A five-step framework for understanding cyber risks
Blog article
Publication date:
09 May 2016
Last updated:
25 February 2025
Author(s):
Darren Wray
Cyber security and awareness of cyber risks is a particularly important topic and can make a huge difference to how well protected an organisation is. Which is why I was pleased to see that the CII's introductory course prospectus is aimed at those who want an improved knowledge of the fast-growing cyber insurance market and identifies typical customers and their need for cyber risks insurance. If you need an introduction to cyber risk insurance, the CII is a good place to begin, offering as it does a specialist course on the subject through its broker academy.
The UK insurance authorities, as well as our friends in the US, are ahead of the game when it comes to acknowledging the cyber peril. This may at least be in part because our media outlets feed us a seemingly daily diet of horror stories alerting us to the unpalatable dangers, although I'm concerned that this does have the effect of making people think there is nothing that can be done, or just plain numbing them to yet another data breach.
Is there reason still to be concerned about the apparent lack of cyber security literacy, awareness and risk assessments among corporate officials and insurance professionals? I believe so - and I will be explaining why in a short series of blogs that I have been asked to write for the CII in the coming months.
Many surveys and investigations into cyber risks point to a lack of understanding of the exposures that face insurance companies directly, as well as their customers. The National Institute of Standards and Technology (NIST), which is the public affairs office of the US Department of Commerce, is a good repository of information if you want to learn more about cyber threats.
I would certainly recommend that all insurance risk professionals read the Framework for Improving Critical Infrastructure Cybersecurity, authored by NIST in 2014. While this is aimed at a US audience, the framework focuses (in a non-technical and more executive-friendly way) on using business drivers to guide cyber security activities and considering cyber security risks as part of the organisation's risk management processes.
The framework also references and builds upon globally recognised standards for cyber security (such as ISO 27001), so it can be used by organisations located outside the US, as well as serving as a model for international/cross-company cooperation on strengthening critical infrastructure cyber security.
Potentially more pertinently, from an insurance perspective: "The framework uses risk management processes to enable organisations to inform and prioritise decisions regarding cyber security. It supports recurring risk assessments and validation of business drivers to help organisations select target states for cyber security activities that reflect desired outcomes."
The framework core functions, which I will outline in more detail in upcoming blogs, are defined below in five steps:
- Identify: Develop the organisational understanding to manage cyber security risk to systems, assets, data and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cyber security event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cyber security event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.
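To make the five functions concrete for a risk assessment, here is an added example (not code from the article, the CII or NIST) of a simple current-versus-target profile check: each control in a constructed inventory is tagged with the core function it serves and a maturity score, the scores are averaged per function, and the functions are ranked by how far they fall short of the target the business drivers call for. The 0-4 maturity scale, the averaging and the sample controls are assumptions made for illustration; NIST describes Profiles and Implementation Tiers at the organisation level rather than prescribing a per-function score.

```python
"""Added example: a minimal per-function gap check over the five NIST CSF core
functions. All control names, scores and targets are constructed sample data."""
from collections import defaultdict

# The five core functions, in the order the framework lists them
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# Constructed inventory: (control, core function, maturity 0-4; 0 = absent, 4 = optimised)
CURRENT_CONTROLS = [
    ("Asset inventory", "Identify", 3),
    ("Supplier risk register", "Identify", 1),
    ("MFA on remote access", "Protect", 3),
    ("Patch management", "Protect", 2),
    ("Centralised log collection", "Detect", 1),
    ("Alerting on privileged account use", "Detect", 0),
    ("Incident response playbooks", "Respond", 1),
    ("Tested offline backups", "Recover", 2),
]

# Constructed target profile: maturity the organisation wants in each function
TARGET_PROFILE = {f: 3 for f in FUNCTIONS}


def current_profile(controls):
    """Average maturity per function; a function with no controls scores 0.0."""
    scores = defaultdict(list)
    for name, func, score in controls:
        if func not in FUNCTIONS:
            raise ValueError(f"{name!r}: unknown core function {func!r}")
        if not 0 <= score <= 4:
            raise ValueError(f"{name!r}: maturity {score} outside 0-4")
        scores[func].append(score)
    return {f: (sum(scores[f]) / len(scores[f]) if scores[f] else 0.0)
            for f in FUNCTIONS}


def uncovered_functions(controls):
    """Functions with no controls at all: a blind spot, not just a low score."""
    covered = {func for _, func, _ in controls}
    return [f for f in FUNCTIONS if f not in covered]


def gap_analysis(controls, target):
    """Return (current profile, shortfall per function); negative = above target."""
    current = current_profile(controls)
    gaps = {f: round(target[f] - current[f], 2) for f in FUNCTIONS}
    return current, gaps


def prioritised_gaps(gaps):
    """Functions below target, largest shortfall first; ties keep framework order."""
    ranked = sorted(gaps.items(), key=lambda kv: (-kv[1], FUNCTIONS.index(kv[0])))
    return [f for f, g in ranked if g > 0]


if __name__ == "__main__":
    current, gaps = gap_analysis(CURRENT_CONTROLS, TARGET_PROFILE)
    for f in FUNCTIONS:
        print(f"{f:<9} current={current[f]:.1f} target={TARGET_PROFILE[f]} gap={gaps[f]:+.1f}")
    print("uncovered:", uncovered_functions(CURRENT_CONTROLS))
    print("priority order:", prioritised_gaps(gaps))
```

With the sample data the Detect function comes out worst, which is the usual finding when an organisation has invested in Protect controls but cannot yet tell that an event has happened; the ranking is what feeds the "target state" selection the framework describes.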
These practical functions do not provide a magic bullet that can be fired at cyber risks to make them go away but they should form part of a risk professional's advice weaponry.
If you consider that, according to the WEF's 2016 Global Risks Report, cyber crimes will cost the global economy $445bn in 2016 - more than the market cap of Microsoft ($411bn), Facebook ($314bn) or ExxonMobil ($332bn) - it really is time to get introduced to cyber risks.
Darren Wray, CEO, Fifth Step
This document is believed to be accurate but is not intended as a basis of knowledge upon which advice can be given. Neither the author (personal or corporate), the CII group, local institute or Society, or any of the officers or employees of those organisations accept any responsibility for any loss occasioned to any person acting or refraining from action as a result of the data or opinions included in this material. Opinions expressed are those of the author or authors and not necessarily those of the CII group, local institutes, or Societies.