Arunava Banerjee, Cyber Risk Consulting Lead, Zurich Resilience Solutions UK, joins our host Mark Colegate to discuss the evolution of cyber insurance.

Duration

2023 - 00:20

Recorded Date

Tuesday, October 3, 2023

Transcript

<p><strong>Speaker 0</strong>: <span>to discuss the growth and evolution of risk in cyber and what businesses and organisations can do to build resilience. I'm joined now by Arun Banerjee, Cyber Risk Consulting Lead at Zurich Resilience Solutions.</span></p>
<p><strong>Speaker 0</strong>: <span>Arun, thank you so much for joining us. First of all, let's set the scenes now. The World Economic Forum recently ranked widespread cyber crime and cyber insecurity as one of their top global risks, both short and long term. Were they right to do so?</span></p>
<p><strong>Speaker 1</strong>: <span>We live in a hyper-connected world. We have connected almost everything to the network, to the Internet. Uh, from toasters to national grids. Our buildings we are working on, everything is connected to the Internet.</span></p>
<p><strong>Speaker 1</strong>: <span>Everything is network connected. This is creating a large attack surface which are easily getting exploited by cyber criminals.</span></p>
<p><strong>Speaker 1</strong>: <span>Along with that, over 60% of our workforce are still working remotely. They are not working within the secure perimeter of their office environment. They are working over the Internet from their home, from cafes and all the different places.</span></p>
<p><strong>Speaker 1</strong>: <span>Along with that, what's happening? We are creating a huge volume of data. Every click, every comment we make on Facebook, to every... with more digitalization in our business environment, we are creating huge volume of data, and data are expensive because the moment you start interpreting good quality data, you start having information: information about you, information about me</span></p>
<p><strong>Speaker 1</strong>: <span>and data, information and data. They are always very, very expensive. In 2017, The Economist magazine, uh,</span></p>
<p><strong>Speaker 1</strong>: <span>had a cover page where it says that data are the most expensive resource in the world. 
It's no more oil, it's data. So that's why cyber criminals are getting attracted towards data. Cyber criminals are attracted towards those attack surfaces to exploit them and then put things like ransomware, hold, uh, businesses at ransom so that they can financially gain out of it.</span></p>
<p><strong>Speaker 1</strong>: <span>Also, there are cyber criminals who are supporting nation-state strategies. They are... so that's why you will see National Cyber Security Centre. They are coming. And just in this year, they came up with at least two risk in inside, which are very much talking about the threats of critical national infrastructure being targeted by cyber criminals who are supporting nation-state strategies</span></p>
<p><strong>Speaker 1</strong>: <span>and this whole digitalization, this whole migration towards cloud, digitalization, this connected ecosystem, that is there to stay because it has loads of positives. OK, but what's happening? It all boils down to how we are managing the risk which comes out of having</span></p>
<p><strong>Speaker 1</strong>: <span>and implementing and running these environments. That's why cyber risk, in both short term and in long term, is one of the key risks faced by every organisation across the world of any shape and size.</span></p>
<p><strong>Speaker 0</strong>: <span>Can you put some numbers on that? You've touched on some of those themes, but can you quantify how big the issue is at the moment? How big it could be in 5, 10 years' time?</span></p>
<p><strong>Speaker 1</strong>: <span>It depends, like, how big? Because right now, if you see into the percentage of organisations who have suffered cyber attacks or who have reported... so Department of, uh, DCMS, Digital, Culture, Media and Sports, every year, they come up with their annual report</span></p>
<p><strong>Speaker 1</strong>: <span>and there they talk about every year. 
What percentage of organisation has actually reported</span></p>
<p><strong>Speaker 1</strong>: <span>that they have actually had a cyber attack? OK, now what's happening is a lot of organisations are having attacks which can be small scale, but then there are some of them which are becoming very, very large. The very large ones are getting reported.</span></p>
<p><strong>Speaker 1</strong>: <span>But if you talk about phishing attacks, that's happening every day to every organisation in bulk, like thousands every day. Organisations getting bombarded with phishing attacks. They have controls. They have email filters and stuff which is blocking them. But still some of them manages to end up in a user inbox. So yeah, it's... the scale varies. It's... the scale definitely varies with what kind of attack, but all you need to remember, it requires</span></p>
<p><strong>Speaker 1</strong>: <span>one small malware to get deployed and we can end up in having the next type attack.</span></p>
<p><strong>Speaker 0</strong>: <span>You've been working in cyber for a number of years. So, so have you seen the industry evolve?</span></p>
<p><strong>Speaker 1</strong>: <span>Like cyber industry? The cyber insurance industry? Well, the cyber insurance space. So yeah, see, I represent Zurich Insurance. Zurich Insurance as the insurer has seen, uh, has faced the whole evaluation of site in the cyberspace. Cyber has been traditionally very much, uh, insurance space for the large financial organisations or the large, um,</span></p>
<p><strong>Speaker 1</strong>: <span>a very large organisation. But what has happened? The whole cyber threat horizon, it changed significantly and then more and more organisations started changing their cyber strategy to buy cyber insurance to protect themselves. That's why there is a huge increase in the buying of cyber insurance.</span></p>
<p><strong>Speaker 1</strong>: <span>But why they are doing it? 
Because cyber attacks are increasing and remember, cyber attacks can be very, very expensive to handle. So all this, with the increase in cyber attack, with cyber attacks being expensive to handle, and more and more organisations are buying cyber insurance as a cyber strategy to protect themselves,</span></p>
<p><strong>Speaker 1</strong>: <span>the whole thing, which actually gave the rise of increase of cyber insurance, actually became one of the factors for the hardening of the cyber insurance market till the end of last year. So we were having a hardened market till the end of last year for cyber because a lot of organisations, they were lacking the much needed cyber resilience,</span></p>
<p><strong>Speaker 1</strong>: <span>the cyber resilience to protect themselves. So that's why, and along with the factor which I just said, like things like cyber attacks, the volume actually increasing, then, uh, the claims are becoming much more expensive. So it created the hardening of cyber insurance market, and another change which has happened in the last few years is that</span></p>
<p><strong>Speaker 1</strong>: <span>cyber has moved away from those 5, 6, 10 questions which an insurer asks you before they provide you insurance.</span></p>
<p><strong>Speaker 1</strong>: <span>Nowadays, cyber underwriters are involving a lot of cyber risk engineers for the large risks they are getting. Uh, we are getting used by the cyber underwriters to understand the exposure, to understand the business environment, understand the control when they are trying to underwrite a risk. So a lot of scrutiny goes in before a company is getting a policy from any insurance company.</span></p>
<p><strong>Speaker 1</strong>: <span>Nowadays. 1000 like hundreds, 1 8200 questions are asked by the brokers, the insurers to capture information about organisation. 
That has been one of the prime changes, which I will say happened in the last five years.</span></p>
<p><strong>Speaker 0</strong>: <span>And if you roll the clock forward another two or three years, more cyber crime out there, harder market. Presumably, insurers will be less willing to take on cyber risk or any type of cyber risk because,</span></p>
<p><strong>Speaker 0</strong>: <span>um, that there's a high chance they're just going to be taking more losses onto their books.</span></p>
<p><strong>Speaker 1</strong>: <span>Um, I, I don't, I don't think so, because the market is changing.</span></p>
<p><strong>Speaker 1</strong>: <span>Uh, this year is not anymore the hard market. It is showing some change and also you will see organisations, not all but a lot of organisations, are slowly understanding the need of cyber resilience. They are taking out cyber from that whole IT bracket. They are treating cyber as any other risk to their business. A lot of organisations doing it.</span></p>
<p><strong>Speaker 1</strong>: <span>So they are actually fighting. They are fighting to keep their business more resilient. Not all of them. There is still significant gap, but, so, and cyber insurance is a very... is a key factor in your cyber resilience strategy. When you think about a holistic cyber resilience strategy,</span></p>
<p><strong>Speaker 1</strong>: <span>cyber insurance is a key factor. And another thing which has also happened in the last couple of years is that the pre-breach service and the post-breach service which insurers are providing you, they are becoming almost the same. They are having almost the same importance as the policy itself, the pre- and the post-breach services. So that's why, combining all those things, I don't think that will ever happen.</span></p>
<p><strong>Speaker 0</strong>: <span>Well, moving on to what Zurich itself is doing with customers. I mean, how are you helping them manage their cyber risk? 
Uh, and perhaps, if you could pick up, particularly on this point about resilience and sort of doing everything you can not to have a problem in the first place.</span></p>
<p><strong>Speaker 1</strong>: <span>OK, yeah. Uh, so Zurich in 2021 created Zurich Resilience Solutions. So traditionally, we are called risk consultants, risk engineers.</span></p>
<p><strong>Speaker 1</strong>: <span>So we got the new name of Zurich Resilience Solutions. So ZRS is group of risk engineers, risk consultants who specialise in a lot of different fields. So I have colleagues who specialise in</span></p>
<p><strong>Speaker 1</strong>: <span>property. I have colleagues who specialise in climate change, supply chain,</span></p>
<p><strong>Speaker 1</strong>: <span>motor risk and resilience. Then you have liability and casualty, so different speciality, like I lead the cyber practice for UK and the ZR. So there is the cyber risk consultant that, uh, so I lead the practice for that and what we have done, we have created cyber proposition for clients</span></p>
<p><strong>Speaker 1</strong>: <span>to help them navigate this or develop cyber resilience, which itself also kind of says to help them navigate the complexities of the cyber insurance market. Because if you are not cyber resilient, then you are not very cyber insurable, if that's the right way of saying so. Uh, so that's why our services, we created what's called cyber AMP. Asset Manage protect</span></p>
<p><strong>Speaker 1</strong>: <span>and we deliver services for our clients to help them develop that much needed cyber resilience for their business environment. So we carry out things like cyber health check because a lot of organisations, especially in the mid-market space,</span></p>
<p><strong>Speaker 1</strong>: <span>one of their biggest challenge is having a holistic view of cyber. 
Now they have implemented a lot of different controls, but we help them to understand how can you actually use those controls and develop cyber resilience? What's missing? Some call it the gap analysis, but we call it the cyber health check. So where are you presently? We bring in the insights which we get because we work with the cyber underwriters</span></p>
<p><strong>Speaker 1</strong>: <span>and we gather loads of knowledge from working with the large banks, the large manufacturing, even midsize companies. Uh, private health care, health care industries. We bring in all the knowledge and we help organisation understand. Give them the holistic picture. This is where you stand presently and this is where you need to go next. OK?</span></p>
<p><strong>Speaker 1</strong>: <span>Nothing unrealistic. If you are not very good, if I give you a place to go which is like excellent, you will struggle to go there. OK, so what is the next step to go? OK, step by step. OK, we help them to do that. Another thing we help them, or we help organisations to do is carry out cyber drills. Every organisation, every building does fire drill, isn't it? Are you ever of any building which haven't done a fire drill? OK,</span></p>
<p><strong>Speaker 1</strong>: <span>then why not cyber drill? Is the risk of having a cyber attack less or high? 
OK, so why aren't we doing cyber drills, like practising, validating that the plans which we have made are actually fit for purpose?</span></p>
<p><strong>Speaker 1</strong>: <span>So we help them to run cyber drills, cyber tabletop exercise. We help them to develop business continuity planning, run business continuity planning exercise for them. So we help them to develop resilience because those are resilient anticipating</span></p>
<p><strong>Speaker 1</strong>: <span>that something will go wrong because in the world of cyber we deal with</span></p>
<p><strong>Speaker 1</strong>: <span>not whether we will be attacked, it's like when we will be attacked, then what? OK, so minimising the impact. That's what we actually help organisation</span></p>
<p><strong>Speaker 1</strong>: <span>to form. We create them strategies. And then there are other services which we also deliver for them in the whole idea of creating cyber resilience. But along with that, we also have capabilities to provide them things like managed detection capabilities or like penetration testing and those kind of services which every company needs. OK, some of the technical services are provided by our partners, but we have created a one-stop shop for every organisation.</span></p>
<p><strong>Speaker 1</strong>: <span>And since you talked about, like, mainly focusing on cyber resilience, we also have a proposition, uh, called Cyber Complete. So Cyber Complete is a proposition, which the joint proposition between commercial insurance and Zurich Resilience Solutions,</span></p>
<p><strong>Speaker 1</strong>: <span>where some of our clients, they actually create free services delivered by Zurich's own risk engineers to help them develop cyber resilience, bundle services as part of their insurance premium. So</span></p>
<p><strong>Speaker 0</strong>: <span>do you need to pay an existing Zurich insurance client to be able to access this ZRS cyber services? 
You've been talking about</span></p>
<p><strong>Speaker 1</strong>: <span>No, to access ZRS cyber services, you don't need to be</span></p>
<p><strong>Speaker 1</strong>: <span>existing Zurich customer. You don't need to have cyber insurance with us. We provide service for Zurich cyber insured customers. We provide service for customers who are not cyber insured with us. They might have property insurance or other lines with us. Also, we provide service for organisation who is not... who doesn't have any sort of relationship with Zurich because our idea is to help organisation develop, develop cyber resilience.</span></p>
<p><strong>Speaker 1</strong>: <span>So cyber resilience. That's what we are providing, risk consultancy to help organisation develop cyber resilience and</span></p>
<p><strong>Speaker 0</strong>: <span>from all your experience, working with cyber underwriters and clients, what would you say, the top three gaps in cyber security that you see time and time again in organisations?</span></p>
<p><strong>Speaker 1</strong>: <span>The first gap I would definitely like to highlight is that there is still lack of security around identity and access management</span></p>
<p><strong>Speaker 1</strong>: <span>because, uh, as I mentioned previously, uh, we are no more working... like, not everyone is working from the secure perimeter of their office. So we are working from home. We're working remotely, so our identity has become our new perimeter. So securing of that identity is really, really important. Like having all the multi-factor authentications for privileged access, managing privileged access properly,</span></p>
<p><strong>Speaker 1</strong>: <span>uh, managing access, uh, for supply chain. That's very, very important for every organisation, that I will say, like, still not 100%. That's one thing, and talking about supply chain, supply chain risk management, cyber risk management will be my next gap, which we get to see. 
Uh, you will see that in the recent years most of the cyber attacks which happened, they were very much targeting the</span></p>
<p><strong>Speaker 1</strong>: <span>software supply chain like the solar and the latest one, the IT attack. They are all targeting the software supply chain. Uh, most organisations are still focusing on their own environment. They are still not trying to focus on the what's coming from outside. They have a back door in the supplier. So that's why we have a lot of service. We have created a lot of services to actually help organisation understand their supplier environment</span></p>
<p><strong>Speaker 1</strong>: <span>and understand the risk which they bring and also manage the risk: what controls, what the checks they need to have to manage that. So we have created that</span></p>
<p><strong>Speaker 1</strong>: <span>and finally I will say, if I have to summarise one gap, we still get organisations who are cyber secure, not cyber resilient. What's the difference between these two? Cyber security is all about having the right controls in place, the antivirus and all the things in place. Whereas cyber resilience is more anticipations, like</span></p>
<p><strong>Speaker 1</strong>: <span>if something goes wrong, then what? How will I recover? How will I come back to life? Organisations are still lacking that preparedness. Plans are perhaps there, but the whole planning, the validation of the plan is still lacking. That's why when I was talking about... you will see our services, they are very much on those cyber drills, helping organisations to run the cyber drills, business continuity exercise, all those things.</span></p>
<p><strong>Speaker 1</strong>: <span>So that's why we say cyber security... sorry, cyber resilience, not just cyber security. Cyber security is important and also, uh, I will echo what Lindy Cameron, the CEO of NCSC, said in this year's BIBA in Manchester. 
That cyber insurance industry is one of the few market-based levers who are... who actually incentivize</span></p>
<p><strong>Speaker 1</strong>: <span>organisations from having good cyber security controls and resilience. So what we are doing in ZRS, we are actually helping organisations to implement that much needed cyber resilience.</span></p>
<p><strong>Speaker 0</strong>: <span>Final question. What's the next frontier for cyber risk management?</span></p>
<p><strong>Speaker 1</strong>: <span>I would say cyber risk quantification. Communication between the cyber function and the business function or the, the decision maker has always been challenge in the world of cyber because the cyber... the language which the cyber team speaks are vulnerabilities, threats and all those things</span></p>
<p><strong>Speaker 1</strong>: <span>whereas, um, the language which the board of directors or the decision maker speaks is completely pound value, dollar value, euro value. So there has been a gap</span></p>
<p><strong>Speaker 1</strong>: <span>which</span></p>
<p><strong>Speaker 1</strong>: <span>cyber risk quantification is actually helping to bridge. It is the bridge between cyber threat and business resilience. So cyber threat, uh, cyber risk quantification is definitely the next frontier. So we also have a service around cyber risk quantification and we are helping organisations to actually quantify a risk in pound value. What is this risk means to me, and in dollar. And if I implement a control, how, what, what amount of risk reduction</span></p>
<p><strong>Speaker 1</strong>: <span>I'm having in dollar value, in pound value? OK, what is the reduction? That helps you to develop your business case, understand return of investment. That always helps you there.</span></p>
<p><strong>Speaker 1</strong>: <span>That's CIQ I will say is the next frontier.</span></p>
<p><strong>Speaker 0</strong>: <span>We have to leave it there. 
A thank you for joining us.</span></p>
<p><strong>Speaker 1</strong>: <span>Thank you, Mark.</span></p>
