Rosehana Amin, Clyde & Co
31 October 2024 | Article | Analysis

Cyber events and risk management

Rosehana Amin from Clyde & Co’s global cyber risk team examines what captives can do to review, and potentially improve, their risk management of cyber events.

IBM’s “Cost of a Data Breach Report 2024” shows that the global average cost of a data breach in 2024 is $4.88 million, a 10 percent increase on 2023. Effective risk management could, however, significantly reduce the cost to a company, and in some cases prevent the data breach altogether. Organisations are increasingly turning to captive insurance to provide cyber insurance. As a captive manager it is key to understand the underlying risks surrounding a cyber event.

One of the issues facing large multinational organisations in a landscape of continued evolving cyber risks and growing regulation is that the limits in the cyber insurance market are not sufficient. A captive is able to provide multinationals with the required level of cover as a cost-effective alternative and potentially better coverage terms. 

As captives increasingly explore writing cyber risk as a risk transfer solution, it is important for them to consider cyber risk management as more than a question of capacity. Captive managers and insurance risk managers should consider how preparing for a cyber incident, and having access to the appropriate experts to address one, can mitigate loss and exposure.

Readiness

Preparation is key to boosting an organisation’s cyber resilience. The business interruption, reputational risks and legal and regulatory implications of a cyber incident could be devastating. It is therefore key that businesses are fully prepared and have taken every possible step to ensure that they are cyber-resilient and equipped to mitigate the risk and fallout from such an incident. 

Captives should ensure that as part of the cyber risk management strategy, proactive steps are taken by the insured to improve the readiness and resilience of an organisation.

Legislation and regulation

Technology is fundamental to how today’s businesses operate and comes with a host of rapidly evolving new legislation and regulation which must be understood and complied with.

In order to manage constantly evolving cyber risks, it is essential for an organisation to understand its IT infrastructure and dependencies. With respect to the latter, organisations should audit and understand the supply chain risks that might arise if a third party service provider were itself to suffer an incident. The impact of July’s CrowdStrike event illustrates the need to manage the risk exposure arising from external service providers.

Additionally, it is important to understand how a cyber incident can compromise the integrity of either personal data or confidential commercial data held by businesses. Where personal data is impacted, it is important to consider the legal and regulatory obligations arising, including the relevant timeframes that may be triggered for reporting requirements under global data privacy legislation and other frameworks. Given the legal implications, it is important to know that you are managing, storing and discarding personal data correctly in line with the current laws and regulations of the relevant jurisdiction. 


A cyber event can give rise to a number of legal or regulatory considerations and/or obligations, and these frequently extend beyond mere data protection considerations. What those considerations might be varies depending on an organisation’s sector of activity, the jurisdictions within which it operates, its listing status, the terms of any contracts and other factors.

In the UK, the election of the new government has resulted in uncertainty as to reform to data and cyber-related legislation. The previous government was progressing a Data Protection and Digital Information Bill through Parliament, described as a move away from the UK General Data Protection Regulation (GDPR). With a change in government, this bill was abandoned. 

Following the election in July 2024, the State Opening of Parliament and King’s Speech set out the proposed Parliamentary agenda under the new government. While not directly mentioned in the King’s Speech, the accompanying briefing notes confirm that two bills are on the agenda which may bring reform to data protection, privacy and cybersecurity practices in the UK. They are:

The Digital Information and Smart Data Bill; and 

The Cyber Security and Resilience Bill.

While we await further news of these bills, all businesses dealing with data in the UK and EU should be aware of their obligations under the EU GDPR and UK GDPR.

Planning, policy and procedures

Careful planning is key to being cyber-ready. As part of this, business continuity planning, policies and procedures should all be reviewed and updated to incorporate data and cybersecurity plans. 

While every cyber event or data breach may be slightly different, there are some consistent factors that can be mitigated with proper planning. The key to recovering swiftly from a cyber event is to plan ahead and ensure that businesses have adequate policies and procedures in place in order to remedy the situation as painlessly as possible. 

Considerations should include:

Developing an effective Incident Response Plan

How will an incident be detected? What procedures does the organisation have in place?

The key individuals who will be involved

How any issues are escalated

How decisions are tracked and recorded

How the impact and severity of an incident will be assessed

Being vigilant allows a continued reassessment of an organisation’s cyber risk exposure and requires ensuring there is a framework in place with access to experts, tools and partners to support insureds and captives when a cyber attack occurs.

Education and training

Education and training of staff should be high on the agenda. This can aid in preventing a cyber event, being prepared for such an event, and responding to any incident.

Reports, including those from risk analyst Kroll, show that phishing is consistently the top initial access method used by threat actors. This can be protected against, to some extent, by regular education and training of staff. The cost of such training is likely to be relatively insignificant compared to the cost of a cyber event which could have been prevented by making staff aware of the characteristics of a phishing email and what they should do if they spot something of concern.

It is important to educate staff as to their role in the event of a cyber attack or data breach. If everyone knows what to do, when they should do it and any reporting structure in place, then this can save valuable time, and therefore expense, in the event of a cyber incident. 

Response

Responding decisively and effectively to a cyber incident is vital to maintaining trust and mitigating loss. From the initial attack through to ongoing communications with stakeholders (such as regulators, law enforcement authorities, employees and clients), it is important to ensure that everyone involved is informed and ready to act when necessary.

Captives should have in place immediate access to trusted partners (IT experts, legal counsel, etc) who can navigate a cyber attack. That will result in better decision-making and support reducing the cost and impact of a cyber incident.

Reporting obligations

In the event of a cyber incident, appreciating whether the matter gives rise to reporting obligations for the organisation is a key question that needs to be addressed promptly. In the immediate aftermath of a cybersecurity incident, this is one of the first steps an organisation needs to consider. 

Reporting obligations may differ depending on the country in question, the regulator, law enforcement requirements, the severity of the incident and the number of people impacted. There is often only a very short period following discovery of a data breach to comply with your reporting obligations. In the UK and EU, and pursuant to the GDPR, the relevant data protection authority should be notified as soon as possible, and in any event within 72 hours. 

Other reporting obligations may be applicable (for example, under the Network Information Systems Directive 2 and the Privacy and Electronic Communications Regulations), and failure to comply with the relevant obligations could result in a fine.

It is important to consider what information needs to be included in reports to the relevant regulator. Knowing this in advance of any incident, and considering who is best placed to provide this information at the time, helps put an organisation in the best position to comply with its obligations in a timely manner, when there are numerous issues and differing priorities all fighting for attention.

It is necessary to be aware of any other reporting requirements an organisation may have, for example obligations to other regulators to inform them of data breaches, such as the Financial Conduct Authority or the UK Pensions Regulator. 

Due diligence

In the event of a ransom incident, any decision to pay the threat actor must be made only after appropriate checks and due diligence have been carried out in order to ensure that organisations do not fall foul of sanctions, anti-money laundering legislation or considerations under terrorism financing. 

Communication

Good communication with employees, customers and data controllers is crucial during the response phase of a cyber breach. It is key to consider not only the content of the communication, but also the way it is done. 

Risk managers often need to weigh up:

Who should be told (internally within the organisation and externally, such as customers and regulators), including for regulatory or commercial reasons;

Who should not be told—for example if this would present a risk to the business at that time; 

When people should be told; and 

What people should be told.

It may be that different groups of people need different information. Those involved in incident response planning are likely to need more technical, detailed communication than those who are simply being informed a breach has taken place. 

Some communications are obligatory, for regulatory reasons. The people who need to make such communications should be aware of this before any incident takes place. Other communications may involve a more commercial decision based on the risk assessment at the time.

Balancing priorities

As a victim of a cyber attack, an organisation faces many competing priorities in the immediate aftermath. Ensuring that the right thing is being done, at the right time, presents a delicate commercial balancing act.

Risk management

Risk management is key for captives. It is an essential component of reducing the cost of the cyber risk and the impact of an incident. Risk management in the cyber arena is not just investing in IT security management, but should also include:

Investing in cyber preparedness. We mention above issues that should be part of readiness planning but it can be very useful to invest in products such as cyber tabletop exercises. A tabletop exercise is a discussion-based exercise that offers an informal operational environment for team members to build their understanding of the incident response process and key cyber concepts. The team is taken through the key milestones that would generally be experienced within the first 72 hours of a ransomware incident. 

Having a panel of experts to form a crisis management team to deal with cyber incidents. Reducing downtime can mitigate risks and loss. A key aspect to this is having cyber breach counsel who can advise on legal and regulatory considerations. The Clyde & Co One network provides a panel of experts on hand for captives to access. As part of your incident response team, we can manage a cyber incident and get an organisation back to business as quickly as possible.

How we can help

The Clyde & Co cyber team and One network together form a global, locally tailored, cyber risk solution. We can help you manage every aspect of cyber risk, from readiness through to response and recovery. We have one of the largest dedicated cyber teams across our network of offices and offer a “follow-the-sun” model, with our teams in different regions available to assist around the clock.

Rosehana Amin is a partner at Clyde & Co in London. She can be contacted at: rosehana.amin@clydeco.com