Artemis ILS NYC 2020


Reinsurance News

Report highlights potential shortcomings of organisations’ cyber controls

1st March 2017 - Author: Luke Gallin

A new report claims that insurance and reinsurance protection alone is insufficient to manage the growing threat of cyber attacks, citing that cyber controls utilised by organisations to mitigate data breaches, and similar, might not be up to the task.

The analysis and report on the capabilities of cyber controls comes from the University of Oxford and specialist Lloyd’s of London insurer, Novae Group, and highlights potential shortfalls with cyber controls that are used by organisations across the world to reduce or remove the threat of a cyber attack and the impact this can have on firms’ data and software.

Chief Innovation Officer and Head of Cyber at Novae Group, Dan Trueman, said; “We are delighted to be collaborating with Oxford University to understand more about this evolving threat. Businesses are not well prepared for data/software damage and this research demonstrates cyber controls which some companies adopt might not be fit for purpose. Much more needs to be done to understand the risk environment and prevent the potential damage to organisations from this threat.”

The report, titled ‘The relative effectiveness of widely used risk controls and the real value of compliance,’ explains that a control is a security measure implemented to reduce an asset’s attack surface, therefore mitigating the potential for harm from cyber attacks.

While the report explains that cyber controls are vital, a lack of data on their effectiveness suggests a knowledge gap exists, and the report explores a model hypothesis to assess the effectiveness of cyber risk controls, supporting the analysis of “areas where value and harm are unaddressed by current controls.”

“Insurance alone cannot manage cyber-risk; we need a holistic approach. As insurers, we may decide a cyber-risk is a good risk when the insurance buying firm has put controls in place that meet one of another set of international standards. However, this paper shows that a cyber-risk gap may diminish the value of companies’ efforts to protect their assets from cyber-harm,” said Trueman.

Research from Professor Sadie Creese of the Oxford Department of Computer Science and the Saïd Business School reveals that current standards set by global bodies, more often than not, aren’t backed up with objective and empirical research, resulting in a lack of quantifiable benefits.

Novae says this “weakens the value of compliance to risk-control standards because a compliant organisation may not be protected from cyber-harm.”

Discussing potential issues with current cyber controls, Professor Sadie Creese said; “Instead of simply working to meet standards, organisations must look carefully at the vulnerabilities inherent in the assets they want to protect. Cyber-attackers are creative and aggressive. Both the changing threat and an organisation’s attack surface must be modelled to ensure that cyber-controls offer adequate protection from harm.”

Recent Reinsurance News

Getting your daily reinsurance news from Reinsurance News is a simple way to receive only the reinsurance industry news that matters, delivered directly to your email inbox.

  • Only email is mandatory, but the more you tell us about yourself the better we can serve you in future!
  • This field is for validation purposes and should be left unchanged.

By submitting the form you are giving your consent to be emailed by us.

Read previous article:
Ariel Re to use Xuber software across Lloyd’s and Bermuda platforms

Reinsurance firm Ariel Re, which was recently acquired by Argo Group, is implementing the Xuber for Reinsurers software platform across...