A new report claims that insurance and reinsurance protection alone is insufficient to manage the growing threat of cyber attacks, finding that the cyber controls organisations use to mitigate data breaches and similar incidents might not be up to the task.
The analysis of cyber-control capabilities comes from the University of Oxford and specialist Lloyd’s of London insurer Novae Group. It highlights potential shortfalls in the controls that organisations across the world rely on to reduce or remove the threat of a cyber attack and to limit its impact on firms’ data and software.
Chief Innovation Officer and Head of Cyber at Novae Group, Dan Trueman, said: “We are delighted to be collaborating with Oxford University to understand more about this evolving threat. Businesses are not well prepared for data/software damage and this research demonstrates cyber controls which some companies adopt might not be fit for purpose. Much more needs to be done to understand the risk environment and prevent the potential damage to organisations from this threat.”
The report, titled ‘The relative effectiveness of widely used risk controls and the real value of compliance,’ explains that a control is a security measure implemented to reduce an asset’s attack surface, therefore mitigating the potential for harm from cyber attacks.
While the report explains that cyber controls are vital, the lack of data on their effectiveness points to a knowledge gap. To address it, the report explores a model hypothesis for assessing the effectiveness of cyber risk controls, supporting the analysis of “areas where value and harm are unaddressed by current controls.”
“Insurance alone cannot manage cyber-risk; we need a holistic approach. As insurers, we may decide a cyber-risk is a good risk when the insurance buying firm has put controls in place that meet one or another set of international standards. However, this paper shows that a cyber-risk gap may diminish the value of companies’ efforts to protect their assets from cyber-harm,” said Trueman.
Research from Professor Sadie Creese of the Oxford Department of Computer Science and the Saïd Business School shows that the current standards set by global bodies are, more often than not, not backed by objective, empirical research, so their benefits cannot be quantified.
Novae says this “weakens the value of compliance to risk-control standards because a compliant organisation may not be protected from cyber-harm.”
Discussing potential issues with current cyber controls, Professor Sadie Creese said: “Instead of simply working to meet standards, organisations must look carefully at the vulnerabilities inherent in the assets they want to protect. Cyber-attackers are creative and aggressive. Both the changing threat and an organisation’s attack surface must be modelled to ensure that cyber-controls offer adequate protection from harm.”