On Wednesday I attended a very informative seminar entitled 'A Hacker, A CISO & A Policeman' arranged by Jai Aenugu at The TechForce with the aim of highlighting the cyber threats facing businesses and the actions that could be taken.
The presentation from the three representatives advertised was excellent, as was the advice regarding the training of staff to reduce a company’s exposure; however, I was somewhat disappointed with the response, which came from the CISO, to my question to the panel.
In essence, I raised the point that, as highlighted by all the panellists, the major threat to businesses today was cyber-attacks and therefore, in a room of 75-plus people, how many were aware of their company or organisation having a specific cyber & crime insurance cover. Out of the room I could only see one hand raised.
I then expressed surprise that, although risk management in the form of training is the first line of defence, no system was impregnable, as had been confirmed by the hacker, and that with the rise of ever-widening insurance covers and reducing prices they did not effect such a policy as a safety net.
The CISO’s response was that such policies had too many exclusions and too high policy deductibles. This opinion was formed from when he worked with a multi-national insurance broker.
I am not sure when that was, but I would disagree on both points – as the cyber threat becomes more widespread and damaging, the insurance market has responded by developing wider and more relevant covers – as to deductibles, a typical policy for businesses with a turnover of up to £10m would have an excess of £1,000 and for turnovers above £10m the excess would be £2,500 – hardly punitive.
My disappointment came from the fact that insurance brokers like ourselves have been trying over the past few years to educate clients on risk managing their Cyber exposure and then putting in place a risk transfer in the form of insurance, only to have doubt cast on the benefits of such protection in a public seminar dedicated to reducing the impact of cyber-attacks.
Ah, well – more missionary work required.