Cyber criminals are growing stronger as our reliance on technology makes our defences weaker. And it’s a problem too big for the IT department alone. So how can risk managers build resilience as cyber threats evolve?
Cyber threats are evolving and growing more complex, as businesses increasingly rely on technology and computer systems to drive efficiencies and thus scale their businesses.
This increased reliance creates emerging exposures for operations and, as such, businesses need to ensure they are taking adequate and appropriate measures to minimise the risks.
Sam Bye, head of cyber, Asia & Middle East, at AXA XL, says: “Cyber security has historically been seen as the IT department’s responsibility, but this is no longer true. The responsibility falls upon everyone in the business to ensure they are practicing good cyber security hygiene.”
He adds that, as employees are the first line of defence in cyber security, the C-suite plays an important role in building a culture of cyber security in the workplace.
RANSOMWARE OUTSOURCED
Cyber criminals are becoming more sophisticated, increasing the likelihood that a business will be successfully attacked. Larger threat actors have even begun to outsource attacks to smaller groups by licensing their toolkits, methodologies and lists of exposed businesses.
Bye explains: “This model is called Ransomware-as-a-Service (RaaS) and has essentially commoditised ransomware attacks, empowering less sophisticated threat actors to now be able to carry out these types of attacks with ease.”
AI has also increased exposures, for example by allowing cyber criminals to draft phishing emails in perfect English.
Historically, these attempts were often easy to spot as they were drafted by non-native English writers and contained grammatical errors. Now that AI has eliminated many of these errors, it is more important than ever to continually train staff on how to guard against phishing.
As a response to growing threats, many Asia-Pacific countries are now introducing data privacy regulations with mandatory breach notifications and increased fines and penalties.
Bye says: “These regulations are a positive step, as they not only provide greater protection for consumers but also drive increased demand for cyber insurance among businesses that must now mitigate higher liability risks. These regulations are good moves towards safeguarding data rights and enhancing overall cyber resilience.”
Some countries have even introduced potential jail time for breaching data privacy regulations. So it is essential for businesses to take the right steps to protect the sensitive data they may be storing or processing.
MASTER THE BASICS
Given the tricky cyber landscape, Bye says risk managers must work closely with their IT departments to understand the risks in terms of operational resiliency of the computer systems the business uses.
Equally, risk managers should be involved in developing the privacy, incident response, disaster recovery and business continuity plans for the business in tandem with the relevant key stakeholders.
Having these policies in place allows risk managers to know what steps need to be taken in the event of an incident. There should also be offline copies in case of a network outage.
Bye says: “Cyber security may sound exciting but sometimes the best practices involve making sure you consistently practice the basics, such as having a robust patch management policy, taking frequent offline backups, ensuring administrator accounts are appropriately secured, enabling MFA for all remote access. All these fundamentals will help contribute towards a resilient business.”
LOOK FOR LOCAL EXPERTISE
Of course, alongside security and resilience measures, cyber insurance is a critical part of the cyber risk management puzzle.
Bye says that having the right cover not only offers balance sheet protection, but policies can also provide benefits such as IT forensics, legal and regulatory assistance, and public relations advice.
He says: “AXA XL has been offering cyber insurance in Asia for over six years. This means we have accumulated a vast amount of localised knowledge on the varying legal, regulatory and threat landscapes across the region. As such, we have a much deeper understanding of the exposures and challenges that our clients’ operations face, which allows us to accurately price and provide solutions that are most appropriate to their needs.”
AXA XL has been expanding its cyber insurance practice in recent years, focusing on partnering with clients rather than just providing a monetary payout when there is an incident.
Bye explains: “The partnership ensures that policy terms and conditions and premiums will typically be more consistent year on year compared to that of foreign capacity.”
He stresses that there are several advantages to local solutions over international options. “Local claims expertise plays a huge role. If a client faces a cyber incident, it needs to be acted on immediately to reduce any further damage. Having a local claims contact is pivotal as the remediation work can begin straight away.”
He adds that foreign capacity has shown growing interest in Asia over the past year, as insurers look to grow their portfolios.
However, the issue with this is that when claims activity in the market worsens, these carriers are most likely the first ones to retrench their involvement in the region.
Bye concludes: “This can leave clients in a difficult situation as they will need to seek new insurers. AXA XL’s commitment to being a partner means that we look to be central in the region regardless of the market cycle. We want to help clients on their cyber security journey and not just be a pure risk transfer tool.”
TOP TIPS: HOW TO CHOOSE A CYBER INSURANCE POLICY
- Look at the value-add services bundled with the policy. Check what other value you can get from your purchase.
- Work closely with your insurer. AXA XL can provide flexible coverage to transfer the exposures that you are most concerned about.
- Choose sustainability over premium savings. Look for an insurer that will be your long-term, consistent partner. Short-term premium savings may cost you in other ways.
- Compare local claims expertise using vendor panels. Search for local insurers with strong and proven claims track records.
- Take advantage of broker knowledge. Cyber insurers have a subjective view on risk and appetites vary drastically. Seek quotes from multiple insurers to get a holistic view of the options available.