Firms need cyber attack crisis plans now

By Rebecca Bole on March 2, 2014

The need for a cyber breach crisis plan is more crucial than ever as threats to private corporations grow exponentially, the audience heard at Advisen’s Cyber Risk Insights conference in London on February 25.

Lisa Meredith, Marks and Spencer’s assistant insurance manager, cited the recent launch of a new website as an example of the new paradigm in managing technology or cyber projects.

“We spent a lot of time deciding who we were going to work with on the website, including corporate communications, in case of a problem,” Meredith said.

She said cyber risk crisis management was the “latest iteration in risk planning” following pandemic-attack planning or Y2K planning in recent history.

RBS customer security executive, Michael Roberts, concurred: “In the finance sector we keep critical information on customers and its safety is vital to the corporation.

“We need to understand where the data is held and what controls are in place over its safety. And when something goes wrong, we need to know exactly what to do and when. We won’t have time in the heat of a breach to devise a plan. It has to be in place.”

When asked if the inclusion of a crisis team in a cyber insurance solution was a significant factor in making the purchase decision, the resounding answer was “yes” from Julia Graham, director of risk management and insurance at DLA Piper.

“We’ve been looking at cyber insurance for a long time, and now the topic is on the board table and in the budget for next year,” Graham said.

“Part of that offering is working with breach responders and crisis management experts. We need to know who we’re going to work with in the event of a breach, before things go wrong.”

In a separate address at the London conference, Lord John Reid of Cardowan, the UK’s former defense secretary, said that the volume of cyber threats was growing exponentially.

He noted that in the first six months of 2013, more than 1.5 million new malware strains were introduced in the UK, representing an almost 20 percent increase on the previous six-month period.

Reid added that 87 percent of small or medium-sized enterprises (SMEs) and 93 percent of firms with more than 250 employees had at least 1 data breach in 2012.

On average, data breaches cost large firms £450,000-850,000. The cost to SMEs averaged £35,000-65,000.

Shockingly, only 51 percent of UK firms have a formal response plan for a cyber attack, Reid said. Ninety-four percent of large firms have such a plan in place.

The risk manager panel at the conference all agreed cyber risk has risen to the boardroom agendas and is being taken seriously.

“Cyber is a classic enterprise risk. It doesn’t respect departments or even national boundaries and should therefore shape the way you do business,” Julia Graham said.

“I never thought cyber would be on the board’s agenda to the extent it is. I will soon be running a mock data breach with senior management, with the aim of safeguarding our firm’s reputation. That is a very big change.

However, “attempts at cyber risk elimination are futile”, Reid said. “God gave us cyber to keep us young. Every day there’s a new development.”

Rebecca Bole is EVP & Editor-in-Chief at Advisen. She has nearly 20 years of experience in the international insurance markets, both as an underwriter and a journalist. Contact Rebecca at rbole@advisen.com.