QBE: Minimise exposure: finance functioning against cyberthreats - James Tuplin

Finance directors are waking up to the risk posed by cyberattacks, but it can be hard knowing exactly what to do about it. James Tuplin, cyber-portfolio manager at business insurer QBE, speaks about those first important steps and how finance can help mitigate the risk of a cyberthreat.

For many companies, the data they possess is their most valuable asset - more valuable than any technology or bricks and mortar could ever be. The big-data era that we find ourselves in did not arrive overnight but is the culmination of three decades of network building, a process of connecting increasingly different computers and data sources accelerated by the rocket fuel of high-speed internet.

This process has had a considerable impact on many businesses, affecting everything from shopping habits to the reliability of the cars we drive and the way we communicate, and has helped level the playing field for small companies that, in many markets, no longer need big upfront capital to compete.

The problem is that every network connection is also an access point, open to exploitation by the wrong people. According to the annual cybercrime survey published by PwC, reported levels of cybercrime spiked this year, moving from fourth to second in the list of most common white-collar crimes. A quarter of respondents said they'd been the victim of cybercrime and, perhaps most worryingly, 18% were not sure whether they had or not. Around 50 organisations claimed to have suffered losses of more than $5 million, with a third of those experiencing losses in excess of $100 million.

For James Tuplin, cyber-portfolio manager for the European business of insurance company QBE, this spike in activity is feeding through. He previously managed cybercrime as one product area of a portfolio, but the workload got big enough that in February this year a dedicated cyber-role was created.

"Since I joined QBE in 2014, the amount of cyberpremium we've written has increased ten-fold," he says. "Two years ago, I'd see two or three quotes a month. Now I'm seeing three or four cyberquotes a day, and we are picking up multiple each month."

Everyone's problem

While cybercrime was once considered very much an IT problem, it is increasingly becoming a board-level, multidivisional consideration - finance included. CFOs and finance directors are increasingly being asked to sign off on multimillion-dollar IT security or software, a decision that requires knowledge of the threat faced and the likely effectiveness of any mitigation measures put in place. In these situations, communication between the IT, risk and finance teams is often the first hurdle that has to be overcome. It has to be made clear that cybersecurity is a business-critical issue, not just an IT issue.

"The CEO or CFO generally has to make those [investment] decisions on incomplete knowledge," Tuplin says. "The IT person who's going to suggest the product is not a risk person. They're a technology person, so they are often not particularly good at articulating the benefits or drawbacks of paying for a security system. Then you go to the risk manager and they say 'That's IT risk, not business risk'. Risk managers need to wake up to the fact that IT risk is as important as any other area of business risk, and they need to be able to build a common language with their IT function. Between the two of them, they can come up with a more complete understanding of the benefits and drawbacks."

Deep impact

Once all are on the same page, it's important to take a deep dive into the data on your company's computer system. What data do you have? How much is there and what proportion of it is highly sensitive? How is it secured and have you deleted everything that is no longer needed?

"You might have an important database but you forget that you've given access to a third party, which has downloaded it," Tuplin says. "You've now got it in two places. They then produce a backup, so you've got a third copy stored in the cloud. Your one database, which may be the lifeblood of your company, may be in four or five places. Look into your own company. What is the key data and how does one make sure it's secure?"

Insuring security

Once a company has a clear picture of its data, it can assess the current risk level and decide if more mitigation measures are needed. An insurance policy might well be the best course of action, in which case the type of business you run and the nature of your data retention systems come into play.

There are three main types of exposure to cybercrime. One is an incident that causes disruption to your business, an attack on IT that prevents you from operating normally. Two is the breach or misuse of data. The third area is a linking factor, the liability you face from either of the other two events taking place. The type of protection you need and the size of your insurance premium can vary considerably based on the nature of your business, so an initial period of self-examination is required.

"There's a huge variance of risk depending on the company," says Tuplin. "If your company is heavily exposed to web retail sales and your website is taken down, you're obviously very exposed to business interruption. If you are all on long-term contracts and you don't have computers for a week, it might not really affect your business so you have very minimal business interruption exposure. The same goes for data. The more data you have, the more sensitive you are to a breach. The less well you've secured it, the higher the losses are likely to be."

Need to understand

It's also important to have a thorough understanding of what is covered by your cyber and crime insurance policies, and what isn't. It's a common misconception that any crime involving a computer is, by nature, cybercrime. This is far from the case. A common computer crime at the moment is social engineering, essentially using deception and impersonation to steal money. An example of this is a criminal finding out personal information about a company CEO, calling the accounts department of their company and convincing an employee to wire money to what they believe is a legitimate bank account.

"The perception of something like that is that it's cybercrime but, honestly, it's fraud," says Tuplin. "No-one has actually hacked your system, or got past your firewall or passwords. They are trying to make you believe that this glass is diamond; the kind of thing that's been covered by crime policy for a long time. If you are buying a cyber-policy or a crime policy, check what they cover because it might be that you need both."

A personal matter

Knowledge of cybercrime and the risk it represents is certainly growing in the finance community, a process likely to accelerate going forward. A growing trend in the US is the filing of directors' and officers' (D&O) liability claims in cases where cyberattacks cause financial or reputational damage. At least two securities class-action lawsuits were filed against US retailer Target after 70 million sets of credit card data were stolen from its systems. The risk of personal liability is focusing the minds of directors and it's increasingly common to see IT security specialists taking non-executive roles on boards.

Then there is the 2018 introduction of the General Data Protection Regulation (GDPR), which will signal one of the biggest ever changes to data protection governance. It essentially gives individuals back control over their own data, allowing them to find out exactly what is being done with it and who they want to have it in the first place. If they haven't already, businesses are going to have to begin that process of data discovery to see what exactly is in their possession and how well protected it is. Luckily, the simplest, most obvious measures to keep data safe are often among the most effective.

"The basics are often quite easy, quite cheap," Tuplin says wryly. "Password protection is easy to govern, it takes minimum security, yet the top password time and time again is 123456 followed by 1234567, password and qwerty. That's why these things are hackable. It is this kind of thing that is easy to govern but can stop a lot."
