Cyber Risk: It’s not a question of if, but when

John Chambers, CISCO CEO, famously said, ‘There are only two types of organisations: Those that have been hacked and those that don’t know it yet!’”

In fact, cyber security discussions are now critical for all organisations, irrespective of industry or size. A recent survey[1] of companies with a minimum of USD$100m in revenue, featuring 62 firms based in Australia and New Zealand think their exposure to technology and cybersecurity risk has increased in the past six months.

High-profile cyber events in 2022 demonstrated the effects of risk velocity. For instance, what starts as an isolated cyber risk, spirals into brand and reputation risk, litigation risk, regulatory and compliance risk, and as such, firms need to think carefully about what the total impact of such an event would be rather than viewing it in isolation. In the same survey, 54% of CFOs think the velocity of risk is of greater concern than risk likelihood or impact.

Matt Noyce Consulting (MNC) spoke to an expert in this field, Savva Pistolas, who works with the UK’s National Cyber Resilience Centre Group, about what insurers, superannuation funds and wealth managers need to be doing in this space, and this is what he shared.

In light of a recent Green Paper published by the Actuaries Institute, Cyber Risk and the Role of Insurance, good cyber hygiene and security are the first line of defence when protecting against a cyber-attack. The paper also highlights that many companies do not have baseline standards of cyber security.

According to Savva the risks and mitigations companies should be discussing and taking action on include low-hanging fruit that poses a risk to organisations and their supply chains. There is a clear need for forward and collaborative thinking. The SMEs that are brave enough to engage early with the topic will be those who are best prepared – assembling diverse teams or skill sets that can come together to discuss risk with full support from the board openly. Developing a good balance between growth goals and security issues needs to be reflected in team composition.

“It’s a daunting prospect that shrouds the landscape in fear and puts duress on all members of an organisation to make the ‘right’ decisions about which risks are too important to ignore and how to quantify their expected impact.”

SME’s can all too often take their chances with relaxed security for lack of a perceived functional alternative, and whilst it’s not guaranteed they’ll suffer an incident – it is guaranteed that SMEs who take fewer precautions will be an easier target for those bad actors. One breach is one too many – as Medibank[2], ICare[3], Spirit Super[4] and the NSW government[5] can attest to.

Cyber security is a responsibility carried by every member of an SME – whether they’re aware of it or not. Your business resilience against incidents is based on your active awareness of this responsibility. This requires a conversation about the common threats you may encounter as an SME in the financial services space and a discussion about how to attune employee engagement with security better and make people within the team accountable for it.

The best way to do this is to provide security awareness training to employees to foster a good security culture, draw attention to the types of phishing that can target your employees, and enhance your posture with the backing of a solid security policy. This will invariably require cyber security consultants to produce a vulnerability assessment to identify areas of concern or deficiencies. Possibly the most powerful approach to developing a strong security culture in an SME, is  Security Awareness Training (SAT).

As Savva says,

“Rather than falling prey to the prevalent mentality that employees are an irremediable weakness to security, instead we should conceive of them more optimistically, as a highly adaptable first line of defence.”

When done correctly, SAT can encourage a communication-led culture with respect to security that rewards exploration and discussion. It can change how people relate to the security controls that might currently inconvenience them and help mitigate the risk that employees face. It also helps protect firms against the most common means of a bad actor gaining access to a business network – Phishing.

The topic of phishing often leaves people with a mixture of anxiety and boredom – it’s spoken about enough to feel fatigued in conversations regarding it, but the advice is never specific enough to assuage concerns. The fact of the matter is that phishing is one of many ways that criminals will use digital communication to conduct reconnaissance and launch attacks against businesses and it’s an inevitable incident for most businesses. Phishing works best on tired, overworked employees caught in moments of stress, and can be launched on a personal or professional level. The foundational guidance is that all suspect or important communication should be verified via a second means if you think it’s remotely suspicious.

If you get a suspicious email, verify with your colleague a phone call or a WhatsApp. If you get a suspicious text, send an email. A key piece of advice for employers is to allocate work time to employees verifying communication, and as previously discussed, provide Security Awareness Training to develop a sophisticated comprehension of how bad actors use emails to leverage employees for access.

Clearly defined policies also help identify responsibilities and define roles. These policies can be used to demonstrate compliance and adequate precautions to avoid worst-case outcomes. However, they can easily turn into tick-box exercises that overwhelm employees and fail to meaningfully influence how we think at work.

A policy signed is not a policy read.

There’s a natural limitation to the power of policy to impact the day-to-day if policies aren’t folded into conversation and training. A workforce that communicates about security in all relevant discussions relating to their business is far superior to one that has supposedly mitigated risk by getting everyone to sign off on a few policies. 

Looking forward, what can be done to start developing your security position and folding these conversations into all parts of your business? It’s always worth building some context for yourself and reflecting on your current procedures and potential weaknesses before engaging a consultant or third party.

The Australian Signals Directorate has published the Small Business Cyber Security Guide[6], which is a great introduction to simple controls that can be implemented immediately.

When you’re ready to develop your policy-base, look to SANS[7], the world’s largest cybersecurity, research, and training organisation. SANS provides free policy templates to help shape your policy process. This will help you transform your relationship to risk and fulfil your responsibility to accommodate growth. It also paves the way for certification down the line. To achieve certification, it’s worth finding time with a subject matter expert who can tailor templates to your goals in a  cyber context and effectively help develop policies and implement them in accordance with the relevant training.

Subject matter experts are incredibly important to shaping the vision and direction of a thriving business whilst protecting customers, employees and the business against cyber risks.  There will always be an immeasurable benefit to putting cyber security at the heart of the business model and working it into the DNA of the company and its employees. Any business will need to lean heavily on its staff to protect against cyber risks, so it’s appropriate to invest in your human resources proactively and create reliable lines of communication forged through awareness and transparency.

The key message is that being cyber secure is now essential for all firms conducting any part of their business functions online. It should not be embraced purely as a means to save a firm financial loss in the case of a cyber-attack but as a mechanism to protect consumers’ personal data, stop business interruption and protect the brand that you have worked so hard to build over the years.

Alongside this first line of defence, the insurance industry needs to develop a robust cyber insurance market. Figures from Cyber Risk and the Role of Insurance2 suggest that less than 0.4% of the Australian market is cyber insurance, and there is an extreme shortage of skilled workers available.

This insurance market would not only provide a safety net if the first line of defence is breached but also provide information on best-practice standards and incentives for firms to comply with these.


CPD: Actuaries Institute Members can claim two CPD points for every hour of reading articles on Actuaries Digital.