Airmic

Dramatic cyber-emergency simulation raises tough questions

Dramatic simulation of a cyber emergency raises tough questions – and opportunities – for delegates

“You can’t prepare for a cyber attack from your desk,” Proferrsor Marco Gercke, director of the Cybercrime Research Institute, told delegates in the opening keynote address at Harrogate. “If you put someone in a real life situation, they will behave completely differently.”

To hammer home this message, Gercke and Peter Hacker, partner at Distinction Global, part of the Cybercrime Research Institute, simulated a dramatic and intense scenario of a cyber attack on a fictional company. A live panel of Airmic members and industry experts – designed to represent the company’s executive board – were grilled about how they and their insurance policies would react in a crisis situation.

How would you respond to contortion? Do you have a bitcoin account in order to pay a ransom? Would you risk losing clients in order to safeguard your computer systems? How open will you be with the media? These were just some of the challenging questions raised.

Cyber attacks cannot be prevented, Gerke noted, but they can be controlled. There is no blueprint for responding to an attack, and so “the important thing from this is to start to answer these questions. Each enterprise needs to go through an individual risk assessment and really analyse it in depth.”

Cyber crime is a board level issue, Hacker said. Chief executives can and do lose their jobs over how they respond in a crisis situation. And it’s impossible to overstate the lengths criminals will go to: he cited one example when cyber criminals organised an entire conference in order to fly out the CFO of a large company, offering him VIP treatment. During the 30 seconds he handed over his mobile phone at the conference security, they bugged his phone. An elaborate and convincing guise with devastating consequences.

This may be a board-level issue, but there are huge responsibilities and opportunities for the risk management and insurance buying community, the audience heard. You must understand your cover, Hacker said: and yet less than 10% of companies currently conduct a pre-incident stress test before they buy an insurance product.

Parties across the company must work together to understand how an ERM-wide approach will work in practice, Gerke said. “This is a big chance for the risk management and broker community to innovate. But it requires a different approach, one based on enterprise risk management.”