<p>In this exclusive Masterclass, in collaboration with Aviva, we take a deep dive into the world of cybersecurity: the latest trends, the experts' advice and the policies in place to protect your business. Our experts are:</p>
<ul>
<li>George Thomas, Cyber Claims Lead, Aviva</li>
<li>Matthew Clark, Cyber Director, Partners&</li>
<li>John Clarke, Cyber Technical Underwriting Manager, Aviva</li>
</ul>
Duration
2023 - 00:48
Recorded Date
Friday, October 6, 2023
Transcript
<p><strong>Speaker 0</strong>:
<span>Hello and welcome to this cyber masterclass with insure TV in association with Aviva. We are focusing today on the micro and SME market in the UK extraordinarily high levels of under insurance when it comes to cyber. But what are the reasons for it and what can be done to address it? Uh, to really help clients out in this growing area of risk and threat the market? We'll discuss that. I'm joined here in the studio by George Thomas. Cyber claims lead at Aviva, Matthew Clark, cyber director, partners and group,</span></p>
<p><strong>Speaker 0</strong>:
<span>and John Clark, cyber technical underwriting manager also from Aviva.</span></p>
<p><strong>Speaker 0</strong>:
<span>Those are our panellists. Let's get things straight underway. Well, George, you're spending a lot of time obviously looking at claims. So what are some of the trends that you're seeing there when it comes to particularly to SMEs. Yeah, well, well, in the SME space, the the SMEs are not still immune to ransomware attacks. Um, just like the large multinational corporations, Um, but also within the SME space, they are particularly vulnerable to social engineering attacks and also business email compromise, Um, and not and not only that they are the very</span></p>
<p><strong>Speaker 0</strong>:
<span>to payment diversion fraud as well. Um, and that's the type of thing that we are seeing seeing in the SME space more and more how much this is Is SMEs claiming on stand alone cyber policies? And how much is it SMEs getting in touch and saying I've kind of got another bit of insurance, but I'm just hoping there's a bit of cyber in there.</span></p>
<p><strong>Speaker 0</strong>:
<span>It it's it's honestly, a little bit of both. Um, we do often see a lot of a lot of payment diversion frauds on our stand alone cyber insurance policies. Um, but on other on other policies as well, um, we do see often see notifications. Um, where they're asking if is is there any silent cyber here that's available for us? Thank you, Matthew Partners And you, you're working with a lot of SMEs as as clients just a little bit about the mix of business that you've got. And what are some of the the trends that you're seeing in cyber</span></p>
<p><strong>Speaker 0</strong>:
<span>Well, Partners& is essentially an an SME shop. So we serve a range of, uh, microbusinesses and small to medium sized companies. Um, up to, uh the majority probably having up to around 25 million</span></p>
<p><strong>Speaker 0</strong>:
<span>in, uh, revenue. Um, we do have clients that are much larger than that, but that But that's the exception rather than the norm. So, uh, our world right now is is is, uh, one where we are trying to get SMEs onto a journey of understanding with cyber risk. I think as insurance brokers and insurers, what we are really struggling with is a landscape currently where SMEs to a large extent think that cyber is something that won't happen to them. Uh, we have to overcome</span></p>
<p><strong>Speaker 0</strong>:
<span>that. That challenge and my my my day job is to help, uh, my colleagues do that and start cyber conversations with their clients in a meaningful way at the SME level.</span></p>
<p><strong>Speaker 0</strong>:
<span>And, John, can you give us your views on how some of these cyber risks are emerging, particularly from a risk management perspective, And also when it comes to communicating with clients,</span></p>
<p><strong>Speaker 1</strong>:
<span>I think a major, uh, focus for the kind of SME market has been far too much when we talk about the NIST Cybersecurity Framework, which is a good overall framework for for cybersecurity management.</span></p>
<p><strong>Speaker 1</strong>:
<span>Um There's far too much focus on identify and protect the the kind of top two layers, and they're a little bit qualitative. Uh, SMEs really do require the same level of technical expertise as the large kind of compatriots, as as George was mentioning earlier. So there's different ways of cascading that information down, Um, IT providers who themselves can be SMEs sometimes maybe aren't the best place to to get that information through,</span></p>
<p><strong>Speaker 1</strong>:
<span>um, insurance brokers and insurers have a plethora of information available, and they're really kind of catching up with the rest of the market. Thank</span></p>
<p><strong>Speaker 0</strong>:
<span>you, Matthew. I want to come back. What you said, though, that a lot of SMEs don't think it's their issue. Cybers is something for the large companies. What? Why? Why is that? I think there are various reasons for that. If if we take just re recently the the the most topical,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, media coverage of of cyber events, it's it's, uh, impacted. Uh, the MGM resorts, uh, business in the United States, which is a A $15 billion business. Uh, many micro and SME, uh, companies that see that kind of, uh, cyber reporting Think well, that's way out of outside of of anything I can relate to. It's it's not relevant to me. They also tend to believe themselves to be</span></p>
<p><strong>Speaker 0</strong>:
<span>immune, perhaps because they're using external service providers for for their IT that it's something that they outsource or they feel that they don't hold huge volumes of data. So therefore, they're not going to be a target or they're just a small business, and they shouldn't be occupying the attention of cyber criminals. Of course, unfortunately, we know, uh, from all the research and various, um, case studies and survey reports that are available in the marketplace, that the opposite is true. That SMEs are actually attacked far more frequently,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, and aggressively than than larger businesses. And John is that because SMEs are less prepared? Uh, because presumably if you want to perpetrate cyber fraud, you've got a trade off. If you if you hit the jackpot, a really large company, it's a huge payout, but they'll be very well protected versus take lots of little bets, but they're probably quite easy. Individual bets to</span></p>
<p><strong>Speaker 1</strong>:
<span>crack. Well, I suppose you can argue larger corporations have a wider what we call attack surface. So there's more entry methods in, um, SMEs in this country kind of</span></p>
<p><strong>Speaker 1</strong>:
<span>employ 50% of of the populace. So you've got quite a broad attack surface there to propagate attacks such as social engineering, phishing scams that George was speaking about earlier. Um so for for one thing, training of those staff members is absolutely pivotal. And it's probably the biggest bang for your buck thing that you can do.</span></p>
<p><strong>Speaker 0</strong>:
<span>OK? And I also Matthew, I'm going to bring George in a second. Before I do. Could you put some numbers on? Uh, I mean, we've talked in general terms that this is an area of the market that's under under job. Have you got any numbers you can put on as to what that level is and what the downside is if you if you get this wrong, Yes, certainly. Well, I mean, in in terms of the the general sort of threat landscape that we're all facing right now, the the UK government actually puts out its own cyber breaches, survey reports every year,</span></p>
<p><strong>Speaker 0</strong>:
<span>and the 2023 report um, one of the key stats there showed that 32% of UK businesses report at least one cyber attack in the last 12 months, which is a huge, uh, number volume of cyber activity. Imagine if I'd said that 32% almost a third of UK businesses had suffered a fire or a flood in the last 12 months. We'd all be running around, uh, with our hair on fire W wondering where our fire insurance policy was. But cyber insurance is massively undersold.</span></p>
<p><strong>Speaker 0</strong>:
<span>Uh, there's the the different estimates that I've read, uh, range between 15 to 10 to as low as 10% as SME take up of of cyber insurance. Um, so all of our work is ahead of us in terms of educating clients in the SME sector as to the level of threat against them,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, the severity of threat and the frequency of attacks and getting them onto a journey towards, uh, cybersecurity, better cybersecurity and cyber insurance as the ultimate blanket of protection and and George, from a claims perspective, Um, have you got enough resources to deal with the amount of claims that are coming? You know, if this is a growing area of the market and there's a lot of under insurance, and hopefully every time that changes. Do you look around the office and think we've got enough people here to deal with all of this?</span></p>
<p><strong>Speaker 0</strong>:
<span>Yeah, well, we we we do. We do have cyber surge, uh, planning in preparation for, for for those type of events. If we do do have those events occurring. Um, we are quite, um, we are quite prepared for the event of, um</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, uh a huge amount of business email compromise attacks or ransomware attacks. Um, but also, we are still always still trying to increase our increase. The head count, um, for the for those people who can deal with cyber claims and assess and assess and manage them efficiently. And George, you mentioned earlier there, there's there's certainly some trends from cyber criminals on how they're targeting smaller companies. Could you give us an example or two of of, of what's going on and why it's such a problem?</span></p>
<p><strong>Speaker 0</strong>:
<span>Yeah. I, I think I think it's social engineering scams again. Um, social engineering scams are where, um, an attacker impersonates, um, somebody in senior management within within an organisation. And they're able to perpetrate fraud, and they can do this by telephone. They can do it via, um, a business email compromise. And then they're able to, um, divert payments that are meant to go to contractors. And so even for small businesses, not just not just large businesses. They make payments every day to suppliers and contractors. Um, and even</span></p>
<p><strong>Speaker 0</strong>:
<span>for even conveyancers and solicitors as well, we We see that quite a lot. Um, they're able to divert the payments that were meant to go to to those people. Um, and they'll go to the attackers, and then once they're in, once they're in the attackers' bank accounts, they will then divert the payments, Um, around to the, uh, separate bank bank accounts. Um, and then we're unable to recover the funds, as are the bank. Um, and as are the police.</span></p>
<p><strong>Speaker 0</strong>:
<span>So I I get it. If somebody was able, you are my boss. And I got an email that seemed seemed to come from you, but you mentioned phone as well. I mean, is this is this where AI is taking us now? Well, yeah, well, we we mentioned AI. I think there are. There are a couple of rumours around the market that there are, um there are attackers that are able to use voice changes to</span></p>
<p><strong>Speaker 0</strong>:
<span>to impersonate senior management and able to, uh, so they're able to perpetrate fraud. Um, we haven't seen that yet within Aviva. Um, but I think that's certainly something something on the on the horizon. And what we're seeing with the telephone is that we are We are seeing attackers being able to use the phone to be able to to ring those within the office. So perhaps an executive assistant, Um, uh, or or somebody who's not a senior manager, uh, and and able to, uh, gain access to the insured bank account or or a bank account and be able to divert payments in that way.</span></p>
<p><strong>Speaker 0</strong>:
<span>John, how do you How do you sort of, uh, you as Aviva Sort of help provide education on this? Because I suppose listening to that the short answer is, don't trust anybody unless you're sat down face to face with them. If they're discussing internal movement of funds and a</span></p>
<p><strong>Speaker 1</strong>:
<span>business IT is broad. You can have somebody who's a developer. You can have somebody as a network engineer. Security architect. Um, so it's It's</span></p>
<p><strong>Speaker 1</strong>:
<span>It's very, very difficult to sort of pin down a particular person in that SME who might have to focus on cybersecurity. But there are ways of educating and getting yourself up to speed on the various risks that you know are prevalent to SMEs. Um, I mentioned previously that</span></p>
<p><strong>Speaker 1</strong>:
<span>a lot of SMEs outsource their IT, and I think I think Matthew spoke about it as well. Um, in a recent ScienceDirect study, 93% of those particular organisations are themselves SMEs, so they might have sort of a small area of expertise in cybersecurity. Uh, so trying to cascade the information down through, uh, insurance brokers and and in the insurance marketplace is probably a more advantageous way and that that study kind of backed that up as well.</span></p>
<p><strong>Speaker 1</strong>:
<span>Um, so there is material available. The National Cyber Security Centre is a really, really useful place to start effectively any small business or any organisation,</span></p>
<p><strong>Speaker 0</strong>:
<span>actually, and Matthew just of interest. If you are a small business that has outsourced a lot of what you do to an IT third party,</span></p>
<p><strong>Speaker 0</strong>:
<span>why is that a problem? I mean, they're the experts. You Well, it's It's often super convenient for businesses of all sizes, actually to use external service providers. Um, it it generates efficiencies. Um, it enables them to use expert platforms and systems to enable them to perform their day to day tasks. That's fantastic. But with every use of technology comes new risk.</span></p>
<p><strong>Speaker 0</strong>:
<span>And if you're outsourcing, uh, services to a third party, uh, you're essentially extending your, uh, your supply chain vulnerabilities to encompass what that third party is doing for you. So you have to make sure that your own view of your, uh, cyber risk encompasses your reliance upon those third party providers as well. You need to understand what they're doing with your data, uh, and how they're securing the systems and data that that you're relying upon that from them.</span></p>
<p><strong>Speaker 0</strong>:
<span>The the other important thing to to bear in mind is that in the UK, uh, the data protection legislation makes it very clear that even though you might be using third parties to manage your data, for example, you still have the liability for any breach. Uh, with that data, So you have a direct responsibility to the data subject.</span></p>
<p><strong>Speaker 0</strong>:
<span>So, uh, using those third party systems creates efficiencies, but it doesn't absolve you from any blame if things go wrong. OK? So you can't fundamentally As a business, you cannot outsource your responsibilities. You can't contract out of responsibilities. That's right. Thank you, John. I want to come back to to a theme from a little earlier, which is this idea that not all but some SMEs will say, Well, this is a big company problem.</span></p>
<p><strong>Speaker 0</strong>:
<span>Um, is there some truth in that? In a sense, if as to why they don't, uh, interact with with cyber policies on the basis that actually, for you as providers, you've created policies that have got all the bells and whistles on because the first people who you've gone to are the big companies, and actually you're offering something that's got expensive bells and whistles that re really they don't need and therefore they just say thanks, but no, I</span></p>
<p><strong>Speaker 1</strong>:
<span>think the the big companies</span></p>
<p><strong>Speaker 1</strong>:
<span>in the press have had kind of more coverage about the losses that they've faced and the loss that they suffered the attacks that they are actually able to recover from. Um it's the small companies that have gone bump or the small companies that have some kind of ransomware attack or some kind of, you know, damaging attacks, their infrastructure that you don't hear about in the press. And they are equally as devastating, you know, proportionally to their site. Um, SMEs</span></p>
<p><strong>Speaker 1</strong>:
<span>the the the major way in, as we've we've touched on, is is that social engineering piece? Um, but all it takes is a small kind of</span></p>
<p><strong>Speaker 1</strong>:
<span>bit of what we call open source intelligence, which is just looking at any kind of publicly facing infrastructure. So we talk about the Internet, we talk about kind of marketing that you put out. That's what hackers are using to try and forge attacks. They're they're going on LinkedIn. They're trying to find out who the finance director is. They're going on to your website. They can get email addresses, telephone numbers. So SMEs might be actually putting out quite a lot of information about themselves that they're not too sure about, or they're not sure that it can be used against them. Um, and they're equally as kind of</span></p>
<p><strong>Speaker 1</strong>:
<span>should we say, juicy for the, uh, for the cyber cyber activists.</span></p>
<p><strong>Speaker 0</strong>:
<span>And Matthew, presumably a lot of people as employees will also have their own digital presence in their capacity, as as individuals. What are some good policies to have as a as a small business, that sort of make sure that those two worlds are kept separate? Yes, this is this is, uh, uh the very crucial question. And and one of the the the the the starting points for us in in discussing cyber risk with SMEs</span></p>
<p><strong>Speaker 0</strong>:
<span>is that they should have good corporate governance in place. And that means having the appropriate processes and procedures that they communicate effectively to their staff. Um, to make sure that staff are behaving within the confines of what the of what their company feels are at sensible rules. So that could be things like, uh, use of social media, particularly when it comes to using, uh, company devices to access those those, uh, systems.</span></p>
<p><strong>Speaker 0</strong>:
<span>Uh, and it could be, uh, the use of third party software systems using company devices as well, other other kinds of networks and systems. So there has. There has to be some governance to tighten up controls there. As, of course, it extends the company's general attack surface.</span></p>
<p><strong>Speaker 0</strong>:
<span>Hm. But but I'm wondering as well down to specific things like I don't know. I put on Facebook. We're off for a wonderful week's holiday with the family or whatever. And then somebody sees that and phones. Uh, George says George, I've been talking with Mark. I know he's away this week. I wonder if you could just do the following and send it through. I mean,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, can you have policies that that that even cover the amount of information you put out about yourself? Or is that getting a bit constrictive on on on employees in their capacity as individuals? I think I think it's important as part of those processes and procedures to have effective internal financial controls. So, for example, in terms of what we were just discussing around social engineering attempts and phishing attempts, it's useful for for a company to have, uh, very strict rules around who can move money, who can respond to requests to move money or requests from,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, counter parties to change bank account details. Uh, things of that nature and those have to be strictly adhered to. Uh, otherwise, um, you could be exposing yourself to unwanted attention from, uh, cyber criminals intent on performing those funds transfer frauds. And recently there was a Dear CEO letter that went out talking about the importance of making sure there's value for money. Uh um, and I think sort of cyber was part of that. So,</span></p>
<p><strong>Speaker 0</strong>:
<span>um, just can I get your thoughts on that first? What? What what are the what are the sort of the key elements in that? And how does that make or how should that be, making insurers and brokers think about what they offer?</span></p>
<p><strong>Speaker 0</strong>:
<span>Yeah, I think I think it's important to to to kind of look at the whole package in terms of in terms of what the cyber insurance policy provides. Um, it's not just just money that that cyber insurance policies provide. It's also the the response element as well. Um, And so when you look at what what cyber insurance policy provides, you've got the first party elements. Um, the first party elements are the business interruption. Um, uh, funds that they provide and the indemnities that that provide,</span></p>
<p><strong>Speaker 0</strong>:
<span>Um but then also you've got to look at the response as well. Um, and the response part is, I think is especially crucial for SMEs. And that's the, uh the the ability to be able to instruct IT forensics teams and, uh, and also to be able to instruct, uh, lawyers as well to be able to provide that, um, that critical response in terms of</span></p>
<p><strong>Speaker 0</strong>:
<span>advising insured and organisations as to what their contractual and regulatory obligations are as well. So when you, uh when you've dealt with a claim and you're you're you're you're you're dealing with the customer in the round with cyber,</span></p>
<p><strong>Speaker 0</strong>:
<span>do they say, Oh, sort of. Thank goodness there was a pot of money at the end. Or is it? Thank goodness you got the right people in in touch at the right times that helped unpick this mess. What? What what afterwards is the thing, the feedback you get that provided the best value. Maybe I'm being a little bit biassed, but I think they always They always thank us for the help that we provided rather than the money. Um, but I think they're also thankful, thankful for the money as well. Um, again, it's a little bit of both. So when you look at a ransomware attack, for example, you've got the response elements, so you've got the the Earth.</span></p>
<p><strong>Speaker 0</strong>:
<span>You got the cybersecurity response. Um, and you've got the lawyers, and then you've got the the PR and potentially credit monitoring as well and all those, uh, form into kind of a crisis management team. And that really is the backbone of the team that would help an SME. And once once they're going through an attack, and but then also on the latter end of the claim, you've then also got the business interruption and then potentially the third party liability stuff as well that you're still helping out with. So so you you're getting that help along the way. But then you're also, um, you're also getting the funds at the end.</span></p>
<p><strong>Speaker 0</strong>:
<span>There is a business interruption loss or or there is a litany of third party claims, Um, And then also, just just to remind, just remind everybody that appointing appoint these experts aren't cheap as well. And so if if an insured how to appoint them by themselves, and that would cost a hell of a lot of money. Well, as I asked you that question, I could see Matthew up there. So let's bring you in. I mean, George you know, you're absolutely right. The the real benefit that we see our clients gaining from having an insurance policy</span></p>
<p><strong>Speaker 0</strong>:
<span>is the breach response service the fir. The first, uh uh, response that a client has, uh, when they suffer this kind of attack. Uh, regardless of what type of cyber attack it is is blind panic. Often times they just don't know who to speak to. They don't know how to get the advice that helps them to respond to and recover from the attack. So having access to a kind of break glass push panic button 24/7 response. Uh, helpline is massively, uh, important. It helps them feel as though they're not going through this alone,</span></p>
<p><strong>Speaker 0</strong>:
<span>that they have, um, somebody who's on hand to triage the problem for them and then deliver, uh, using insurers, panel providers, whatever service it is that helps them to recover from that attack. And frequently that, uh, is either a combination initially of legal advice around potential notification,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, to the Information Commissioner and IT forensics to to understand how the bad guys got into your system in the first place. And those are often very critical because SMEs lack the ability to to access those sorts of services and knowledge themselves. John, how do you make sure you've got enough of that third party expertise? Capacity on hand? Because again, if this is a growing market, if you're working with, I don't know, eight law firms. Now, presumably you can do the math and think, Oh, we better be working with 16 by this time.</span></p>
<p><strong>Speaker 0</strong>:
<span>You know, in 2025 or 32 you know, 32 by 2035. I mean, how do you make sure you've got enough people, uh, online to help and that they themselves have got enough capacity?</span></p>
<p><strong>Speaker 1</strong>:
<span>George mentioned the kind of expense involved with appointing third party experts. Uh, if you do suffer an attack and you go with a big name in the response or the incident response category, they're going to be charging upwards of £1500 a day. 2000, maybe £2500 per day.</span></p>
<p><strong>Speaker 1</strong>:
<span>Um, you mentioned the the letter that was sent to CEOs or the Dear CEO letter from the FCA that I think that's correct. Um, in in regards to value for money and to kind of directly address that Aviva have worked with kind of the product team to strip out parts of the kind of cyber insurance coverage that aren't massively important. They are very important, but they're not kind of the priority for an SME. That's as you mentioned before. Uh, Matthew, the blind panic that they kind of suffer from</span></p>
<p><strong>Speaker 1</strong>:
<span>when there is an attack. So the respond products from Aviva, which is available to sub 1 million turnover companies, um, with you know, provides nil excess or very, very little excess, uh, provides you with a phone number to respond if there is an incident. So you switch on your laptop on a Friday afternoon? Um, because you've been at the pub. That's why it's Friday afternoon and you switched it on. Um,</span></p>
<p><strong>Speaker 1</strong>:
<span>and all of a sudden you're met with a ransomware attack. You can pick up the phone, call the, uh, kind of hotline that's provided and get instant access to, uh, uh, an incident response specialist.</span></p>
<p><strong>Speaker 0</strong>:
<span>Ok, thank you. Thank you for that. Um, I we've talked a little bit about how this is growing out of the market, Matthew. How sensitive are clients to price on this because we've heard a lot, you know, 11, you know, it's fairly common thing. People say it's a cost of living crisis. Business is under pressure</span></p>
<p><strong>Speaker 0</strong>:
<span>that a lot of people just put off getting cyber. There's there's no doubt that that cost is an issue. Um, and the perception, Uh, certainly three or four years ago, Prepa was that, uh, cyber insurance is something rather exotic and and difficult to obtain and expensive and unaffordable for small businesses. Um, I I'd like to obviously the the insurance markets gone through, um, a rather dynamic period. Uh, since 2020</span></p>
<p><strong>Speaker 0</strong>:
<span>the cost of cyber insurance has increased The line sizes that, uh, insurers are willing to provide has has dropped, um, insurers. Underwriters want clients to have more skin in the game with bigger excesses and retentions. It's it is. It has been a very tough</span></p>
<p><strong>Speaker 0</strong>:
<span>landscape to operate in as an SME broker. Having said that, I think that cyber insurance now the cost of cyber insurance now is more in tune with the risk that SMEs are running without necessarily realising it. It's incumbent upon brokers like me to be able to to position contextually the conversation with clients as to why the price is what it is. And it's very easy to show that using the various statistics and case studies and information available in in the marketplace,</span></p>
<p><strong>Speaker 0</strong>:
<span>that cyber is very often now the number one risk that our clients have in the SME space without them necessarily realising it. So there's a certain element of reassuringly expensive pricing around cyber insurance. It needs to be considered alongside lines like professional indemnity and product liability for S for SME businesses. How do you take a a client along that journey, where they get to a stage that say yes, it's reassuringly expensive rather than?</span></p>
<p><strong>Speaker 0</strong>:
<span>Oh, God, the only thing that I haven't got insurance against is somebody telling me I have to take out more insurance. I think before clients can understand the value that insurance brings, it's necessary to position the conversation around what cyber risk is to make sure they have an understanding of that and what it can do to their business. Only then can we really relay and and, uh, intrinsically demonstrate the value of insurance and the breach response service that comes with it. So for us, um, the discovery process with clients comes first,</span></p>
<p><strong>Speaker 0</strong>:
<span>assessing their preparedness for risk and getting them, uh, in a better position in terms of their cybersecurity. Uh, then comes second. And then, lastly, that makes the insurance journey a lot easier.</span></p>
<p><strong>Speaker 0</strong>:
<span>And if you're a broker listening to this thing, that all sounds great in theory. But how long do these journeys take? If I'm going out and talking to a small client, uh, who doesn't produce a lot of premium,</span></p>
<p><strong>Speaker 0</strong>:
<span>I've got to provide them a good service. But it must be tougher to get out of bed and think, Oh, I'm gonna have six months of conversation before you know there's some business at the end of it. There's there's no doubt this is This is a marathon rather than a sprint. Um, uh, if we if we look at the size of the current, um uh, cyber insurance market, I think by accounts I've read it's about $14 billion. Globally, it's estimated to be $85 billion by 2030</span></p>
<p><strong>Speaker 0</strong>:
<span>so it does require a bit of an investment on the part of all of our all all businesses, insurers and brokers. But the opportunity is huge I think by some estimates, the current value of the cyber insurance market is around $14 billion globally. It's estimated, though, to be closer to 85 billion by 2030.</span></p>
<p><strong>Speaker 0</strong>:
<span>So although it requires a lot of upfront investment right now, the opportunity is huge for brokers and insurers to to tackle this thorny issue in the SME space.</span></p>
<p><strong>Speaker 0</strong>:
<span>And George, you were unpacking some of the examples of what you're seeing in claims at the moment, particularly around, um, payment diversions. But what is could you talk through in a bit more detail? Some of the other trends that you're seeing? Yeah, it it's not just ransomware or or social engineering. Um, I think one of the other other big claims that we see is is business email compromise. And we see a high frequency of of business email compromise cases. Um,</span></p>
<p><strong>Speaker 0</strong>:
<span>that is not just for, um, the the purposes of committing, uh, payment diversion fraud. This can also be to, uh, commit data exfiltration, which is, um, taking personal data, stealing it and selling it on the dark Web,</span></p>
<p><strong>Speaker 0</strong>:
<span>Um, or also, in order to further the threat actor's ability to, uh, complete phishing campaigns to other organisations as well. And business email compromises can be quite expensive because again, you've still got to do the response piece. You've got to do the IT forensics piece as as we touched on earlier. Um and then you've also got the legal and contractual obligations. Um, oftentimes you'll have contractual obligations to some of your customers that you may not realise that are written into the contract. If you've had a cyber incident,</span></p>
<p><strong>Speaker 0</strong>:
<span>um and then you've also got the, uh, uh obligations to notify the ICO oftentimes and to notify, uh, any data subjects that have been impacted. And so it can become quite costly, even if there's no, um, payment diversion fraud at the end of it.</span></p>
<p><strong>Speaker 0</strong>:
<span>And this is probably a very unfair question to to ask you, uh, because I, I appreciate there's a real plethora of of of cases that you that you'll you'll be dealing with, uh, each of them is unique. But when someone has been cyber compromised, how long can the business keep running before they realise it? Is it Is it pretty much instantaneous or or are there quite a lot of plans? It happened eight months ago we had, you know, this has been</span></p>
<p><strong>Speaker 0</strong>:
<span>chuntering on for for ages. Yeah, you'd be surprised at how long a threat actor can sit within an organisation's system before they they pull the trigger, so to speak. I've seen threat actors sit within systems up to up to 99 to 10 months. Um, but but most organisations do notice quite quickly. But even if they notice after seven days or or or even two weeks, um, you're you're still the</span></p>
<p><strong>Speaker 0</strong>:
<span>is ticking once you once you do realise in terms of, uh, your your personal data obligations, um, and then also trying to identify, contain and mitigate the breach, um, to to achieve a reasonable outcome. So presumably, there's this won't solve every problem. But a certain amount of being being wise and self help is is a good idea. So what? What are some of the things that companies can do themselves</span></p>
<p><strong>Speaker 0</strong>:
<span>to to sort of mitigate risk, to go back over things? Double check? Uh, just so that, you know, even if there is a threat actor in there, they find them sooner rather than</span></p>
<p><strong>Speaker 1</strong>:
<span>later. Yeah, I think the first and kind of most important thing I mentioned earlier is training. So training for all staff members who have access to any kind of kind of Internet facing device. Um, training on the threats of</span></p>
<p><strong>Speaker 1</strong>:
<span>potentially what might happen if they're going to click on a link that might be diverting them to somewhere else. Uh, the dangers of,</span></p>
<p><strong>Speaker 1</strong>:
<span>you know, not enabling multi factor authentication on their phone because they can't really be bothered. Just going through some of the kind of basic cyber hygiene, uh, is is the biggest bang for your buck thing that you can do. It's a lot of the times it's free if you want to go and use, um, for example, the the National Cyber Security Centre. Have a training module if you want to use third party kind of, um, implementations as well. It's not massively expensive, so training is kind of first and foremost. Uh, secondly, there are technical implementations that you can</span></p>
<p><strong>Speaker 1</strong>:
<span>work through. Um, I'm not going to go into great depth now, but, um, things like enabling multi factor authentication things like actually just having a password that's longer than 12 characters, Um, you know, multisyllabic. Uh, if it's three random words that was, uh, the Gus a few years ago. So three random things around you,</span></p>
<p><strong>Speaker 1</strong>:
<span>you can exponentially multiply the time it takes for somebody to brute force that password. And if you take an SME that they're less likely to have kind of purpose built systems internally, they're gonna be using a lot of software as a service applications and platforms, which will then mean there's lots and lots of passwords that they're going to potentially be using. So use something like a password manager to make sure that you're using a different and distinct password. Uh, in every single</span></p>
<p><strong>Speaker 1</strong>:
<span>different application that you're using, it makes it incredibly difficult, a kind of layer above. That is, as I said, in multi factor authentication on all those different, uh, systems. So there are, you know, multiplex of things that you can do. Um, and they're not massively expensive either, that it's just about being in the know. It's about talking to your broker, your insurer, just to figure out what kind of things should I be focusing on? Uh, we have a statement of fact at Aviva, which is nine things. Um, if you go through and work through those nine things as an SME.</span></p>
<p><strong>Speaker 1</strong>:
<span>You're probably 95%. I don't want to check a stat out there. I might get wrong, but you're above, um, the kind of national average for how secure you'll be.</span></p>
<p><strong>Speaker 0</strong>:
<span>And George, in your experience, when you look at cyber, how much of this has been human error and how much has this has been? I think what John referred to as brute force, you know, it's computing power, plus time. You haven't got a chance. Yeah, Often times it can be difficult once, once an attacks happened to be able to really drill down to the root cause. But when we do,</span></p>
<p><strong>Speaker 0</strong>:
<span>um, I, I would say it's around 70 to 8%. Result is is because of human error and then 20% is is is via brute force or or open source and open source reasons. Thank you, Matthew. Can I get your thoughts on what you can do to self help and not least because Partners& is an</span></p>
<p><strong>Speaker 0</strong>:
<span>SME in its own right. So what are the challenges you've been mentioning? Things other people should do? What have you What have you been doing as an SME? Well, uh, that's a great question. We we have ourselves, um, chosen to go down the Cyber Essentials route. Uh, and I'm a big fan of Cyber Essentials. Cyber Essentials is, uh, something that was developed by the UK government. It's essentially a cybersecurity certification programme for businesses.</span></p>
<p><strong>Speaker 0</strong>:
<span>Uh, it takes them through five, basic steps towards good cybersecurity, many of which we've just been discussing. But it's things like how to craft a robust core IT system. How to manage access to your to your system using authentication layers, uh, how to guard against malware attacks, how to train staff.</span></p>
<p><strong>Speaker 0</strong>:
<span>It's a little bit of self help. Really. For for SMEs, it's a very convenient way of, uh, self certifying. Actually, there are two levels to it. There's Cyber Essentials and Cyber Essentials Plus. The difference, uh, with Cyber Essentials Plus, which is what my firm has has has now has</span></p>
<p><strong>Speaker 0</strong>:
<span>is that you have to be externally audited and assessed and certified as part of that. But it's, uh, a very yeah, relatively straightforward, easy process. Um, it's low cost. It protects you against something like 80% of common cyber attacks. So it's a very effective way for most SMEs to mitigate cyber risk in their domains.</span></p>
<p><strong>Speaker 0</strong>:
<span>John, in your experience, um,</span></p>
<p><strong>Speaker 0</strong>:
<span>presumably SMEs, when they get interest in the idea of cyber and say, this is this is an issue we need to take seriously that there's got to be an internal champion. Somebody must pick that baton up at the start. In your experience, are there particular types of people or particular roles they have in an organisation?</span></p>
<p><strong>Speaker 1</strong>:
<span>Well, in a previous role, uh,</span></p>
<p><strong>Speaker 1</strong>:
<span>I was risk management focused, uh, and I had an organisation on a on a team's call, and I was going through a bit of an open source intelligence gathering exercise with them. Uh, and whilst I was on the call with them, I was able to find their open, remote desktop server. Uh, and that was a wake up call for the business owners who were on the call. Um, but more often than not, it is outsourced IT. It is internal IT kind of experts, or or or managers who are pushing to get that cover. Um,</span></p>
<p><strong>Speaker 1</strong>:
<span>but it also comes from brokers as like like Partners& in in terms of the expertise that they bring to the table and the conversations they open up with those clients, uh, which ultimately leads to the idea of maybe I should explore it. And then maybe I should, uh, further investigate it.</span></p>
<p><strong>Speaker 0</strong>:
<span>Matthew, let me get your thoughts on that with just with with your client base. Who? Who Who are the people who respond most quickly with an organisation when you get that cyber conversation going? Yeah, very often. It's, um, the IT manager or IT director that we that we speak to smaller businesses may not have one. So it could be that they outsource that function to a service provider. We will happily speak to their external IT, um, service provider. Uh, if it's a micro business, you often find that you're talking to the entrepreneur, the founder behind the business,</span></p>
<p><strong>Speaker 0</strong>:
<span>and they're wearing lots of different hats. So it's It's quite a broad church, but ultimately it generally boils down to whoever's responsible for the IT for the business.</span></p>
<p><strong>Speaker 0</strong>:
<span>And George, I suppose the world divides into two cultures. There's those who get technology and digital stuff and can speak that language, and then the bulk of people that that can't and don't So how do you knit those two communities together? When you come to the claims process where everybody in an organisation has to understand why you've come to the decisions you you have when you get some resolution around an incident,</span></p>
<p><strong>Speaker 0</strong>:
<span>Yeah, that that that that that can be difficult at times. I think I think one of the benefits of having cyber insurance is that you've got those incumbent panel vendors. Um, so you've got the digital forensics and cyber security response consultants, and you've also got lawyers who specialise in in data protection law and and they're able to simplify the</span></p>
<p><strong>Speaker 0</strong>:
<span>into plain English. Well, we are almost out of time, So I want to finish by getting a final thought from each of you. There's one thing that brokers or or SME S can be doing to think about getting better and more effective cyber coverage. What could that be,</span></p>
<p><strong>Speaker 1</strong>:
<span>John, I think knowing what's available, uh, across the market, Aviva in this space are working, you know, very, very tirelessly to try and provide suitable products for the SME market in respond.</span></p>
<p><strong>Speaker 1</strong>:
<span>Um, it, you know, chops out a lot of the camp, you know, excessive premiums that that might exist. Um, for some 1 million turnover, uh, organisations. So knowing that that is available is is kind of step one. Step two is</span></p>
<p><strong>Speaker 1</strong>:
<span>making sure that you're keeping up to date with everything you possibly can in that space. And it can be difficult, but the the you know what Matthew's speaking about in terms of Cyber Essentials, which comes from effectively GCHQ keeping up to date with the National Cyber Security Centre, they're two of the best things that you can follow and and get your information from.</span></p>
<p><strong>Speaker 0</strong>:
<span>Thank you, Matthew. I think, given the size of the opportunity available to us brokers and insurers just have to work together to try to make this journey easier for our clients.</span></p>
<p><strong>Speaker 0</strong>:
<span>Uh, we insurers have enormous, uh, wealth of information and technical capabilities, given their breach response, uh, partnerships. If they can make, uh, that information and trend analysis and claims data more readily available to retail brokers like myself, it just helps us have those conversations with clients. George, final thought.</span></p>
<p><strong>Speaker 0</strong>:
<span>Yeah, I think it's market collaboration. So So insurers, brokers and then also, uh, the vendors that we use on our claims as well if we all work together and and and share information, um, we're able to to to provide more education to SMEs as well. Um, and I think that's only gonna, uh, benefit everybody.</span></p>
<p><strong>Speaker 0</strong>:
<span>We have to leave it there. Thank you so much for watching. Do stay with us, though. We've got an interview coming up now specifically on Aviva's cyber respond product just remains for me to thank our fantastic panellists today here in the studio. George Thomas, Matthew Clark and John Clark from all of us Here. Goodbye for now</span></p>
<p><strong>Speaker 0</strong>:
<span>to discuss Aviva's latest product launch Cyber respond. I'm joined now by Claire Hardy. She is commercial product lead at the group. Claire, thanks so much for joining us. First of all, what exactly is cyber Respond. Hi there. Um, so cyber respond is, um, our new cyber product. It's our simplest cyber product designed with microbusinesses in mind.</span></p>
<p><strong>Speaker 0</strong>:
<span>So, um, ideally, for customers with, um, a million pounds or under turnover, 10 or less employees, and really importantly, quite simple cyber insurance requirements. And so it it's designed around our incident response service.</span></p>
<p><strong>Speaker 0</strong>:
<span>So the incident response service is something that we give with all of our cyber covers. But for this, um, cohort of customers is absolutely critical. These business owners are spinning many, many plates. So they are, you know, marketing their, you know, sales. They're doing everything.</span></p>
<p><strong>Speaker 0</strong>:
<span>So cyber, um, is not always top of their list. So with the cyber incident response and we provide them a solution for when that cyber incident happens, they pick up the phone, they talk to our team, and then we get the the required experts out there to help them with that incident. So how did you go about identifying the need for a particular section of the broker community and for a very particular section of their client base?</span></p>
<p><strong>Speaker 0</strong>:
<span>So we started, and, well, we always are always looking at our current, our current book. You know what's happening inside that book? How are our customers using our product? Um, and what we identified was that over 95% of the the UK business community falls into that micro sector. But when we look at our our account, it doesn't match that profile. So we knew that there was something going on there, and we wanted to dig a little bit further and find out what? That what was happening there.</span></p>
<p><strong>Speaker 0</strong>:
<span>So we continued on with our research, and we, um we spoke to brokers. We spoke to customers. We did, um, road shows. You know, we then looked internally. We looked at the metrics. How are our customers using our product? What are the product reviews telling us? What are the claims telling us? Um</span></p>
<p><strong>Speaker 0</strong>:
<span>And then, actually, what we've seen is that, um, third party organisations are starting to tell us a little bit of information as well. There was a recent report out at the beginning of September by global data that backed up a lot of our findings and and basically what that was, was the micro customers a cyber insurance</span></p>
<p><strong>Speaker 0</strong>:
<span>just too expensive for them. That's one of the main barriers to them buying insurance. So the price point was too high. The excesses were too high. They they understand the need for the cover. They understand that, um, they have an exposure now. Um, but they just can't.</span></p>
<p><strong>Speaker 0</strong>:
<span>They can't put the cover together with the the cost. You know, cyber insurance is very expensive. It tends to be significantly more than these. These customers are paying for the rest of their main business insurance. So the public liability, their employers liability. Um, and it's difficult for them to bring those two things together. And how have consumer duty requirements affect the the the shape and, uh, the the the the features of this product. So, um,</span></p>
<p><strong>Speaker 0</strong>:
<span>we've had a robust product oversight and governance and development framework in place at Aviva for many, many years. Um, and the introduction of these regulations so prod for last year and consumer duty this year, Um, they've just allowed us to to enhance that framework slightly.</span></p>
<p><strong>Speaker 0</strong>:
<span>Um, what we did do with the introduction of consumer duty, it allowed us to to take a little bit of a step back and think about things slightly differently. So, um, actually explore how our product, um, and how those outcomes affect different customer cohorts in different ways. So</span></p>
<p><strong>Speaker 0</strong>:
<span>when we looked at the micro, um, that that the micro businesses, um, and the way that they were using our cyber product, we we we knew there was something different that we had to to consider and coming back to the product itself. What's the problem? Or problems that cyber respond solves for clients.</span></p>
<p><strong>Speaker 0</strong>:
<span>So cyber respond takes our most frequently used covers. Um, covers that are, are are most likely to be used by our smaller customers and packages up with our incident response service. Uh, the key thing it does is it puts that at a much lower price point. Um, and with no excess. So basically, it puts cyber insurance within reach of these micro customers, um, and and gives them access</span></p>
<p><strong>Speaker 0</strong>:
<span>to a suite of resources and those specialists at the end of the phone to help them if and when a cyber event happens. But the core of it is if something goes wrong, you need experts that can help, rather than you need somebody who provides a check and says, Be lucky. Absolutely, absolutely. It is all about the response service and even more so for customers that that that don't have AC so that don't have an internal</span></p>
<p><strong>Speaker 0</strong>:
<span>team ready to, um to to deal with the really complex world of a cyber claim. Um, yeah, that that's the value. And at the moment, these customers can't they can't afford it, you know. And in the current economic climate as well, you know, these these customers are fighting tooth and nail for every penny. They're trying to cut costs. They're not trying to spend more. And</span></p>
<p><strong>Speaker 0</strong>:
<span>and And we knew that the the value that this product could give them was something that we really wanted to to a gap that we wanted to close. When you've been out and about talking to micro companies and SMEs what have been some of the reasons for not really</span></p>
<p><strong>Speaker 0</strong>:
<span>engaging with cyber full stop? Yeah, there are. There are a few, um, so the the first one is it'll never happen to me. I am not a big company, I. I don't have money to give to people. Nobody is going to be interested in my data. Um,</span></p>
<p><strong>Speaker 0</strong>:
<span>I'm not digital, so I'm not a digital business, so I don't have anything. I don't have an exposure again. They don't understand necessarily the exposures that they do face, Um, the same as you. And I probably don't understand the exposures that we face when we when we, you know, use our phone on a daily basis. Um so the the there's there's there's lots and lots of reasons, but what we are seeing is that that is starting to shift. You know, customers are starting to understand, Um, the the</span></p>
<p><strong>Speaker 0</strong>:
<span>yeah, the exposure that they do have one of the things that this product seems to be keeping to core things that affect SME. So what are some of the things that would be in a policy bells and whistles that would really appeal to, I don't know, a FTSE 100 company, but really make no sense for somebody employing eight people</span></p>
<p><strong>Speaker 0</strong>:
<span>in a shop. Yeah, absolutely. So when we look at our claims data and again from our conversations with our brokers and our customers, we know that traditionally, um, micro customers don't tend to claim for some of the the more expensive, Um, the more long tail covers that are included within a cyber product. So that's things like full business interruption that we offer and cyber liabilities. So So these these elements, um, the</span></p>
<p><strong>Speaker 0</strong>:
<span>they don't see the value in these particular elements, so those are not included within the cyber respond product. But I do just want to touch on the fact that at Aviva,</span></p>
<p><strong>Speaker 0</strong>:
<span>any customer that thinks they do have an exposure to them whether they're micro or not still has access to those covers in our our standard cyber product. So they can still access all of those covers. Um, at any time, if they do feel that they have an exposure there. So if you take out some of these elements of your complete cover package that are much more applicable to large companies, what does that do to the pricing point we've touched on the the cyber liabilities and the business interruption? The full business</span></p>
<p><strong>Speaker 0</strong>:
<span>interruption covers are quite expensive because of the long tail nature of them because of the, you know. So we have to reserve quite heavily for these these covers. So, actually, by stripping these out, we've been able to bring that price point down to a much more manageable, much more reachable level for our, um, cyber respond customers. And what else are you able to do to help brokers and their clients understand these cyber risk, particularly in the the micro and SME space?</span></p>
<p><strong>Speaker 0</strong>:
<span>And that's a really good question. We we really understand that cyber is, um it can be a little bit of an alien concept for for people that haven't necessarily been involved in it. So we do put a lot of effort into, um, the material that we put out there for, for our brokers. Um, so a lot of our marketing material has a very educational spin on it so that it teaches it talks to our brokers about what the risks look like, the things they should be talking to the customers about, Um, even as far</span></p>
<p><strong>Speaker 0</strong>:
<span>as talking about the differences in the sort of products that they might see out in the market because the market still isn't really standardised. So things that Aviva do and you know somebody else might not do and vice versa. So I think it's it's being transparent about that and and that there are things that they should be looking out for. Um, we have, um, material that our brokers can, um, take to their customers, um, and and have that conversation with them. Um, Stephen Ridley ahead of</span></p>
<p><strong>Speaker 0</strong>:
<span>cyber has built, um, a really strong cyber team now. And he is out and about with his team, um, across the country, speaking to brokers and talking to them about the risks that their customers might face. Um, we've got a couple of quite exciting and developments that are coming. And so we are launching a certified, uh, training course that's available through our DEV Zone service. And so that's available for brokers to,</span></p>
<p><strong>Speaker 0</strong>:
<span>um, you know, again some more training to help them. Um, with those conversations and really excitingly, we have just partnered with the Cyber Resilience Centre Group. Um, as national ambassadors tell us a little bit more about the group. So the group's purpose is to, um, engage with our smaller customers and strengthen the cyber resilience. Um, of the SME community. Um, so the group is backed by the the government and the and the police, and so it's very exciting.</span></p>
<p><strong>Speaker 0</strong>:
<span>Finally, Claire, where's the product available? How do brokers find out more? Our product is available on our fast trade and our digital ETrade, uh, platforms. Um, if any brokers want to find more information, you can go on to the fast trade system. There's lots of information there. There's also lots of information about all of our cyber products, including cyber respond on our Aviva broker, um pages, um, or speak to your sales manager.</span></p>
<p><strong>Speaker 0</strong>:
<span>We have to leave it there. Claire Hardy. Thank you. Thank you.</span></p>