We were pleased to host a ransomware roundtable event in partnership with Commercial Risk. During this event we discussed the legalities of whether or not to pay in a ransomware attack across different jurisdictions. In this whitepaper we provide a round-up of the topics discussed in more detail.

INTRODUCTION
It is now widely recognised by most risk management and IT security professionals that it is not a question of if, but when a cyber-attack will occur.
Companies rightly invest in building walls around their systems, because preventing access in the first place is an obvious building block of an effective defence strategy against ransomware. Yet most companies still use weak and outdated commercial cyber security software, and forget that the threat is often internal. They often focus their energy instead on shoring up their defences against an increasingly sophisticated, and at times state-backed, external adversary. The key is to make sure that this first line of defence is backed by a structured, enterprise-wide approach to managing and mitigating the risk, so that the reputational and financial impact is minimised as far as possible.
The ransomware experts gathered for this discussion agreed that most organisations, including at board level, are thankfully becoming more aware of the scale and realities of this risk, and quickly so.
Awareness of this issue has been boosted by the introduction of rules and regulations, such as the EU’s General Data Protection Regulation (GDPR), which came into force across Europe in May 2018. It was further aided by the reporting and governance requirements introduced specifically for cyber risk by the Financial Conduct Authority (FCA) in the UK financial sector.
The FCA has made it crystal clear that it wants to see an organised and structured approach to this risk, not a tick-box approach. This demands leadership from the top. The key assets and vulnerabilities need to be properly identified, measured and prioritised, with budget allocated accordingly on an ongoing basis. Our roundtable experts recommended allocating an element of the cyber risk budget to ongoing staff training, and involving human resources (HR) in the risk strategy, for it to prove most effective.
Our risk management and IT security professionals agreed that, as with all attempts to prevent, manage and mitigate business-critical risks, this is not just about structures, systems and reporting. The most important point of focus has to be the culture, education and awareness of all staff from top to bottom of the company, across all functions and departments.
Cyber is very much a human risk. Humans are the vulnerable parties and the weak links in the cyber security chain. A company may spend a fortune building the most foolproof firewall possible, but if staff are not trained and encouraged to spot the dubious email when it arrives, and made aware of the potential impact of clicking on that link, the investment will have been wasted.
When cyber risk first emerged, the IT department generally took ownership of the risk. Attempts to ‘help’ offered by other functions, such as risk, legal and audit, were often rebuffed because they were seen as criticisms of the IT team’s ability to do their job. Thankfully now it appears that, along with the rising role of the Chief Information Security Officer (CISO), there is a fast-growing understanding that everybody ‘owns’ cyber risk.
All staff must play their role in preventing attacks from happening in the first place and then help to mitigate them when they inevitably occur. Our panellists were clear that senior business leaders should give sufficient attention to the potential threat this weak human link could pose to the company, rather than delegating the responsibility for this risk solely to the IT department.
The following takeaway points, from the JLT/Commercial Risk Europe roundtable, sum up the key risk issues and the responses required by the FCA on loss prevention and risk management:
RECOGNISE THAT HUMANS ARE THE CORE VULNERABILITY
John Harrison, Head of Information and Cyber Security at Charles Stanley: “There is a person in the chair and, no matter how many protective mechanisms are in place, people are fallible and may, in a moment of weakness, click on the phishing link. These links have become so much more sophisticated, targeted and relevant, appealing to basic human traits such as greed and fear. Apathy is also a factor. People hear so much about cyber-crime and ransomware attacks. They are asked to strengthen their passwords and not to click on links etc., but they may still be complacent, thinking their company has systems in place to protect them.”
Ffion Flockhart, Norton Rose Fulbright’s Global Co-Head of Data Protection, Privacy and Cybersecurity: “It’s right that greed and fear are the basic human emotions targeted. The most successful attacks include those where HR is impersonated, especially when it occurs during the pay round process. People are told to click a link and give their username and password to find out what their annual bonus will be. Another one that works is a message from Inland Revenue telling an individual about a fine or tax rebate.”
COMPETING FOR VALUABLE TIME CAN BE CHALLENGING
John Harrison, Head of Information and Cyber Security at Charles Stanley: “It can still be difficult for security teams to secure top level engagement when it comes to cyber risk. We have an interested and actively involved Senior Management team at Charles Stanley, but if a firm was to have a CEO who wasn’t genuinely engaged, it would be almost impossible to secure the necessary buy-in and commitment from the rest of the organisation. Genuine top level management interest is vital. The problem is that there are so many demands on the Board’s time: general risk, cyber, compliance, data protection, governance and, of course, running the business on a day-to-day basis. There can be an element of fatigue that needs to be taken into consideration, and the approach to secure engagement should be adapted accordingly.”
REGULATIONS HAVE HELPED RAISE AWARENESS AND FORCE POSITIVE ACTION
Sarah Stephens, Head of Cyber/Technology E&O at JLT Specialty: “The implementation of the General Data Protection Regulation (GDPR) in May 2018 significantly increased the financial consequences of ignoring data privacy and protection. Companies are now taking a more proactive approach to their risk management strategy and further educating themselves on the various cyber threats facing them. This increased awareness has already resulted in more investment in cyber security, which should act as a deterrent for hackers who seek easy targets.”
ACCEPT THAT THEY WILL BREAK THROUGH THE PERIMETER AND PREPARE ACCORDINGLY
Winston Krone, Global Managing Director at Kivu Consulting: “A lot of the time companies have not lost everything, only a certain part of their data. Then the question is whether it is worth retrieving. An important factor to consider is whether their data is backed up or not. If it is not properly backed up, or if the attackers have been allowed to access and delete those backups, then that is what you will be paying for.”
EDUCATION IS CRITICAL – CARRY OUT TESTS
Munesh Vadher, Director Cyber Risk at Barclays: “Don’t forget that ransomware is targeting customers as well as large companies, so education and awareness on an individual basis is key. As part of our Digital Eagles programme to help small businesses and communities grow and develop, we run awareness campaigns through media channels and workshops to help educate people to become more aware about being safe online, the threats out there and what they need to do to defend themselves.”
BOARD BUY-IN IS NEEDED, BUT THIS CAN BE A CHALLENGE
Ffion Flockhart, Global Co-Head of Data Protection, Privacy and Cybersecurity at Norton Rose Fulbright: “This can be quite a challenge for many leaders. Remember that Marissa Mayer, former CEO of Yahoo, who was in charge when the group had to disclose the biggest cyber breach in history, ultimately had to step down. The Yahoo breach affected up to 3 billion accounts worldwide, led to class actions and devalued the company by USD 350m. You need commitment from the top and for cyber risk to be managed at executive level, not just by a small group within IT. A budget must be set aside specifically for information security.”
As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.
Before this, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.
Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.