Exclusive interview: ‘Cyber is the worst type of risk’

A simulated cyber attack provided a dramatic opening to this year’s Airmic conference.

Run by the Cybercrime Research Institute – an independent research and development and risk advisory entity working with governments, international organisations and corporations - this interactive session involved a panel of four risk managers and a law firm partner acting as an incident management team dealing with a real-time cyber extortion.

Professor Dr Marco Gercke, director of the Cybercrime Research Institute, and Peter Hacker, partner at Distinction Global, a specialised advisory unit of the CRI, coordinated the hour-long session.

“What we were looking to do at the conference was increase and examine threat awareness,” Hacker told StrategicRISK. “Cyber crime and cyber security are not a major new threat to businesses. However, the scale of emerging uncertainties and risks are thriving exponentially and you can’t afford to be blind to these.

“There is no ‘golden panacea’ how risk stakeholders should think about cyber crime and cyber security and its implications on the enterprise wide risk landscape. Such risks are rather abstract – until an incident occurs. Consequently, we feel decision makers require insightful incident management, risk simulation and solution content which helps them extract core data and understand the relevance and implications of these unparalleled challenges first.”

The simulation demonstrated a specific threat by using a sequence of real scenarios and linked it to awareness, mitigation, risk control, and stress testing. It also looked at the role of insurance, and tried to point out the relevance of fundamental questions such as:

• Which attacks are most likely and what are the potential impacts?
• Is there the appropriate capacity, capability and the right strategy to defend strategically and operationally against such attacks?
• What are the fiduciary duties concerning cyber security exposure?
• What are recovery capacities, and why should they be bespoke?
• What are the potential claim pitfalls?
• Why should you undertake a pre- and post incident stress testing?

“Our primary aim at Airmic was to increase threat awareness and lay the base for a bespoke and broader organisation, enterprise or corporate understanding and dialogue,” Hacker said.

“Cyber crime and cyber security are an enterprise wide risk issue. They can’t be prevented but can be mitigated, controlled and potentially externally transferred. Cyber risks developed from an abstract risk relevant for some industries to a real threat for almost every private and public sector entity. The response needs to be led and supported top down, you need to have broad board awareness and buy in otherwise you will have problems as a risk manager.”

Hacker explained the ethos behind the bespoke simulation: “If you look at what the insurance industry does in this space, there is a focus on cyber crime and security and it is quite a repetitive pattern across the UK and Europe. This session was distinctive as it addressed the entire risk management path – from risk identification, risk quantification, risk transfer and risk control - and not just one element such as risk transfer.

“There are several issues to consider. Technological advances are skyrocketing and this means exponential changes for anyone involved with business and regulatory legal systems.

“We all know businesses digitise all aspects of operations, from client interactions to partner relationships in supply chains. Entire organisations, enterprises and corporations become electronically exposed and vulnerable to cyber crime, cyber security and wider enterprise risk implications. Globally, cyber security and cyber crime are persistently on schedules for regulators and governments. The key challenge is that new technology such as artificial intelligence (AI) is often advancing much faster than regulatory authorities, governments, the insurance and the risk management industry can often proactively respond to or resolve uncertainty about liability or other threats to their businesses.

“Moreover, what the industry calls ‘cyber risk’ needs to be defined more clearly and change. In fact, ‘Cyber’ is really more a buzz phrase and we have to think more broadly and in-depth than this. We talk about technology cycles which are linked directly to digital disruption for cloud computing, for example. It means we are restructuring and redefining the rules of doing business, assets are becoming more intangible. We need different ways of looking at intangible asset risks such as data protection, intellectual property, brand, reputation and emerging disruptive technologies.

“Cyber crime and security should be at the top of the agenda for boards. Foreseeing such change is no longer something that can be left to risk, legal and IT-security teams only.”