cyber risk poses a serious and growing threat to businesses across the UK, and companies are increasingly looking to insurers for protection against financial losses in the face of attacks. Certain sectors already require firms to take out cyber risk under regulatory compliance. However, cybercrime is not a traditional area of risk for insurers, and the burden of underwriting the risk is proving to be very difficult.
  
 Shaun Crawford, Global Head of Insurance at EY, comments:
  
 “Cyber risk will certainly be one of the biggest challenges to the insurance market in 2015. Cybercrime is a moving beast, making it impossible to quantify the risks neatly or to calculate them in an informed or consistent manner. With so much unknown, it’s not surprising that premiums are wildly different across the market, and without cross-market stability, the industry will most likely be operating on significant indemnity losses.
  
 “It will no doubt be a matter of time before insurers simply refuse to accept the undefined transfer of risks. But, in the short term, it is likely that they will start to demand evidence of adequate cyber risk controls from businesses that demonstrates they are taking cybercrime seriously and are taking the necessary steps to avoid opening themselves up to attack. This will present a whole new problem of benchmarking what does and does not constitute ‘adequate control’, which could put a spanner in the works, and result in cyber risk effectively being incompatible with the insurance model.”
  
 2. A raft of EU regulation
 
 The forthcoming EU General Data Protection Regulation (GDPR) poses significant challenges for business - in particular it changes the power to consumers via the “Right to be Forgotten”. From a cyber perspective, the GDPR will inevitably increase consumer awareness around the rights of their own data and put pressure on businesses to take more action around data capture and privacy, as well as security.
  
 This will be reinforced further by the sister instrument, the EU Network Information Security Directive, which will introduce mandatory breach reporting. The existing prevalence of news headlines will inevitably increase as companies are forced to openly disclose to their customers that they have endured a cyber-breach.
  
 Mark Brown, Executive Director in EY’s Cyber Security & Resilience Team, says:
  
 “Protecting data is no longer enough, data must be actively managed, and the forthcoming EU GDPR recognises this. The EU GDPR will have a major impact on all companies that hold personal data – from Technology, Media and Telecommunications companies, to retailers, e-commerce and consumer-goods companies.
 “Many businesses which have never before been regulated in this space before will become inundated with new compliance objectives, leaving current internal systems unable to cope. Although these rules won’t come into full effect until 2017/18, we expect to see businesses starting to address and prioritise what they need to do in order to comply with this new regulation.”
  
 3. Built-in versus bolt-on risk functions as a priority for firms
 
 Cyber risk functions are a relatively new feature to a growing number of businesses. They are a direct response to the perceived and actual risks that have come with digital working, and are fundamental if companies are serious about integrating the cyber risk agenda into the boardroom.
  
 Cheryl Martin, Partner in Financial Services Cyber and IT Risk at EY, comments:
  
 “In the last decade financial services firms in particular have woken up to the dangers that cyber can pose to their business. Many firms have built cyber risk into their business model, but there are still too many which have bolt-on functions that simply cannot be expected to effectively manage the potentially catastrophic risk that cybercrime represents. It is clear that firms need a dedicated risk function, with a direct line into senior management.
 “Attacks are now coming from all angles. They are growing in sophistication and in their potential to do damage, and firms need to understand the importance of integrating risk into their business as a priority.”
  
 4. Cyber risk in your supply chain – everyone’s moving to the cloud
 
 The move to built-in security is expected to result in a new dynamic for organisations looking to refresh their IT strategy.
 Brown further comments: “No longer will cloud computing be seen as a ‘risky bet’ or insecure. Indeed, quite the opposite, as cloud service providers have recognised that demonstrable security is key to their business success. We therefore expect a significant increase in organisations moving to cloud computing, but would caution them to ensure that in doing so they balance the economic and technical benefits of such a move.
  
 “Further, the extending of the IT supply chain to cloud service provision will inevitably expand the supply chain, and therefore introduce new risks to be managed; not just in procurement, but ongoing management of cloud service providers. The supply chain is fast becoming the new network perimeter and will represent a key focus for security professionals in 2015.”
  

Back to Index


Similar News to this Story

The reserving actuary natural vs artificial intelligence
Why human actuaries still have the upper hand over AI when it comes to the nuanced art of reserving in the insurance industry. Every year, we take in
Five step approach vital for DB schemes looking to buyout
Insurers may refuse to quote and provide pricing for buy-ins and buy-outs where the DB pension schemes’ data is of a poor quality, warns Hymans Robert
What insurers must know about the hidden risks of silent AI
Anja Vischer, Senior Emerging Risk Manager at Swiss Re Institute, discusses the emerging risks of AI for insurers. She stresses the need to reassess c

Site Search

Exact   Any  

Latest Actuarial Jobs

Actuarial Login

Email
Password
 Jobseeker    Client
Reminder Logon

APA Sponsors

Actuarial Jobs & News Feeds

Jobs RSS News RSS

WikiActuary

Be the first to contribute to our definitive actuarial reference forum. Built by actuaries for actuaries.