It was fascinating to read the results of Xchanging plc’s survey at the end of last year, which revealed that only one-third of insurers in the London Market believe their firm could withstand a major cyber-attack, and almost half felt they were underprepared.
Xchanging rightly points out that as holders of vast amounts of client data, insurers, like many other businesses, are vulnerable to attack by cyber criminals, and reports of data breaches – such as the hacking of broadband provider TalkTalk last year – are becoming increasingly regular occurrences. TalkTalk’s data breach is estimated (according to a recent interview with their CEO) to cost the company up to £35m in one-off costs.
While 36% of respondents to the survey – conducted at the Xchanging London Market Conference 2015 – said they ‘definitely’ have sufficient measures in place to withstand a major cyber-attack, 30% felt they are only partially protected, 16% said they are insufficiently protected, and 18% were unsure. For me, ‘unsure’ is an interesting state to be in, following the media storm and the high-profile incidents both within the UK and internationally over the past couple of years.
Adrian Guttridge, Executive Director of Xchanging Global Insurance Services, said: “The insurance industry is grappling with the extensive threat of cyber-attacks from an underwriting and risk management perspective and, in the absence of enough meaningful data, modelling the risks involved remains a grave challenge. As custodians of vast amounts of data, insurers are also aware that they, too, are vulnerable to cyber breaches – and the reputational damage that this can cause.”
Guttridge added: “The recent cyber-attack on TalkTalk is the latest in a lengthy list of high-profile hacks of personal data held by government and commercial organisations.”
As I outlined in a 2015 blog (How to avoid being the next TalkTalk of the town), implementing firewalls and other IT solutions is only part of the answer to fending off a cyber-attack. All walls can be scaled, so a more holistic approach is required to protect your business in an increasingly cyber-hostile environment.
In this environment, insurers need to review their policies, processes and procedures and embed their approaches into the everyday tasks that are performed. Without this, it is difficult to maintain a high standard, or to be certain that the standard is being maintained. For insurers, these principles apply to their policyholders as well, and we encourage insurers to consider these simple aspects in their policies.
It is to be welcomed that a new committee of chief risk officers (CROs) set up by the Lloyd’s Market Association (LMA) will promote efficient operation and the very highest technical standards in risk management for Lloyd’s managing agents.
As part of its programme, the committee will examine the evolving regulatory requirements for CROs, consider emerging risks such as cyber-attacks and champion best practice. The committee will also determine and define the skills and knowledge required to fulfil the CRO role within a Lloyd’s insurance business.
The committee’s formation is a response to the growing significance of the role of CRO in the Lloyd’s insurance market and comprises around 20 CROs drawn from across the Lloyd’s managing agency community.