If you haven't yet experienced a serious cyber incident such as a ransomware attack, it’s worth putting in some time to gain an understanding of the complex dynamics that can come into play.
Cameron Whittfield, who leads PwC’s legal cyber security team, was responsible for cyber incident response management and has advised on many of the region’s most recent high-profile cyberattacks.
Originally from New Zealand, Whittfield has worked in the technology sector for the last 25 years. He studied law and applied finance and has worked with some of the biggest technology companies and legal firms in the US, UK, New Zealand, France and Australia.
Whittfield will be hosting a free ANZIIF webinar to share his expertise with the industry.
High pressure environment
He says it’s important for insurers to understand the pressure organisations suffer in the first 24-48 hours of a breach, so that they can design policies and practices that best align with that kind of environment.
‘Given the sheer intensity and stress of decision making during those crisis moments, you can't have insurance processes be anything but totally efficient and effective,’ Whittfield says.
‘The impacted company cannot afford to waste a second.’
The insurance industry has a very critical role to play in helping policy holders develop effective cyber resilience.
Whittfield believes the cyber insurance industry’s thinking needs to shift in the way the life and health insurance sectors have done.
‘They’ve moved away from funding post incident health care towards supporting wellbeing, so policy holders stay healthy,’ he says.
‘Those involved in cyber insurance can help policy holders build cyber resilience in a similar way.’
Cyber insurance challenge
Although developing quickly, the Australian cyber insurance industry is still relatively nascent and, according to Whittfield, is facing ‘some pretty significant head-winds’.
For example, in 2021, a PwC survey of 3,600 senior executives across the globe found a disconnect between CEOs and their executive teams in relation to cyber security.
‘While many CEOs believe they provide significant support and adequate resources, and that they make funding a priority for cyber, that’s often not the perception of the non-CEO executives in the organisation,’ he explains.
‘This is changing, but it is interesting to see our survey respondents call it out.’
Complexity stifles resilience
In addition, the survey found that organisational complexity is preventing companies from achieving the level of security required.
‘Eighty per cent of the respondents in Australia and globally say their businesses are excessively and unnecessarily complex,’ says Whittfield.
‘This complexity is creating cyber and privacy risks executives find concerning. Some are anxious that their businesses are becoming too complex to secure.’
Highly complex supply chains that rely on a variety of third parties form an important part of this risk.
‘A majority of the respondents we spoke to had taken very little action to ensure robust and enduring processes around third-party risk management,’ Whittfield says.
‘That's a worry when many high-profile cyber incidents have originated from within an organisation’s supply chain, rather than the organisation itself.’
Making better use of data
Another point to note is the continuing inability to make use of good data and cyber intelligence to inform cyber strategy.
‘The majority of companies we surveyed haven't actually mapped their data holdings, so they couldn't tell us exactly where their data is held or how their most valuable data is protected,’ confirms Whittfield.
‘And that alone put them in a vulnerable position.’
Whittfield argues that the insurance industry is acutely aware of the need for good data. Policies and insurance positions require quality data for their modelling.
‘There’s no doubt the insurance industry also understands the risk of cybercrime.
‘It’s currently one of the most significant threats to insurers globally and this will continue to be the case over the next few years.
‘Cyber security has consistently been a top 2 or 3 issue in our discussions with clients and in our CEO global surveys over a number of years,’ he adds.
‘Even in the face of pandemic related issues, cybersecurity is now essentially the number one risk confronting organisations.’
Vulnerable remote workforce
Whittfield says cyber risk is more acute in the insurance industry than in others.
‘That’s partly a reflection of the fact that insurance companies are not only susceptible to attack themselves, but they are also in the business of underwriting attacks on policyholders.’
Worryingly, the severity of cybercrime increases with a greater dependence on IT infrastructure, data, technology solutions and third-party services. The insurance industry, like others, is increasingly dependent on technology.
On top of that, the COVID-19 pandemic has brought extra vulnerability as many organisations and industries continue to lag behind with the security arrangements required to safely enable a remote workforce.
‘Technology measures can often take many years to put in place,’ Whittfield points out, ‘but in March 2020, across the globe, many were forced to manage new working arrangements immediately and all at once.
‘We all went remote almost overnight, often without the benefit of appropriate planning and security management.
‘As you'd expect, those that moved without proper risk management and security controls increased their susceptibility significantly.’
For those that remain in catch-up mode, the insurance industry can play a positive role in enabling increased cyber resilience.
Difficult to model
Meanwhile, for insurance companies, the risks are very difficult to model.
‘I think it's clear the industry underestimated the potential costs of cybercrime,’ Whittfield says.
‘You can see that playing out in the increase in premiums and excesses, the changing nature of cyber policies and the fact that many insurers are stepping back from providing particular types of cyber insurance, or from providing cyber insurance altogether.’
Whittfield also observes the age-old problem of a mismatch in the expectations of clients and insurers around what policies do and don’t cover, particularly as policies and the threat landscape continue to evolve.
‘Certainly, there's often an ambiguity to policy wording that exists and this creates complexity during the claims process,’ he says.
Managing the regulatory landscape
If that’s not enough to chew on, Whittfield says regulatory change is another challenge to contend with for insurers that offer cyber security products.
‘The regulatory landscape is constantly moving. I haven't seen this much regulatory change around a particular issue in many years.
‘Everyone's grappling with how regulation might impact aspects of the industry, whether it relates to cyber preparedness, incident response obligations and post-incident remediation.
‘In many respects, the regulatory landscape is catching up with the current threat landscape. This creates significant challenges for lawmakers and regulators alike.’
Whittfield believes insurance has a key role to play in building cyber resilience.
‘Insurers have a relatively unique and important role in the market as a key enabler of cyber resilience across our nation,’ he says.
For example, insurers need to be aware that it's not appropriate for insurance companies to be in the business of making ransom or extortion payments for policyholders.
‘They need to understand the ransomware criminal “business model”, which contains three key elements: intrusion into your IT ecosystem, locking and/or extracting your data, and the payment of extortion demands.’
Whittfield asserts that the cyber insurance industry has a role to play in every one of those elements by building resilience so that policy holders can more effectively safeguard themselves.
‘If you break that chain, you have essentially stopped the ransomware business model in its tracks,’ he says.
Preparing yourself for cyber
However, Whittfield also argues that insurance is just one part of the solution.
‘There can be complacency when you have insurance in place, but it is not the only solution,’ he says.
‘Insurance is part of a much broader suite of measures, including IT security, appropriate planning, people management (including appropriate governance), legal and regulatory risk mitigation, third party risk management and communication.’
In that context, Whittfield says it’s important for insurers to understand how companies are preparing themselves for cyber related issues.
‘This is a real-world problem that affects real people and businesses in a tangible way,’ he says.
‘And there's some really interesting developments and trends that we're seeing coming out.
‘I want to be part of that discussion because I believe that if we are all better informed, we can facilitate the successful evolution of cyber insurance policies that can meet the threat landscape in the market.’