The insurance industry can become a force for good for national security by helping to raise organizations’ cyber security standards, according to the Rt Hon Lord John Reid of Cardowan, the UK’s former defense secretary. “Governments and corporations need to recognize that the insurance industry has a key role to play in managing risk, but also in helping to raise organizations’ cyber security maturity levels,” Lord Reid told a record 350-strong crowd at Advisen’s annual Cyber Risk Insights Conference in London on February 25.
Lord Reid – who is also a principal at the Chertoff Group and Chair of the Institute for Security and Resilience Studies – added that the insurance sector had previous experience of influencing standard-setting.
Reid cited a focus on differentiating health premiums for smokers and non-smokers and requiring those with poor house maintenance to pay higher buildings insurance premiums as examples of standard-setting in broader society.
He noted that knowledge of cyber threats among the public and private sectors was “abysmal”, considering cyber risk is undergoing constant change and permeates all sectors of society.
He also acknowledged that governments have a crucial role to play, as the reliance of critical national infrastructure on technology posed a major threat.
“If a nation is going to war, why build a bomb?” Reid asked. “Use a phone instead. It acts as the warhead, the missile and the delivery system in one. Infrastructure is no longer physical, but now lies in software.”
The devolution of responsibility to private corporations for critical national infrastructure posed a “potential disaster” for the UK if any of the corporations were hacked.
Reid called for a “collective effort” between the public and private sector – especially insurance – to identify the “weakest link” in the supply chain and strengthen it.
“We need to raise general awareness of cyber threats, but make the weakest link in the supply chain as aware of the vulnerabilities as the more high-profile links in the chain,” he said.
In a separate panel discussing government initiatives to drive cyber security frameworks and standards, BAE Systems Detica’s Mark Fishleigh noted that a weak understanding of cyber risk in the private sector placed the onus for action more firmly at the public sector’s door.
“In a 2014 BAE Systems survey, just 50 percent of respondents said that their boards of directors fully understood cyber risk,” Fishleigh, who is director of the financial services practice, said.
“Governments are concerned that it is both easier and cheaper to launch global attacks and they are rightly concerned about national security,” he said.
Fishleigh cautioned that governments need to be sensitive in their dealings with the private sector, however, adding that getting the full engagement of industry will be a “real challenge.”
Russell Price, chairman of the Continuity Group, concurred. “Governments are there to act as a force to try and create change. Most boards aren’t stepping up and addressing cyber risk appropriately. The solution needs to address business needs and not just technology needs.
“That’s where insurance has a part to play – in engaging senior leaders,” Price added.
Sarah Stephens, Aon’s head of cyber and commercial E&O for the EMEA region, said that insurance “definitely” had a role to play.
However, “government-driven standards can provide a common framework and language – like an ERM framework” as well, Stephens said. “Standards can also provide risk managers or CISOs with the appropriate language to have a conversation around cyber risks.”