<p>In this exclusive Masterclass, Insure TV host Mark Colegate is joined by a panel of specialists to discuss cybersecurity and cyber risks, trends, and what cyber security regulations look like in the global environment. The speakers are:</p>
<ul>
<li>Erica Kofie, head of cyber proposition, QBE Europe</li>
<li>Jack Bassett, assistant vice president, Lockton</li>
<li>Helen Bourne, partner, Clyde & Co</li>
<li>Nick Baskett, data protection officer, Holland & Barrett</li>
Video Image
Duration
2023 - 00:47
Recorded Date
Friday, September 15, 2023
Transcript
<p><strong>Speaker 0</strong>:
<span>hello and welcome to ensure T V's masterclass with me. Mark, we are looking at cyber. What are the trends of the market? What are the latest developments in cyber insurance? Well, to discuss that I'm joined here in the studio by an expert panel. Let's meet them. They are Erica Kofi, head of Cyber Proposition at QBE Europe. We're also joined by Jack Bassett, assistant vice president at Loch Helen Bourne, partner at Clyde and Co. And Nick Basket, data protection officer at Holland and Barrett.</span></p>
<p><strong>Speaker 0</strong>:
<span>Erica, can you tell us a little bit about your role as head of cyber proposition? And how is that proposition developing at the moment?</span></p>
<p><strong>Speaker 1</strong>:
<span>Yes. So, um, the proposition, um, our insurers are are developing a lot at the moment. Um, cyber risk is in itself developing a lot. Um, and we, as insurers, no longer want to be just providing a promise to pay, but also to provide support to our insured. We know that,</span></p>
<p><strong>Speaker 1</strong>:
<span>um, lots of companies are being attacked every day, and therefore, um, there is a very overused phrase in the market where we say or in the industry, where we say that it's not if but when a company will be attacked. So we really want to be supporting our</span></p>
<p><strong>Speaker 1</strong>:
<span>clients and insured to help them prevent having a cyber incident. So providing them with pre breach services, um, as well as supporting them in the event that they do have a cyber incident with post breach services.</span></p>
<p><strong>Speaker 1</strong>:
<span>Sure, the experts are there helping them get through the incident. Thank you. When</span></p>
<p><strong>Speaker 0</strong>:
<span>you say those those services in a post rich environment are those, are you building those up in house? Or is this a question really of of building alliances with with experts in very specific niches.</span></p>
<p><strong>Speaker 1</strong>:
<span>So at the moment at QBE, we're building alliances with, um, external expertise experts, um, and probably will maintain to do that because we really do need those, um, people that do have the specific expertise and relationships with regulators, Um, that our clients need access to</span></p>
<p><strong>Speaker 0</strong>:
<span>Thank you and and Jack, you must be out and about all day, every day, seeing brokers. So how How high up their list of priorities is dealing with cyber as an issue. Yeah, So when you look at clients and their perspective on cyber, it normally ranks as their number one business priority in terms of their risk management strategies.</span></p>
<p><strong>Speaker 0</strong>:
<span>So I work with the clients to develop and evolve their current risk management strategies around cyber and their wider pieces as well, and also looking at the placement strategies. So working with the likes of Erica and QB to look at what insurance programmes can be put in place as a risk transfer strategy for them, And can you give us some idea of how big the chances of a cyber event are these days? Yeah, absolutely. So if you look at the the UK statistics statistics, the majority of firms within the</span></p>
<p><strong>Speaker 0</strong>:
<span>UK experience a cyber attack. If you look at the last 12 months alone and what's actually occurred in there, you got 39% of UK businesses having an actual attack. So the conversations we have around I'm going to use the phrase, but it's not if, but when. And I think really, that's quite critical for business owners, risk managers, et cetera. To really understand that, and that's where we come in to develop that understanding, giving them stats and statistics and also opening their eyes to what a claim may look like and what would happen in the event of a claim.</span></p>
<p><strong>Speaker 0</strong>:
<span>And, Helen, can you tell us a little bit about where you and Clyde and Co fit into this ecosystem? Of course. Yes. So, um, first and foremost, I'm a lawyer, a partner at Clyde and Co. But we also have an instant response service, so supporting the clients, the life cycle of those cyber risks that Erica and Jack have mentioned. Really? Um, we provide the cyber readiness advice, um, to help them boost their cyber resilience to ensure that they're compliant from a data protection perspective.</span></p>
<p><strong>Speaker 0</strong>:
<span>But also, we are there to support them when an incident happens and we have our own vendor panel. So we draw on that expertise as and when required. So we support the full life life cycle of all those cyber risks. Really? OK, thank you. And finally, Nick Basket as data protection officer. I mean, that's a slightly narrow row, perhaps, than looking at cyber in the round. But,</span></p>
<p><strong>Speaker 0</strong>:
<span>um, how easy is it to keep in control of your company's data and your clients and customers data in the current environment? Well, it's always a challenge because the data is always changing businesses don't stand still. They have new ideas and new ambitions. And, of course, new regulations. Come in.</span></p>
<p><strong>Speaker 0</strong>:
<span>There was that exciting time of Brexit where we decided to go our own way. That meant that, uh, even though we were regulated under the GDPR, we adopted our own version of it and the Data Protection Act 2018 and the UK GDPR. And that's starting to become a little bit different. So we're having to interpret those changes in the regulations as new bills going through in Parliament at the moment.</span></p>
<p><strong>Speaker 0</strong>:
<span>And in addition to that, of course, businesses themselves are adapting to the changes that are happening around them both, uh, directly internally and externally. Um A I, of course, is the most obvious recent one.</span></p>
<p><strong>Speaker 0</strong>:
<span>Yes. Um, OK, well, lots of ideas and thoughts. We can unpack there. Um E Echo. You made this very big distinction between pre and post breach. So can we start with pre breach? What? What are some of the latest developments there? Um, what can you do as an insurer or as a broker to to help the end client get themselves in the the the best possible position.</span></p>
<p><strong>Speaker 1</strong>:
<span>Yeah. So, um, with these pre breach services, obviously we're trying to help them not only become resilient to avoid, um, having a cyber incident, but also be prepared in the event that they will be,</span></p>
<p><strong>Speaker 1</strong>:
<span>um, So we are monitoring our portfolio of insured, um, so monitoring their networks to let them know of any any vulnerabilities that they have to allow them to be able to fix those before any hackers, uh, find out about them. Um, we also work with our insured to provide cyber simulations. So to work with, um</span></p>
<p><strong>Speaker 1</strong>:
<span>to work with, uh, the boards to help them understand what could happen in the event of a cyber incident to make sure that they have their incident response plan. Um, up to date, Um, and considered for all the, um, potential, uh, scenarios that that could occur. Make sure that they have the right stakeholders engaged and so on.</span></p>
<p><strong>Speaker 0</strong>:
<span>Thank you. And when you're out and about talking with with the brokers and perhaps sometimes the end class, I mean, how, um how up are they on these position? I mean, how much can you be?</span></p>
<p><strong>Speaker 0</strong>:
<span>Uh, sort of make yourself secure before you have to start thinking about getting third parties in. Yeah, absolutely. So I think there's different stages within the life cycle as such. And it all depends on the maturity level of the business that we're talking about and that that often comes from brackets such as SME, S and large Corporates and so on. But I think the most important thing there is it's really about the value proposition that we add and the continuous relationship that we have with our clients. And I think a way that I often break it down is in three stages, which I would look at as inform, improve and ensure.</span></p>
<p><strong>Speaker 0</strong>:
<span>And I think that's just a repetitive cycle from the moment we do have that risk transfer. From the financial perspective, we go back to that informed piece, and that's where insurers are giving constant alerts. We're looking at running tabletop exercises so that people within the business can really get to grips with not only how cyber policy</span></p>
<p><strong>Speaker 0</strong>:
<span>is and does respond, but also it's much like car insurance where you would have that ongoing repairs with your cars and keeping up to date with the trends, and I think as a marketplace. That's where we are bolstering. And we're doing a lot better to ensure that clients are well informed about the current threat landscapes and how they are evolving because it is such a hard landscape to keep a consistent control of.</span></p>
<p><strong>Speaker 0</strong>:
<span>But where it might some of the pieces be that you you dig around and to find out what's brewing out there in the world. So we work with much like QB. We work with third parties. So we have the likes of who are who are experts in their field in terms of looking at actually the threat landscape itself, where threats are coming from what threat actors are doing, so we can be quite informed</span></p>
<p><strong>Speaker 0</strong>:
<span>to our clients. We're also lucky in the concept that we have in house C OS. So we work with Peter as our in house CO, formerly of the EM Visa. He's able to supply our clients with real in depth information about how they can protect themselves, what the insurance minimum standards are and how they can continue to bolster to to hit those high maturity levels. Thank you, and</span></p>
<p><strong>Speaker 0</strong>:
<span>and from your point of view, I mean, I think From what you were saying earlier, you you tend to get more involved in in post breach events. But I mean, at that stage, are there things that you think I keep seeing this? These will be easy wins. If people have done this six months ago, 12 weeks ago, we wouldn't be in this situation now. Yeah, I think it really comes down to, unfortunately, a lack of planning and a lack of investment in that incident response plan that</span></p>
<p><strong>Speaker 0</strong>:
<span>Erica and Jack have mentioned, Really, that if if you get to a stage where you're already in the incident and you don't know what the plan is and you haven't thought about the various implications arising from an incident, it's really very difficult to get the optimal outcome at that point in time. So it's it's planning, investing the time mapping the data</span></p>
<p><strong>Speaker 0</strong>:
<span>invariably invariably from a legal perspective, a lot of the risks hang on the type of data that a company will be processing and storing. If that data has been compromised, you really need to start from a position where you've understood the data. You've got the visibility on it, so you can then map the risks that might attach to it.</span></p>
<p><strong>Speaker 0</strong>:
<span>So it all comes under the heading of planning, Really, Um, and we see a whole range of that. It depends on the sophistication of the organisation as to how much time they can invest in it. But even a very basic incident response plan that covers alternative communication channels that is printed off. So if a company hasn't got access to its system, if it's got a hard copy of the plan, everybody at at least knows what is expected of them.</span></p>
<p><strong>Speaker 0</strong>:
<span>But at a basic level, you identify your stakeholders. Who's going to be part of the incident response team? Who are you going to call upon? Who do you need to mobilise in order to support that response? Um, and invariably, that involves bringing on experts, IT experts, potentially legal advice, depending upon the nature of the incident. But all of that can be planned in advance, and I think if that is put in place, I think an organisation can</span></p>
<p><strong>Speaker 0</strong>:
<span>secure that. It's achieving mitigating the risks and achieving the best outcome and just one quick follow up. I mean, presumably if you're in a company and it's and, you know, you discover that you've been, uh, you You're the victim of a cyber crime of some sort. The stress levels must go through the roof. So, just psychologically, how difficult is it</span></p>
<p><strong>Speaker 0</strong>:
<span>to do your thinking and planning after the event? Very difficult. Not so much after the event during the event. I think when you're facing the in in the eye of the storm, so to speak, it's very difficult because people don't know what's expected of them. Invariably, they don't know who to contact,</span></p>
<p><strong>Speaker 0</strong>:
<span>and so it's if it's if it hasn't been planned for if it hasn't been considered and you're feeling your way through whilst an incident is happening and it could be a significant interruption event for the company, the company may not be able to trade, depending upon the gravity of the incident. So at that point in time, it's very difficult to start the planning, and that does cause it. Obviously, it's a huge level of disruption to the company, but also a concern as to whether everybody has done what they ought to have done</span></p>
<p><strong>Speaker 0</strong>:
<span>and Nick for, for for your role, as as data protection officer, I mean if I come back to our earlier mantra of not if, but when. If you accept that as a as a sort of something going on in the background there, Um, how much time do you spend having to think plan? Go back over plans in case the worst were to happen?</span></p>
<p><strong>Speaker 0</strong>:
<span>Well, I think the first thing I'd say is I like being the last person on this panel because I get to pick up on everything that everyone else has said and and agree with it. Um I, I say it succinctly in in in quote Mike Tyson, who said Everyone's got a plan until they get punched in the face and to illustrate that with my own personal experience. Um, I think every everyone has an idea that they will act in certain in certain circumstances a certain way,</span></p>
<p><strong>Speaker 0</strong>:
<span>and boards and directors are the same. They all think that they know what to do or that the business will act in a certain way when an incident happens. If you've never been part of an incident, that's usually not the case and the only way to get around that is not just by planning, but I think, as a couple of people have mentioned here today to do the tabletop exercises and illustrate that in the personal story, if I may, very quickly. Many, many years ago, when I was a younger person in Japan, I experienced my first earthquake, and I was at the top of a building</span></p>
<p><strong>Speaker 0</strong>:
<span>at the time. And as it happened, uh, I was just out of the shower. I just landed. I was out of the shower and I finally thought, Oh, my God, do I put my clothes on? Do I do it? Is that going to be a waste of time? I didn't know what to do. So I grabbed my towel and I ran down the stairs into reception where I thought there would be, you know, emergency services, people and</span></p>
<p><strong>Speaker 0</strong>:
<span>all sorts of action happening only to find a completely normal environment, that this was a completely normal thing to happen. And it wasn't that bad, an earthquake after all. And at that point I remembered that I left my key in the slot inside the door, so I was locked out with a bath towel around me, standing in the lobby of this hotel in Japan. That is what happens when you don't do proper planning and when you don't do tabletop exercises. So I thoroughly concur with that. And the final thing I say just to really answer your question</span></p>
<p><strong>Speaker 0</strong>:
<span>is that this is not a once, you know, a one time event that you do. This needs to be incorporated because, as you mentioned first and he asked me the question about businesses changing businesses are always changing. Things are always changing. A plan cannot be a point in time. It has to be incorporated to BAU.</span></p>
<p><strong>Speaker 0</strong>:
<span>Well, we missed type of exercises, So, um, I'll just get people's thoughts on what does one look like? Um, how many people do you get involved? How much time does it take? Um, Helen, can I start with? Yeah, of course. So when when we work with organisations to develop tabletops for them, we look at their stakeholders. We look at who ought to be part of their incident response group and then we walk them through various scenarios.</span></p>
<p><strong>Speaker 0</strong>:
<span>So a typical ransomware event, for example, where the systems are encrypted, the organisation can't function properly and we walk them through the implications of that there are various work streams that spin off that type of incident. So whether it's legal, whether it's IT forensics looking at that understanding what's happened, understanding the impact, all of those issues of developing a communications strategy to make sure that you've built out the plan that is fit for purpose for a particular organisation</span></p>
<p><strong>Speaker 0</strong>:
<span>and sometimes it comes down to who would be available, who would be available to support both internally and externally. And you identify all of those people. And as you say Nick, it needs to be updated because it's a very mobile market. People change and it so you have to revise that plan periodically to make sure it's fit for purpose. But it can, depending upon the size and scale of the organisation. It's a very bespoke process.</span></p>
<p><strong>Speaker 0</strong>:
<span>The way we the way we manage it, we come up with a range of scenarios that are sector specific. So we draw on the experience that we've got in managing breaches in those various sectors because we know what's likely to happen. What's the likely interaction with a regulator? How many regulators are you going to be needing to be interacting with? For example, What are the communication challenges likely to be like? Are they internal, external,</span></p>
<p><strong>Speaker 0</strong>:
<span>and you just map through it. You walk through those various scenarios in a way that you just practise What would potentially need to happen in an incident? Thank you. I could get your thoughts on that again. So you assume you do that. That's pretty comprehensive. I mean, is that something you should get together about the same time each year and do Is it every six months? What? What? What What's how How often do you sort of it?</span></p>
<p><strong>Speaker 1</strong>:
<span>Um well, it should, um, be done periodically. Absolutely. As Helen spoke about. It's important to look at different scenarios because there are so many different scenarios that that could occur. Um, so testing it for to make sure it it does work for different, um, scenarios is good.</span></p>
<p><strong>Speaker 0</strong>:
<span>OK, but But, uh, I suppose when people particularly business quantify something, it always comes down to money. Um, and Jack, I mean, is there a danger people look at and go? Yeah, That sounds like a £30,000 problem we can live with. It won't necessarily happen. I mean, we we all try and put a put a scale on on the issues and put some sort of pro on and as human, we're not necessarily that good at it. But we're all jolly confident. We are absolutely. And I think that</span></p>
<p><strong>Speaker 0</strong>:
<span>our role to play really in the in the risk management piece and we'll often sit down with the risk managers and say, You know what? What does the business look like at the moment? What's its current state? And I think it's that classic saying of You know, uh, pre prepared A failure to prepare is preparing to fail, and I think we'll sit down and do quantification exercises where we look at the aggregated financial exposure by running simulations, and we can present to them what a loss may actually look like. And alongside that, working with the wider teams, as Helen rightly mentioned,</span></p>
<p><strong>Speaker 0</strong>:
<span>you know, putting everyone together who may be required because I've not seen one tabletop exercise whereby a lesson hasn't been learned and the value can't be taken away. And I think it's vital that the insured or clients do involve the likes of brokers and insurers within that process. To actually really understand what each stage may look like and also for us to gain a much deeper understanding of our clients, how they respond and advise accordingly to what the market may be perceived as required.</span></p>
<p><strong>Speaker 0</strong>:
<span>And sorry I was just going to mention a good tabletop exercise would consider the supply chain to a company as well. There's a lot of vulnerabilities built into supply chain risk, so we would always factor that in as well, so effectively. It means auditing a company's supply chain and understanding where</span></p>
<p><strong>Speaker 0</strong>:
<span>those critical vulnerabilities may sit. Some suppliers may have direct access to an organisation system. It's really important that everybody is aware of that mitigates the risk of that, um, in a number of ways, but fundamentally understand where those risks are and build them into the plan.</span></p>
<p><strong>Speaker 0</strong>:
<span>And, well, Nick picking up on that, I mean, you mentioned a little earlier, um, with things like GDPR, we are slowly peeling away from Europe, but we we operate in a very global environment. So I mean, even for a business like Holland Barrett, is it a lot more global than an outsider might think? Business. But you Well, we UK now. We we're UK and Europe we've got, uh, operations in the Netherlands and Southern Ireland, which, of course, is part of the EU. And each one of these is regulated or has a a supervisory authority,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, which has a different approach. So, you know, um, France has the canal, uh, which is very sort of heavy in terms of its approach of finding big companies. And it takes a particular stance on certain issues and goes very hard. And you've got to be sure that you're absolutely on point with the issues that they have made it clear that they care about,</span></p>
<p><strong>Speaker 0</strong>:
<span>Um, the UK is a bit more pro business, uh, and a little bit more friendly. Um, they take not to say they don't mind what you do, they do, and you will get fined if you if you break the rules. But they take an approach of trying to educate first and give opportunities for you to learn and do more and engage with them. So and the island is, interestingly, used to be considered a soft regulatory environment.</span></p>
<p><strong>Speaker 0</strong>:
<span>But looking at the number of fines they gave out in 2022 I think one was for €1.2 billion against, uh, meta or Facebook. So, um, you have to take into account not just the differences in the regulation, the differences in the approach of the different supervisory authorities. And of course, any, um, what we call derogations or national differences in the way that they approach those those laws as well</span></p>
<p><strong>Speaker 0</strong>:
<span>and tying all that together with different legislation that's coming out in the EU. We've got, you know, Digital Services Act and the D MA and, uh, and, of course, we've still got what we call Peer Laing around which we never get finished. The GDPR, the UK GDPR the digital information bill in the UK coming through. It's, I want to say, a mind field, but it certainly is a complex landscape</span></p>
<p><strong>Speaker 0</strong>:
<span>that I think it's difficult to navigate unless you've got people or expertise that you can call upon. That really understands it holistically for your business.</span></p>
<p><strong>Speaker 0</strong>:
<span>And you've talked there about where you operate as business in Europe. But when you take things like supply chains because presumably some of the goods and in your your shops and so and, uh, must have come from outside of Europe, I mean, does that is there, then another level beyond that, where you're having to think about what the data rules are in Latin America or Asia. Sure, um, so there's two I'll. I'll focus on two parts. One. Is this concept of extra extra territoriality. Did I say that? Right,</span></p>
<p><strong>Speaker 0</strong>:
<span>Thank you. OK, I would struggle with that word. But it means that if you've got customers just taken, for example, you might have customers who are, let's say, Californian residents, but are maybe buying your products from outside or they're buying your services from from outside California. They don't have to be resident in California. You may be subject to the C CPA or the CPR P a, uh, out in California, which has its own set of regulations as a supply chain.</span></p>
<p><strong>Speaker 0</strong>:
<span>I always look, and I think this is a critical point, the contracts and this is something that you do in advance. You look at the contracts that you're working with customers on, and you have to be prepared, and the business has to be prepared to walk away from contracts that are not good contracts that don't protect the rights. So we've talked all the time about what? All these investigations that you do. But your supply chain has to work with you</span></p>
<p><strong>Speaker 0</strong>:
<span>when I'm looking at when we call this a data processing addendum. So the companies working with us in the in the, uh in the role as a processor, that's their role to be to find controllers and processors under the regulation.</span></p>
<p><strong>Speaker 0</strong>:
<span>So if we're determining the means of the of the processing with a controller, someone helping us do that is the processor that's a supplier. In this instance, I will look at their contract in detail. I will look to see how that data is managed, whether they can fulfil their rights under our regulation and sometimes especially dare I say American companies will fail to do that.</span></p>
<p><strong>Speaker 0</strong>:
<span>And you've got to be prepared to work with the business to say, Do we want to work and engage with suppliers that cannot allow us to fulfil our rights and the data subject rights of our customers?</span></p>
<p><strong>Speaker 0</strong>:
<span>OK, thank you. Um, well, let's move on. We talked a little bit about breaches and and and and planning, uh, how you response to them. So I want to get into what some of those breaches could be, uh, and and and and, uh, sort of how you how you solve the problem once it's taken place. So, Eric, from your perspective, what what are some of the cyber trends you're seeing in particular at the moment?</span></p>
<p><strong>Speaker 1</strong>:
<span>So at the moment, we're seeing a lot of, uh, ransomware attacks. So previously, it was, um,</span></p>
<p><strong>Speaker 1</strong>:
<span>taking threatening to take networks down or taking the network down and then asking for the ransom payment. Um, but now we're seeing it's predominantly saying that they have exfiltrate ex filtrated data and that they are going to release that onto the dark web. Um, if if the ransom is not paid,</span></p>
<p><strong>Speaker 1</strong>:
<span>um, we're also seeing a lot of business, uh, email compromise attacks. So, um, where somebody where Hacker will get into the, um, inbox, um, of an individual and send out emails to clients or perhaps somebody else in another department to say, Please make a payment or, you know, bank details have changed. Please make a payment now to this bank account, and obviously the money disappears.</span></p>
<p><strong>Speaker 0</strong>:
<span>Right? So 22 ones that are particularly big at that I mean, does, uh, from your point of view, does that? Does that sort of chime with what you're you're hearing, or are there any other other? Absolutely. The two biggest points that we're seeing Certainly from a data perspective that we receive as well. Um, they are the two and and tend to be clients concerns as well around that. So you know, when you look at what actually caused the attacks as well you can.</span></p>
<p><strong>Speaker 0</strong>:
<span>A statistic that I was given for July was that 25% of those attacks were actually caused by fishing attempts. So often, uh, businesses will say to me when it comes to cyber security, you know, their employees are actually their biggest weakness. Well, I always try to flip that on its head by saying, Well, they can be your biggest strength if you look at the components that go into RE training, how to actually detect a fishing attack.</span></p>
<p><strong>Speaker 0</strong>:
<span>And often you know, those two that we've mentioned there can be triggered straight away by a fishing attack as a very simple method of getting in from one single entry point, breaking into a system and causing quite significant damage. Really? Well, let's pick up on that point. I mean you You You mentioned there that employees can be a source of weakness or of strength. How? How do you turn them into a source</span></p>
<p><strong>Speaker 0</strong>:
<span>of strengths? What? What what can you do on the education? Well, I, I think there's a whole variety, really. But I think mainly it comes down to a senior level carrying out the table exercises where you're able to identify individuals, roles, uh, what they play within an attack and a and A. But I think at a very basic level, it's implementing a high level, uh, programme of training such as,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, simulations. So sending out emails to look at SPS obviously that are sent internally to identify who may be, uh, their set of weakness within the company to ensure they're provided with further education. Further training on how to actually identify what what looks to be a fake email. And these days it's getting very difficult. You know, we spoke about trends earlier, and we're starting to see a lot around a I chat</span></p>
<p><strong>Speaker 0</strong>:
<span>spots and so on where people can go on to chat GP T and just look at generating random emails that look quite realistic. So I think it's actually, you know, going to a point where there are, uh, third party systems that need to be implemented to look at, uh, files, et cetera, and actually stopping search elements. Uh, but I think it all looks at what the board perceive as the risk to their own employees. OK, is that something that if someone's got a policy with QB you, you're you're happy to help train staff, particularly around things like email fishing?</span></p>
<p><strong>Speaker 1</strong>:
<span>Um, yes. That is something that we we have, um, third parties that we can put our insurers in contact with that will help them with that because that the employee awareness is definitely something that we like to see. Um, companies, um, carrying out. It's very important that</span></p>
<p><strong>Speaker 1</strong>:
<span>that yeah, the employees are aware of what all the different risks are, Um, and that they are being tested, um, for fishing exercises as well. One</span></p>
<p><strong>Speaker 0</strong>:
<span>one area of education is around payment diversion, fraud. Um, I think even just increasing the cyber hygiene and awareness around the risk of payment diversion fraud. So, in other words, somebody is sending the email to the accounts payable team</span></p>
<p><strong>Speaker 0</strong>:
<span>in, or somebody in the accounts team with a view to changing bank details and obviously their fraudulent bank details. But either they're doing it by a spoof email. In other words, there's no compromise of the network as such, but it's just coming from an email that is very similar to the legitimate email, or it's actually involving a compromise of the network itself. And they're sending an email within a company purportedly to actually, um, make the change of bank</span></p>
<p><strong>Speaker 0</strong>:
<span>details now just implementing some hygiene around that, where, whereby any changing of bank details is followed up with a phone call to the to the sender. Things like that can really just catch very large losses, actually, so having building that awareness amongst the workforce, particularly within an accounts team, is really important. But how easy is sorry you want to come in, But how easy is that</span></p>
<p><strong>Speaker 0</strong>:
<span>to do culturally? Because we we we've gone through a period of time. I mean, I'm I'm not remember when the Internet was sort of coming in and emails and we went through this period where nobody trusted it. Then everyone was terribly relaxed, and now we seem to be going back into the cycle of just because it's online, you can't trust it. That must really gum a business up I. I think it is really difficult. I think it is a really difficult balance, and I think it's how over the top do businesses take it? You know, our employees forced to take training quarterly or half yearly annually. What? What does that look like?</span></p>
<p><strong>Speaker 0</strong>:
<span>Um, but I think when you go right down to basic levels like Helen mentioned putting in SOPS as standard operating procedures for small bank transfers just to ensure that employees are aware and there are procedures and policies that are put in place. And I think that really comes under that strategic risk part for a business to look at their governance, compliance, etcetera and say, How are we handling internally? Because often you know a cyber attack can happen,</span></p>
<p><strong>Speaker 0</strong>:
<span>and people will look straight to the outside say, Oh, well, you know, it was a cyber attack. They generically targeted. We got hit, but actually, can we start assessing from within? What can we do to protect ourselves? And often that starts at the very core of the basic implementations along the way, such as SOPS. And And OK, we mentioned a I a couple of times. How? How revolutionary is that? Is that a real game changer for things like online</span></p>
<p><strong>Speaker 1</strong>:
<span>fraud? Yes. So, um, a I will be revolutionary, Um, for fraud.</span></p>
<p><strong>Speaker 1</strong>:
<span>Um, we have seen that, um, it can mimic people's voices. Um, so we can also have fishing so voice fishing as well as, um as well as email fishing. Um, so I'm sure that there will be different types of attacks um, used in social engineering to help trick, um, employees or individuals into giving up information that they shouldn't be.</span></p>
<p><strong>Speaker 0</strong>:
<span>I think one of the key points and I guess to bring that to life is quite recently, I had a conversation with a client whereby they had exactly that sort of voice and attempt at which they received. They had standard operating procedures in place. An employee forwarded it on a request to make a bank transfer at which the head of accounts thought was quite suspicious. It interacted via email with the sender, at which point they confirmed they would phone to confirm the bank details and they use Bing for exactly that.</span></p>
<p><strong>Speaker 0</strong>:
<span>The it it went through and there was transfer fraud. And I would advise anyone to look at crime policies when talking about transferring money alongside cyber insurance. Um, but they actually sat in the back of the system</span></p>
<p><strong>Speaker 0</strong>:
<span>to to avoid further damage. Luckily, the insured contacts ourselves as a broker, which we advise instantly contact the insurer who provided the expertise that we mentioned earlier who went in to check instantly. Are they still within the system? Can they function? Can they cause further damage? The insurers came into play, confirmed they were still in the system and managed to have REM actions to to avoid any further damage.</span></p>
<p><strong>Speaker 0</strong>:
<span>But I think what that does is it brings to life that there are constantly evolving threat techniques that threat actors will use to penetrate entry points and cause attacks. But it's not just about the single attack that occurred that was identified. It's about what could be sitting behind that to cause further damage to that ensures,</span></p>
<p><strong>Speaker 0</strong>:
<span>really need to be aware about and have conversations about from the I think from an A I perspective, I don't think it's just the type of attacks that we're going to see. It's going to be the volume. That's likely to be overwhelming because the technology will enable the the automated attack to such a degree that that is going to be really challenging. I'm smiling because I I have exactly the same story I was actually for a while, wondering if it was the same person that we were talking about in my case. I had lunch with an investor</span></p>
<p><strong>Speaker 0</strong>:
<span>about, uh, 23 weeks ago and she was telling me a story about and she heads up a AVC firm. Um, she's a New Zealand lady, heads up a VC firm here in London,</span></p>
<p><strong>Speaker 0</strong>:
<span>and she was explaining how it is a fantastic story. She was explaining how a person called in that pretending to be the FD, but it was again using a I sounded just like the financial director and said, I need you to make a transfer of a million pounds from a to B</span></p>
<p><strong>Speaker 0</strong>:
<span>And she said, I just need to check with the managing director. And she called up the MD and she said, You know, I've got John or whatever His name was on the phone, and he he just wants to transfer a million pounds across to XY and Z. Is that OK? The funny thing was that the MD was having lunch with the FD and he's saying, You're saying you've got the FD on the phone and and the person is going yes, like, well, put them on speaker And he was like, My God, that's That's me. It sounded just like him.</span></p>
<p><strong>Speaker 0</strong>:
<span>It almost sounds unbelievable. It sounds surreal, but these things are happening. They're only going to become worse. I totally agree with what he was saying. That this volume is going to become a problem. The one positive thing I would say is that a I is gonna work on both sides of the fence, so there will be solutions coming out where you know you will have systems that use large language models and and and systems and deep learning to identify fraud when it's happening.</span></p>
<p><strong>Speaker 0</strong>:
<span>So how does how do you get hold of somebody's voice patterns? Erica is this because a lot of us are on videos that are on the YouTube, and it's that, or is there? Is there an element of these that ultimately when you dig into it, there's an inside man or woman who's providing just enough stuff to go with the technology to make it sound credible.</span></p>
<p><strong>Speaker 1</strong>:
<span>I think it could be that, um it could already be that somebody is in the network and they're able to record somebody's voice. Um, while they're on a team's meeting, for example, um to then use the technology to mimic their voice. Or or maybe they are, um, finding them on LinkedIn or on a panel of some kind.</span></p>
<p><strong>Speaker 0</strong>:
<span>OK, we should be very careful between the four. The four of the five of us, shouldn't we? We we are becoming a lot better at understanding A. I risk. I think lawyers are doing a lot of work on it as well, to actually understand what a I means to clients from a governance perspective. Compliance, uh, and develop those trashes out and also offer insurance products to hopefully could tell some of those risks that come with it.</span></p>
<p><strong>Speaker 0</strong>:
<span>OK, well, you the other trend that we mentioned was about taking data and then threatening or starting to publish it to put people under more pressure. So, Eric, can you give us a bit of an overview of of of that. What are the particular issues that throws up for for companies that are under that sort of pressure, they need to keep</span></p>
<p><strong>Speaker 0</strong>:
<span>keep in mind.</span></p>
<p><strong>Speaker 1</strong>:
<span>Um, well, there's lots of things to consider at that point. Um, so normally you would work with, uh, IT forensics experts to understand, um, has data actually been exfil traded? Do they actually have the data that they say that that they that they say that they do?</span></p>
<p><strong>Speaker 1</strong>:
<span>Um, there's also considerations around. Um, I think lots of companies panic in these moments, and they think maybe it is a very good idea to pay the ransom,</span></p>
<p><strong>Speaker 1</strong>:
<span>um, to avoid it actually happening. But something to consider is that you're dealing with criminals. So is their promise. Good. If you pay them, are they still going to release the data? And you need to think about what data, um, they have taken. Does that subject you to any requirements under any data protection regulations? Um, and then there is also the subject of paying a ransom.</span></p>
<p><strong>Speaker 1</strong>:
<span>Um, there are some, um, malware and malware strains and also some hacking groups that have been put on to sanction list. So, um, it it may not even be possible for you to to make the ransom payment. Thank</span></p>
<p><strong>Speaker 0</strong>:
<span>you again. Someone's got your data as a company, but does is all data. The same is some. You know, it's a bit embarrassing, but actually it's not particularly commercially sensitive and it</span></p>
<p><strong>Speaker 0</strong>:
<span>doesn't matter. I mean, I suggesting you have the Duke of welling defence to say publish and be damned, but I'm just wondering, how do you focus on the most important parts of it? I think it comes back to what? Trying to, as as Erica said, validating what the threat actor has actually taken, Um, there may be a difference between what they say they've got and what they've actually got. But then there could be a range of data. It could be commercially sensitive. It may be personally sensitive. It's sort of the ability to map what you've got, what's likely to have gone.</span></p>
<p><strong>Speaker 0</strong>:
<span>But then it's really ultimately a commercial decision for the company, subject to those legal requirements around sanctions as to what their preference is. In that scenario, they may not need to pay the ransom to get back to operations as business as usual, but it may, by paying the ransom on the basis that the Threat actor doesn't then go on to publish it, and that is always a risk. But it's a considered risk.</span></p>
<p><strong>Speaker 0</strong>:
<span>Um, it really is a commercial decision for the client as to get them to ascribe a level of risk to the data that is involved and to take a view as to what they would like to happen in that scenario and whether they want to mitigate that risk of publication. And Nick, from your point of view, if data gets out into the I mean, from the point of view of the regulators or someone like the information commissioner's office, how sympathetic are they,</span></p>
<p><strong>Speaker 0</strong>:
<span>um, to a business That's that's in in this dilemma as to whether it, you know, having to act to try and stop data leaking</span></p>
<p><strong>Speaker 0</strong>:
<span>WWW What What's fundamentally what's their take? Their take is that you should not make a payment. So I mean, they stated that very clearly yesterday they did a memorandum of understanding with the NCC, the national cybercrime. Um so the you've got cybersecurity centre. So you've got a agreement between the N CS C and the IC O that if a ransomware attack, if you're suffering a ransomware attack, you can go to the IC O. First</span></p>
<p><strong>Speaker 0</strong>:
<span>you can report to the, um uh to the National Cybersecurity Centre. It will probably go back to the if it's of a decent size, depending upon the size like beyond below a certain size. Unfortunately, you're sort of on your own. Um, but the fact of the matter is that that data is now considered lost. You have if your notification requirements are triggered If that data was released, it makes no difference whether you pay them off or not. Because that information has now been lost. You cannot say. Well,</span></p>
<p><strong>Speaker 0</strong>:
<span>the hacker group gave me their word that they're not going to release this information. You have to treat it as gone. That said, um, criminal organisations have business models. And interestingly enough, if you're going to take a look at the reputation of different hacker groups, some make a point of being honourable in terms of if you pay me, we will not release the data.</span></p>
<p><strong>Speaker 0</strong>:
<span>Uh, I do not know. Taking into account all the concerns the legal concerns over paying sanctioned businesses, et cetera, I don't think that will help you in terms of your notification requirements in terms of the IC O, it might help you in terms of your relationship with your customers.</span></p>
<p><strong>Speaker 0</strong>:
<span>I I wouldn't know. But from the IC OS point of view, they say, do not pay as far as your accent. At that point, you've you know you've got You are where you are. And you've, uh if you've got a notification requirement that still has to be met regardless of whether you pay the the, um the the required amount or not, Yeah, they've been very clear about that, that it doesn't actually serve to mitigate the legal implications.</span></p>
<p><strong>Speaker 0</strong>:
<span>It doesn't have a bearing on that. So if the incident meets the threshold, it's still notifiable, regardless, whether a ransom is paid and probably can I just one last point on that, which is, a lot of people talk about meeting the threshold, and one of the things that I find or or areas that I find very people get very confused about, is when is notification triggered by an event like this and there are tables and, uh, frameworks that you can use to do what's called a harms assessment.</span></p>
<p><strong>Speaker 0</strong>:
<span>And I think that's something that people should be aware of. So there's a formal way to actually look through and systematically determine what level of harm can potentially come to the data subjects because we're talking about personal data in this particular time.</span></p>
<p><strong>Speaker 0</strong>:
<span>So what potential harms can come to the data subjects and that will determine whether or not you've triggered a notifiable event? But what happens, Nick, if, um, my company has been hacked? I didn't know it. I find out today, but it actually happened three months ago. Does the IC O say, Technically, you should have told me three months ago. Mark and the clock's been running since then. Or is it from the moment you knew the clock was running? So if you went away for the weekend, we take a dim view of it. If you picked up the phone now,</span></p>
<p><strong>Speaker 0</strong>:
<span>yeah, you're not in bad. Well, there's two parts to that should you have known? And when did you know? So the awareness that the regulation says when you become aware 72 hours And of course, in my experience, and I've been through not just the and lots of other places I've been through a number of different incidents of different, uh, severity, and it's always Murphy's law. You find out on a Friday night,</span></p>
<p><strong>Speaker 0</strong>:
<span>so on Friday night you find out and the 72 hour clock starts ticking. This is where your plan comes into play because you need roles and responsibilities. Um, a AAA aligned, and you need to ensure that there's somebody allocated to work on this over the weekend. It's no good to come back and start thinking about this on Monday, so it's from when you're aware. But if it happened three months ago</span></p>
<p><strong>Speaker 0</strong>:
<span>and you and they've been operating for three months or in some cases we've seen organisations run for years where hackers have been on their network and you suddenly find out, then I think we've seen from examples where that's happened, that the regulators don't look at it very kindly. Well, we're coming to the to the end of our time, and there's a lot we've chatted about a lot more. We could, but I mean, from your point of view,</span></p>
<p><strong>Speaker 0</strong>:
<span>if there is a cyber incident, what what do you do as the broker? We've heard a lot from, you know, the insurers, the you know, the the the very technical experts, such as as Clyde and Co. But where Where do you fit into it? What's your role? That Yes, of course. I mean, our priority is that, of course, the the claim is identified straight away, and the the correct people were notified. So being in the insurer and often a mistake that that we see is,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, the The policies are not held in cold storage. Phone numbers are held on computer systems, et cetera. That obviously are primed to the attack. So number one is being accessible and having the plan in place that we've spoken about, uh, number two is, of course, we want to be one of those first phone calls. So alongside insurers lawyers, we then come in and and our role within that situation is really to be in alignment between all three parties. And if you look at the difficulty, complexity, complexity and time consuming nature of the claim</span></p>
<p><strong>Speaker 0</strong>:
<span>and the stages at which they run, it's vital that we are involved in all of them because most likely, we'll be part of the planning. The response. We have communications with the vendor and the insurer and we can play a part within that whole process. And it's also the client having comfort that someone really knows their business inside out. Someone can communicate very clearly with them and understand what's going on from all sides.</span></p>
<p><strong>Speaker 0</strong>:
<span>So read me through the lines it's get, get a filing cabinet and have hard copies. Well, yeah. I mean, there there is that aspect, but it's definitely store. You know, I. I would advise every, uh, client to to store their policy and cold storage, to have their phone numbers accessible in terms of the of panels, et cetera, And the insurer have the numbers saved somewhere. And make sure that several people have access to that. Because in the event of a claim, the most vital thing is getting things sorted very quickly.</span></p>
<p><strong>Speaker 0</strong>:
<span>Thank you for that. Let's get some final thoughts from the others on the panel. Um, Helen, if there was one tip you could leave us with, you must, in your experience of see things that I won't say everybody gets wrong, but, uh what? What? What's a simple thing you can do that? Uh, has the greatest reward if you if you get it right. It has to come down to the planning. I know we've said that repeatedly, but it is so important, and it really does mitigate the exposures. Thank you, Nick.</span></p>
<p><strong>Speaker 0</strong>:
<span>I won't take anything away from From what the others have said, I would add, This is a This is a slightly odd tip, but I would, um But I think these are the useful ones. I would say Make sure that everybody you've got a notification template ready to go. Assuming that you have to do a notification, nobody wants to submit a bunch of scraps of papers or some messy document to the IC O or whatever your regulator is. So have something that looks very professional</span></p>
<p><strong>Speaker 0</strong>:
<span>that typically to make it as easy as possible for them to read and understand what's actually happened will be in chronological order. So knowing that in advance, make sure that all the communications, because you will want to copy in communications, is part of your notification if you if you've got a serious notification you're gonna do,</span></p>
<p><strong>Speaker 0</strong>:
<span>uh, I'm talking about internal communications about this is an explanation of what we've done to technically mitigate this blah, blah, blah make sure that the people who are going to be supplying those communications</span></p>
<p><strong>Speaker 0</strong>:
<span>stick to a script. And what I mean by that is nobody should say things on there. Like I told you this was gonna happen. This is a complete nightmare. Our systems are a mess and that you don't want that to get wrapped into some communication that you want to include, because it has useful, important information. And it's time stamps, and it's an important cog, but it's mixed up in there. So I would say Make sure it's a bit of an odd one, but, um, you want to make sure that everybody has a understanding</span></p>
<p><strong>Speaker 0</strong>:
<span>that their communication will be effectively seen by the regulator and that they sort of stay on a particular script as to, you know, um, this time we did this, and this was the result. And this is why we did it. And this is where we are now. Thank you, Erica. A final thought from</span></p>
<p><strong>Speaker 1</strong>:
<span>you.</span></p>
<p><strong>Speaker 1</strong>:
<span>Um I think it's very important that insured. Understand? Um what? Um what support their their cyber insurance policy can provide them. Um, and to that end, um, to really contact, um the the crisis support service that we provide within the policy,</span></p>
<p><strong>Speaker 1</strong>:
<span>Um, as soon as possible. As soon as that. They They are aware of an event so that we can get the experts to help them and support them through the incident as soon as possible. Um, hopefully helping them to contain the incident and not let it, um,</span></p>
<p><strong>Speaker 1</strong>:
<span>be worse than it needs to be.</span></p>
<p><strong>Speaker 0</strong>:
<span>Thank you. We have to leave it there. Thank you so much for watching. Just reminds me to thank our fantastic panel or, uh, Erica Coy. Jack Bassett, Helen Bourne and Nick Basket. Thank you so much for joining us from all of us here. Goodbye for now.</span></p>
Tags
Companies
Select Player
Media Manager 3
Video ID
484e6667-a93c-425a-a570-7aebbfbc7b45
Structured for CPD
structured
Primary Channel
10000084
Select Info Type
Company
People
Contact Info Company
Add Preroll
Core Video ID
802
Owner
Hide Contact Me
Archive Date
Friday, September 15, 2023 - 10:15
Player Subscriptions
Site Player
Activation Dates
Thursday, September 28, 2023 - 11:30 to Saturday, September 28, 2024 - 11:30
Active
Site Player
Activation Dates
Thursday, September 28, 2023 - 11:30 to Saturday, September 28, 2024 - 11:30
Active
Job Number
1677
Allow Player Embed
Skills And Abilities for CPD South Africa
Destination
Right of the video
Downloadable
Disable Quiz
Turn off reflective statement button
Auto Transcribe
Hide Transcript
Promote Event on Primary Channel
Video ID (MM3)
484e6667-a93c-425a-a570-7aebbfbc7b45