Keeping up with D&O developments in the Middle East

The article below, by Nicky Stokes, Head of Management Liability and Financial Institutions at New Dawn Risk, was originally published in Insurance Day magazine on 21st March 2020.

Historically, directors and officers (D&O) insurance has not seen significant demand across markets in the Middle East. There have been a number of factors behind this. Perhaps most significantly, the region is home to a swathe of large and wealthy family-owned private companies who have simply not seen the need for this type of risk transfer product. With demand for D&O insurance low, pricing of the product has been relatively cheap and it has been viewed as something that is a nice-to-have rather than as a necessity. Furthermore, the litigation environment – a potentially key driver for claims to be brought against directors and officers – has been comparatively benign in the Middle East.

Regulatory developments

However, there are signs that the situation is changing. Up until recently, there had been a patchwork of litigation regulation across the region; requirements are different under United Arab Emirates’ law and in the Dubai International Financial Centre, for example. But governments across the Middle East are keen to attract inbound investment into emerging markets and to compete with Western economies on a level playing field. In order to achieve this, standards of accountability and responsibility need to be approached in the same way. As a result, the regulatory burden is increasing as Middle Eastern states look to align with global standards and reporting requirements.

In the Kingdom of Saudi Arabia (KSA) there is a massive drive to regulate the financial services industry as part of the government’s National Transformation Plan 2020 and Saudi Vision 2030, designed to reduce Saudi Arabia’s dependence on oil, diversify its economy, and develop public service sectors. One key development among a string of reforms under Vision 2030 was the introduction of a Bankruptcy Law in 2018, to further encourage the participation of foreign and domestic investors by structuring the business legal framework and putting new regulations around businesses operating in KSA. This is having a direct effect on directors and officers as it makes it much easier to identify where obligations have not been met. Where duties are codified into law, it is much more straightforward to bring a claim.

In another development in December 2017, in a first for the region, the Capital Market Authority in KSA introduced a new class action regime for claims by shareholders of listed companies in the country. Earlier this year, the first lawsuit filed under the regime was brought against the former Board of Directors of Al-Mojil Group, its senior management and its auditor for alleged violations committed during the subscription in the company’s shares as part of its 2008 IPO. We should expect more to follow.

An international market

Meanwhile, recent events have underlined the global nature of the insurance market. A combination of increasing litigation and regulatory risks, more notifications, and profit pressures following years of premium reductions are prompting underwriters to carefully manage the capital they deploy for D&O risks. This has diminished insurer competition for buyers and resulted in higher rates and less favourable coverage terms for most buyers.

Rates for D&O insurance have been hardening in the UK, and latterly the US, for some time. But in the last few weeks we have seen prices in the Middle East follow suit, broadly in line with US levels, with increases ranging from broadly flat up to 15% to 20%. Because the D&O market is comprised of a large number of international insurers, price changes in the region are being driven from a top-down perspective. Those that have been hit hard in terms of losses in the UK and US, for example, are looking to remediate their books elsewhere.

Looking ahead, risks facing directors and officers in the Middle East are broadly in line with those that their counterparts are exposed to elsewhere in the world. Cyber is high on the agenda and there have been a number of recent cyber events in KSA that have hit both government ministries and petrochemical firms, generating significant losses with the potential to impact the D&O market. Saudi Aramco has seen an increase in attempted cyber attacks since the final quarter of 2019, which the company has so far successfully countered, but it is seeing a trend of increasing magnitude and frequency of incidents, a trend it expects to continue.

It is unknown at this early stage, but it is likely that we will also see a string of claims against directors and officers as a result of the coronavirus pandemic. The situation is changing rapidly, but businesses in the Middle East and elsewhere should brace themselves for a likely flood of shareholder lawsuits. We have already seen massive share price drops, and if investors feel they were not fully informed about supply chain vulnerabilities or distribution problems, they may choose to litigate. While there is no guarantee that these claims will be upheld, there is a potentially significant exposure to directors and officers in terms of defence costs. Underwriters and brokers alike are tracking D&O developments in the Middle East closely.

Nicky Stokes is Head of Management Liability and Financial Institutions at New Dawn Risk


For the time being, while the infection risks from COVID-19 are high, and in line with government advice, we have taken the decision to switch all the New Dawn Risk team to a home working protocol.

The good news is that we have upgraded the quality of our remote working facilities across the board, with this eventuality in mind. This means that our entire team will still be accessible on their office phone numbers (or via their mobiles), by email and by videoconference (using Microsoft Teams, or indeed any other videoconference channel). 

Both we and the London Market remain very much open for business, and we are in continuous contact with our underwriters. If you are having trouble connecting with London insurers through other channels, I have no doubt that we can assist. Please feel free to call or email any of us. You can find phone numbers and email addresses here:
https://www.newdawnrisk.com/our-people/

We look forward to working with you in new ways, via conference calls and videoconferences, for as long as the health issues remain significant.

Stay safe and healthy!

Max Carter, CEO at New Dawn Risk

The article below, by George Styles, Professional Risks Broker at New Dawn Risk, was originally published in Insurance Day magazine on 28th February 2020.

Steps are being taken to legalise marijuana, but the opportunity is too significant for insurers to hang around for the law-makers to catch up with the market

The legal medical and recreational marijuana industry in the US is already sizeable. In 2018 it was estimated at $10.4bn, outstripping the American population’s collective spending on Netflix.

This is set to grow further. Marijuana companies raised $13.8bn in funding in 2018, four times the amount raised the previous year, according to cannabis industry research firm Viridian Capital Advisors. With a growing number of states voting to legalise marijuana, a report by AM Best released last year forecast that legal sales will increase to $22bn by 2022.

The industry already employs hundreds of thousands of workers, spanning a range of business segments. These include cultivation, processing and harvesting, manufacturing, testing, distribution and retail. Each business has need of protection against a selection of specific risks, including crop insurance, equipment breakdown, motor liability, directors’ and officers’ liability, errors and omissions, cargo, employee theft and so on. But despite this growing demand, many carriers are reluctant to get involved.

Unusual situation

The US cannabis industry is operating in something of an unusual situation at the moment. Thirty-three US states and the District of Columbia have laws allowing the use of medical marijuana. Ten of those 33, as well as DC, have legalised recreational marijuana. However, the plant remains illegal under federal law as a Schedule 1 drug.

As a result, it is difficult for companies in the cannabis industry to secure banking and insurance relationships. The Lloyd’s market, for example, does not provide coverage for businesses in the US because of the drug’s federal status as an illegal substance. In contrast, it does in Canada, where its use became legal in 2018.

Insurers are wise to be wary – this is something of a legal minefield. For example, the Federal Bank Secrecy Act requires financial institutions – including insurers and broker-dealers – to report to the Department of the Treasury any transactions in excess of $5,000 they have reason to believe involve assets derived from illegal sources. The penalties for failing to do so are severe, including prison terms.

Elsewhere, the Money Laundering Statute makes it a felony for any person to engage in a financial transaction the individual knows involves the proceeds of an unlawful activity. This would include any activity involving (directly or indirectly) the proceeds of cannabis and penalties include up to 20 years in prison.

Crucially, enforcement of these laws depends on the view of the attorney-general, who directs the attitude of the Department of Justice with regard to prosecution. In 2019, attorney-general William Barr said he will not pursue cannabis businesses that are operating legally within their state jurisdiction. However, insurers have no assurance these comments extend to financial institutions engaging with cannabis businesses, nor is there any guarantee the policy extends beyond the tenure of the incumbent attorney-general who made this statement.

On top of this is the judiciary, which, all the way through to the Supreme Court, has shown a more consistent willingness to affirm and uphold criminal prosecutions involving cannabis.

Moving forward

Against this backdrop, carriers are unlikely to enter into the market until marijuana is decriminalised at the federal level and banking regulations change. However, we are seeing steps being taken towards legalisation.

For example, the Secure and Fair Enforcement Banking Act, which would enable banks to offer loans and other banking services to marijuana businesses, including contractors and vendors who never touch the plant, passed through the House of Representatives last year, but it is uncertain if or when it will get through the Republican-controlled Senate. Meanwhile, the Marijuana Opportunity, Reinvestment and Expungement Act, which would remove marijuana from the Controlled Substances Act, continues to make slow but steady progress through the House.

While it is exceedingly unlikely this legislation will be passed this year, it seems certain to be at some point – the momentum behind legal marijuana appears unstoppable. The insurance industry cannot afford to wait and is not hanging around for law-makers to catch up with the market.

In December, the National Association of Insurance Commissioners’ cannabis insurance working group approved a white paper outlining the challenges for the insurance industry in regulating cannabis and establishing a guideline for state insurance regulations. In the same month, the US National Cannabis Risk Management Association set up a member-owned insurance company to help it manage and transfer its risks.

These are positive steps forward but there are clearly issues still to be resolved. This is an emerging area and insurers are just finding out the full scope of the risks they may have to deal with and the types of claims they may get. This means both personal and commercial lines insurers need greater access to quality statistics on actual losses. That will come through studying early claims in states where marijuana has been legalised to help determine their risk appetite.

Ultimately, the size of the opportunity is significant – all stakeholders in the insurance industry need to work together to understand the issues and develop innovative solutions to be able to maximise it.

George Styles is a professional risks broker at New Dawn Risk


The article below, by Tom Malcolm, Head of UK Cyber at New Dawn Risk, was originally published in Insurance Day magazine on 3rd February 2020.

Most people look forward to retirement, and many have a ‘bucket list’ of ideas for what they want to do.

However, in the rapidly moving world of cyber risk, one fact of growing importance that is regularly missed by new retirees is that the withdrawal of the corporate umbrella also means the withdrawal of corporate cyber protection. Once the company laptop and phone are handed in, retirees are on their own with IT, and will, possibly for the first time in their lives, have to navigate their own way through the murky waters of cyber safety.

A critical multiplier of this problem is that not-for-profit organisations which interact with the retired community tend to have much lower levels of cyber protection than actively commercial companies. This means that this area is high risk and yet also severely under-protected – an almost perfect storm of increased vulnerability.

Active retirement

Most people who retire want to try something new, and the most common list of ideas includes taking holidays, volunteering or joining a club.

Unfortunately, all of these activities are characterised by high levels of cyber risk. Take travel. With 81% of holidays being booked online (Association of British Travel Agents), it is estimated that only 29% of travel sites offer full protection against phishing attempts. Holiday money firm Travelex was subject to a large-scale ransomware attack in January 2020. Although denied by Travelex, the hackers claim they had been in the Travelex systems for six months and had taken 5GB of sensitive customer data.

Meanwhile, local clubs and volunteer organisations also carry high data risk for participants. Almost all clubs and volunteer organisations have extremely low levels of data protection and limited cyber awareness. Payment protocols for club membership fees can be very insecure. Sports and social clubs and the like often have amateur committees, which leaves cyber awareness low and subject to chance. For example, if the club treasurer’s computer gets hacked, the direct debit and payment details of all members can quite easily be accessed.

With the exception of a few of the largest, charities rarely have the manpower to manage and protect fully against cyber risk. At their core, charities are looking to help the people they serve. This is done by maximising the money spent on their chosen sector, and so additional spend and allocation of time on other security matters is limited.

But at the same time, they hold funds as well as personal, financial and commercial data. There are signs that this risk is now being recognised. The number of charities who treat cyber security as a high priority has gone up to 75% in 2019, compared with just 53% the year before, and is now at the same level as businesses.

With good news at the charity level, individuals here can help widen awareness of the issue by focusing on cyber security for any small community organisations that they’re involved in, and by asking whether some form of protection can be afforded.

Ill health and social care

Many older retirees have issues with health, mobility and care. People become more vulnerable, and yet the organisations that they interact with are not famed for their ability to protect the people they look after from hacking and related issues.

Hospitals and doctors’ surgeries have been at the centre of large-scale hacking incidents more than once, while care homes are acknowledged as often lacking strong central IT resources, not to mention the risk factors that come from large numbers of care workers having direct access to residents’ belongings, including bank cards and data. A glance at the findings of Australia’s recent Royal Commission on care for the elderly gives some horrifying evidence of how regularly those who live in homes can be preyed upon by the teams that are supposed to care for them.

Individuals can do little to influence hospitals or doctors’ surgeries, but here the risks have become better known since the 2017 WannaCry attack paralysed 60% of NHS services. We are all reliant on both private and NHS organisations investing in cyber protection and ensuring that they prioritise the safe management of patient data. Of course, it is worth considering that private medical facilities are in some ways more of a risk than the NHS because, although better funded, they will hold details of patients’ payment information alongside their medical records, doubling the impact for those involved.

Creating a cyber shield

Those who are cared for at home will also be vulnerable. They are often alone, accessible to casual visitors, and with their bank details and cash available to anyone who visits the home. The risks are obvious, but what is less clear is how to take action to build a complete protective shield around the growing retired community, helping them to ensure that they, their data and their finances are protected throughout the later years of their lives.

Families cannot shoulder the whole burden. So, what can those businesses who work with the elderly do to protect their community? Care homes are a particularly vulnerable part of the front line, as they hold a huge amount of personally identifiable information (PII) on their patients. Much work could be done here, in terms of increased training and awareness for care home staff and for families of residents, combined with an up-to-date and well-maintained IT infrastructure. Insurance coverage also needs to be increased, with a step change needed in residential home groups’ awareness of the need to protect their residents from cyber risk at every level.

Solutions can be found

Action is needed, and the insurance industry can help with this. Care homes, private hospitals and charities are at the front line. All of them need to tighten their cyber protections, and also develop greater awareness of the need to knit together full protection for the people in their care. Let’s work with these groups to build their education and protection as much as we can.

Tom Malcolm is Head of UK Cyber at New Dawn Risk


The article below, by Amal Jallouq, Head of Treaty Placement at New Dawn Risk, was originally published in Insurance Day magazine on January 9th, 2019.

The turnaround of the Egyptian economy in the past three years has not gone unnoticed and last year it was hailed by investors as the best reform story in the Middle East. The country’s economic growth rate in 2018 was the highest since 2010 and Egypt’s deficit fell to 8.2% of GDP in June 2018 from 12.2% three years ago.

The reforms launched by the authorities cover competition policy, public procurement, industrial land allocation and state-owned enterprises, and sustained implementation will be essential to ensure statutory changes achieve meaningful results in the business climate. Alongside this, the government has also begun to strengthen its financial services regime, which, combined with strong economic growth, makes Egypt an emerging economy to watch for insurers in the next 12 months.

The authorities are introducing new insurance regulations. The current capital level for life and non-life companies is set at E£60m ($3.7m). The Financial Regulatory Authority (FRA) said the minimum capital of life and non-life insurers will be raised to E£150m, while the capital of non-life insurers covering oil or aviation risks will be set at E£300m and the minimum capital of health insurance shall be established at E£60m. The minimum capital of reinsurance activities will be set at E£1bn and the minimum capital for insurance and reinsurance brokerage shall rise from E£2m to E£5m.

With the introduction of the new amendments, healthcare companies will be controlled by the FRA.

In compliance with the new law on minimum capital, eight Egyptian insurance companies – Misr Takaful, Suez Canal Life, Suez Canal P&C, Mohandes Insurance, Mohandes Life, Delta Insurance, Royal Insurance and Egyptian Takaful – have increased their capital.

Risk management

Under pressure from the supervisory authorities, Egyptian insurers are establishing risk management committees to meet the credit rating requirements of international agencies such as S&P Global, AM Best and Moody’s. The objective is to comply with the new regulatory and prudential requirements imposed by the new international standards.

The FRA has granted takaful insurance companies an additional six months to comply with the new regulatory requirements. The deadline is set for February 24, 2020. However, the companies involved were required to submit a plan of action to the FRA by September 30, 2019.

A new comprehensive health insurance system has started with a pilot in the coastal governorate of Port Said in July last year, registering close to half a million citizens. The system will be rolled out nationwide by 2032. The scheme was first announced in 2018 as a mandatory subscription to health insurance at a cost ranging from E£1,300 to E£4,000 a year, on a scale linked to income. Poorer families, reckoned by the government to account for about one-quarter of the population, will receive cover free of charge.

The FRA has recently made it compulsory for microinsurance institutions to provide borrowers with insurance protection against death and total disability. The limit is equal to the balance of the microloan owed by the borrower. There are 650 microfinance institutions and the target audience is a new segment that has not been served before.

In recent years, the Egyptian market has seen the formation of a number of risk pools, with the newest being the compulsory motor insurance pool with a total member count of 18 companies. Older pools include one covering trains and subway accidents. The motor pool was approved in February 2019 by the FRA.

The Insurance Federation of Egypt has announced it is working on a pool covering natural disasters. In addition, there have been proposals by private sector companies to establish pools for aviation and oil risk to retain more of the risks within Egypt and allow the smaller, newer companies to write a share of the risk, as opposed to it being concentrated with more established companies.

Finally, the FRA has proposed a bill imposing an insurance cover against divorce. This insurance will be compulsory for any marriage. According to the authorities, the objective of this law is to protect the Egyptian woman in case of divorce.

However, there are a number of ambiguities surrounding this project. For instance, the conditions for the designation of the policy’s beneficiary are not clear. Also, no clarification has been made on the scope of the law: will it apply to all communities? The FRA is preparing an actuarial study to determine the insurance premiums and compensation amounts in the event of divorce. As of 2017, the divorce rates in Egyptian cities skyrocketed to 60%, while some villages reported 39% and some reported less. Most divorcees fall in the 25- to 30-year-old age group.

Amal Jallouq is head of treaty reinsurance placement at New Dawn Risk


In an interview with Middle East Insurance Review, New Dawn Risk’s Head of Treaty Production, Dermot Dick, explained why small reinsurance brokers are finding a niche in emerging markets as more customers are prioritising value over price.

The article considers how independent, nimble intermediaries are better placed to focus on areas of a client’s business that the larger players may not really be interested in or are not capable of dealing with. This is leading to a shift back to small and medium-sized brokers who are often more responsive to client needs and have the ability to offer bespoke products instead of just providing something off the shelf.

CEO Max Carter was recently interviewed in Singapore by Asia Insurance Review magazine for an article titled: A new dawn for liability in Asia?

The piece highlights New Dawn Risk’s growth plans in the region, including how we are aiming to provide insurers in Asia with greater provision to write liability risk through broader reinsurance treaty arrangements. This will help forward-thinking insurers to compete on a level playing field with the big international players that are already operating in these markets.

The article below, by Amal Jallouq, Head of Treaty Placement at New Dawn Risk, was originally published in Insurance Day magazine on October 20th, 2019. 

In recent years the Indian government has made a number of moves designed to strengthen the domestic reinsurance market, while at the same time opening up opportunities for foreign players. These included the raising of foreign ownership limits from 26% to 49%, permitting Lloyd’s to set up a platform in India, and introducing changes to the regulations pertaining to foreign reinsurers which have seen most of the world’s largest international players set up branches in the country.

The appeal to these businesses of doing so is clear – India offers huge potential. GDP growth, while slightly below forecasts in 2018, remains at around a healthy 7% this year. It is the world’s second most populous country, yet insurance penetration remains low, albeit growing. In 2017, it reached 3.7%, up from 2.7% in 2001, but still some way behind mature insurance markets.

A growing insurance industry

A number of factors will continue to drive the development of the insurance industry in India. These include rising levels of wealth, growing awareness of the role of insurance, increased risk of natural catastrophes due to climate change and growing involvement from a government that is recognising the societal good that insurance can deliver.

Recent Indian government initiatives include the introduction of: a National Health Protection Scheme to provide coverage of up to 500,000 rupees to more than 100 million vulnerable families; an agricultural crop insurance scheme that benefitted 47.9 million farmers in 2017-18; a life insurance policy of 200,000 rupees to those who previously had no access to such services; accidental death and disability cover; and a recently launched research project that is trialling a number of complementary solutions, including drought and flood insurance, improved seed varieties, weather forecasting services and climate-smart farming practices. These developments offer tremendous potential to the re/insurance industry.

Technology is another key growth driver. While Indian re/insurers initially approached insurtech-led innovation with a degree of caution, they witnessed the change that it could bring to other industries and are now embracing it wholeheartedly. As they seek to make up for lost time and generate real value, whether by way of data analytics, cost reductions, process efficiencies or radical changes to the customer experience, the insurance landscape in India is being transformed.

Playing the long game

As international reinsurers consider these opportunities, they rapidly come to realise that the Indian reinsurance market is unique. It is intensely competitive, marked by a dynamism and an entrepreneurial culture that sets it apart from other more conservative emerging insurance markets, such as those in the Middle East.

Buyers negotiate adroitly; they drive a hard bargain and are not afraid to walk away if they think they can get a better deal elsewhere. Many are looking for the broadest coverage on the cheapest terms and as a result are placing business all over the world, including in locations with no established reinsurance track record. Inevitably, a decision to buy mainly based on price may not ultimately have a positive outcome, but this is part of a steep learning curve.

The Indian reinsurance industry can benefit greatly from more hands-on support from established international players, who can share knowledge and experience to help accelerate the development of the market. For example, to properly assess and price risks of export-oriented Indian manufacturers, technology, and business service companies with US exposure, it is vital to understand the effect of the US legal system – characterised by high defence and legal costs, class actions, and large awards/damages – on professional, product, and management liability claims. Other knowledge and expertise transfer opportunities exist for cyber, terrorism, space and aviation and natural catastrophe coverage.

This, of course, can be a two-way street: an exchange of information can be mutually beneficial, as non-Indian reinsurers need guidance of their own to navigate what is, after all, a foreign market with its unique forms of business systems and institutions, and a distinctive form of capitalism that cannot be understood using Western frameworks. To this end it is vital to seek out and build strong, mutually beneficial relationships with local entities, as well as the regulator.

Indeed, those with intentions to operate in the Indian reinsurance market need to have a long-term strategy. According to IRDAI, out of the nine foreign reinsurance branches in India, in FY18 only three reported a net profit while the rest reported losses.

A global reinsurance hub?

Yet the regulator’s ambition is undimmed – IRDAI has now set its sights on making India a global reinsurance hub. Its annual report in 2018 highlighted the ample scope for the re/insurance industry to expand “aggressively and inclusively”, and claimed that India’s geographical location in the heartland of South Asia, as well as its relationships with the Chinese and Middle Eastern markets, will position it to become a reinsurance leader.

The regulator also points to the development of Gujarat International Financial Tec-City (GIFT City) in Ahmedabad as a step in the right direction, indicating India’s aspiration to compete with global financial centres like Singapore, London and Tokyo.

However, a potential fly in the ointment is the current need for foreign reinsurance branches in India to maintain a minimum retention of 50% of Indian business, and IRDAI has upheld its order of preference rules that give first refusal in reinsurance contracts to the country’s only active domestic reinsurer, GIC Re. Some feel that the regulator should first create a level playing field for reinsurers in the country and then look at making India a reinsurance hub. In the meantime, insurance businesses of all sizes operating in India need to position themselves for the opportunities that are right around the corner.

Amal Jallouq, Head of Treaty Placement, New Dawn Risk


The cyber health of an organisation can be measured with some accuracy. A company’s attitude towards its cyber security, training, accreditations and insurance gives a clear picture of how well-managed cyber risk is by that individual firm.

For many firms, however, their measured score on this topic would be disappointingly low. Cyber risk has been a buzzword for the last three or four years, and corporate focus has heightened further due to the GDPR legislation, which shifted responsibility for data security firmly into each individual firm’s lap.

Firms such as British Airways have lost or been fined millions for cyber breaches, and many organisations, including NHS hospitals, have had their operations closed down temporarily by cyber hackers.

Human nature is the problem

But human nature is amazingly resistant to change.  In spite of numerous high-profile attacks in the last couple of years, there is still a fundamental lack of true cyber awareness in many businesses and a low adoption of cyber basics.  Just take a look at your own online profile and consider the following statements:

  • We all know we should change our passwords often (but rarely do).
  • We all know that we shouldn’t open suspicious-looking emails and links, but we often do it anyway.
  • Many organisations have outdated firewall and anti-virus software, in spite of having teams dedicated to managing their cyber security.

Training can help

The unpalatable truth is that the cyber security community is beginning to understand that corporate firms need government support.  This is most important in the areas of education and training.  In most regulated industries there is a requirement to Know Your Customer (KYC).  It is also mandatory for the company to deliver ongoing training and learning programmes to all staff, as well as CPD (continuing professional development) and compliance training.

Love or hate the regulated environments that exist, they promote and maintain high levels of safety and financial security for the industries they serve.

By contrast, the 2019 UK government survey on cyber security found that only 38% of small firms were aware of Government cyber security initiatives and accreditations, rising to 48% in large firms*.  However, 80% of the cyber-attacks occurring every year could be prevented by adherence to the five controls recommended by the UK Cyber Essentials training programme.

Cyber Essentials

Now, for the first time, decisive steps are being taken by the government to provide education and training, and firms need to be aware of them.  The Cyber Essentials Scheme was first off the blocks.  This is the UK government accreditation, designed to educate the workforce and protect organisations from the most common cyber-attacks.  Find out more at https://www.cyberessentials.ncsc.gov.uk

The Cyber Essentials programme had an initially high uptake but has since disappointed with low corporate retention.  Many firms have slipped behind and are now non-compliant with the accreditation.  This lack of focus has forced the government, for the first time, to take measures to push education in the field.

From 2020 all UK government vendors will be required to hold the Cyber Essentials accreditation and to keep it updated.  This move is intended to create a non-regulated half-way house, making it important for firms to become accredited, and for the Cyber Essentials credential to become widely accepted as a prerequisite for doing business with any organisation.

Regulation is not here yet, but it is clear that the government is serious about ensuring firms prioritise and manage their cyber security.  Firms that do not currently do this need to up their game.

Attack the issue on several fronts

Even if your firm is not prepared to work towards Cyber Essentials, there are other steps that can be taken.  All firms, no matter how big or small, should be reviewing their cyber exposure and regularly checking that the controls they have in place are adequate.  Educating the workforce is a further important step to consider.  All this can then be supported by a cyber insurance policy which, if these measures fail to prevent a cyber incident, will help an organisation to mitigate the effects both during and after the event and get back on its feet again.

In summary, there is much that can, and should, be done to protect a firm of any size against this new and pervasive risk to businesses.

Next steps

If you fit into the category of ‘let down by human nature’ and would like to do more to cyber-secure your organisation, here is our checklist of steps to take to improve your cyber status:

  1. Check your GDPR position and ensure you are compliant
  2. Sign up to Cyber Essentials, and ensure you stay current with training requirements and updates
  3. Invest in education for your workforce – helping them to behave in a safe and secure manner online
  4. Protect your organisation with a cyber insurance policy, should the worst happen

Tom Malcolm is Head of UK Cyber at New Dawn Risk and advises clients on all aspects of cyber cover, protection and risk. For further information please get in touch cyber@newdawnrisk.com


* SOURCE:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/791940/Cyber_Security_Breaches_Survey_2019_-_Main_Report.PDF

Board members are key decision makers for every firm.  They also play a pivotal role in safeguarding a company from both internal and external pressures.  In a listed firm the board will look to protect the interests of shareholders and employees, while in a private company the focus is usually on helping management to make consistent and effective decisions for the business.

However, boards are generally not well structured for assessing and prioritising cyber risk.  Age is one factor.  But there is also recruitment bias to contend with.  When recruiting for the board, the typical skillsets favoured by recruiters include law, regulatory expertise, financial and accounting qualifications or HR experience.  Notably missing from this list are IT, risk management or cyber security expertise.

The UK government’s own 2019 survey found that currently only 38% of small firms have in place board members or trustees with responsibility for cyber security.  In large firms, less than 60% have a specific board member with oversight of this key risk.  Worst of all are charities, where the number is only 30%*.

This is shocking, given the potential impacts a cyber event can have on a firm – from prevention of trading to loss of reputation, or data theft fines and reparations.

The challenge is increased by the fact that not only are a board’s external Non-Executives unlikely to have been recruited for their IT skills, but frequently a firm’s Chief Information Security Officer (CISO), or equivalent, will not sit on the board, leaving a gap in decision-taking expertise and sometimes even in board awareness of the risk at all.

The challenge is not just one of ‘being in the room’.  Attitude and communication are also important barriers to a board’s understanding of how to manage cyber risk.  Former CEO of Lloyd’s, Dame Inga Beale, commented that “communicating in the same language is one of the barriers to effective collaboration between boards and information security functions”**.  The challenge is for an IT specialist to speak clearly to the board, to address their main priorities, and in doing so to move beyond technicalities and into overall business risk.

How can this be achieved?  There are some simple rules which can make a big difference.  Firstly, it is critical to use effective and simple tools to illustrate the risk: for example, using financial models to demonstrate the cost of a data breach, rather than system maps showing outages in terms of time and physical areas affected.

The CISO needs to team up with other departments to clearly analyse the effect of a cyber incident, including looking at elements that are not within their remit, such as public relations and associated negative publicity, legal ramifications, and impacts on share price, revenues or profits.  These are issues that boards understand and can respond to much more easily than system-focused descriptions.

Overall, the approach must be to give the board issues that they can quantify and use to measure the potential financial impact on the business.  Conversely, don’t use jargon that may make the board feel out of their depth, as this will make them reluctant to question, become involved or take decisive action.  The point of having a board is that, regardless of their technical knowledge, they should still be able to provide valuable advice and help management steer around both new and old risks.

Managing a board is a skill in itself, and getting the decisions made that you need becomes doubly tricky in the relatively new and complex field of cyber risk.  If cyber security is your responsibility in a firm, you need to arm yourself with the understanding of a board’s approach, as well as taking time to talk in their language.  The board’s input can be valuable.  The key to getting the best out of them is to articulate clearly the whole-business impacts of a cyber risk.  It is simply a case of learning how to speak the language of the board.


Tom Malcolm is Head of UK Cyber at New Dawn Risk and advises clients on all aspects of cyber cover, protection and risk. For further information please get in touch cyber@newdawnrisk.com


* SOURCE:
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/791940/Cyber_Security_Breaches_Survey_2019_-_Main_Report.PDF

** SOURCE:
https://www.infosecurity-magazine.com/interviews/infosec19-interview-dame-inga-1-1-1/