Greatest cyber threat to an organization? Itself

By Chad Hemenway on April 18, 2014
Toby Merrill, division senior vice president, global cyber risk practice, ACE

Advisen: What do you see as the greatest cyber risks today?

Toby Merrill: Today, the greatest threat organizations face with cyber risk is themselves. Sixty-six percent of the claims ACE has handled stem from malicious insiders, employee error and lost or stolen devices or paper. In fact, only 24 percent of ACE claims have come from external hacking. The majority of losses we have seen could have been avoided with better cyber and privacy awareness by company employees. Until network security and data privacy are recognized as an enterprise-wide risk at the C-suite level and embedded into the culture of the organization – at the same level as financial, regulatory and reputational risk – we will continue to see companies mismanage cyber and privacy risks.

Advisen: What will the greatest threats be in 5 years’ time? (What are the emerging issues?)

Toby Merrill: Technology will continue to outpace privacy laws, regulations and compliance standards. As a result, we will continue to see new technological developments further impact our reliance on technology and, with it, expose companies to more cyber and privacy concerns. We have seen this in the past with the personal camera, personal computer, internet and social media. Going forward, smartwatches, the Internet of things, cloud computing and big data are all technologies that bring with them tremendous new opportunities – but also new cyber and privacy risks. Any one or a combination of these new technologies creates exponential risk for companies that incorporate them into their business without truly understanding the risks. One area in particular is the cloud. I share the well-stated concerns about the cloud that George Gerchow raised in his interview on Face Time. In fact, ACE recently wrote a white paper highlighting the benefits and risks of cloud computing.

Advisen: Is the insurance industry doing enough to adequately address these risks?

Toby Merrill: I’d like to think we are. There are a number of things the insurance industry has done really well up to this point. Many carriers and brokers have spent considerable time and resources educating organizations on cyber and privacy risks, and carriers are providing access to loss mitigation resources. Carriers have also developed data breach response teams, providing access to independent cyber resources from legal, forensics, public relations and identity restoration firms. Additionally, carriers have been financially supporting companies that experience these losses. But the truth is, similar to the path to cyber security, the efforts of the insurance industry will continue to be a journey. In insurance industry terms, cyber insurance is still in its infancy.

Advisen: What keeps you awake at night?

Toby Merrill: Donald Rumsfeld’s famous quote about weapons of mass destruction captures my sentiments about cyber. He stated it best when he said, “… there are known knowns; there are things that we know that we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns, the ones we don’t know we don’t know.” In cyber, there is an incredible amount of known unknowns and unknown unknowns – that is what keeps me up at night.

Advisen: In your opinion, what is the single most important cyber risk development in the past 12 months?

Toby Merrill: That is a tough one, as there are so many developments impacting cyber right now. The regulatory and legislative developments in the EU and U.S. are likely to be the most impactful in the next 12 months. However, the biggest development in the past 12 months would be the triumvirate of the Snowden event, the recent retail breaches and the Obama Administration’s launch of the Cybersecurity Framework. The timing of these three events has created the perfect storm – aligning the necessary pieces for organizations to see the need for, and to make, significant changes to how they manage cyber and data privacy. Cyber and privacy risk is at an all-time high and I do not see it going away, only growing.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824.