Cyber insurance complements security controls, says Aon

Cyber insurance is a good complement to a high level of information security controls, says Aon Risk Solutions


Despite high levels of controls to match high levels of risk, almost one-third of financial services companies have experienced data breaches or significant system failures in the past 12 months, according to a study by Aon.

The study is based on analysis of responses submitted to the firm’s online Cyber Risk Diagnostic Tool to help organisations identify and consider the key factors that affect their levels of cyber risk. 

“The tool provides a high-level assessment of controls, and scoring is based on the size and type of business,” said Sarah Stephens, European head of cyber and commercial errors and omissions insurance at Aon Risk Solutions.

“We are now starting to do some analytics on the data gained from around 700 responses, so that not only can businesses benchmark themselves against their peers, but they can also get an idea of what other risk profiles look like in different industries or for different-sized organisations.”

Aon plans to release the results of its analysis of responses from financial services institutions at the UK Financial Services Cyber Security Summit in London on 15 July 2014.

In an exclusive preview of the analysis results, Stephens said financial services reported the highest level of laptop encryption, with 52.4% of all respondents stating they had a consistent process to ensure all data on company laptops was encrypted.

“While this is the largest percentage across all the sectors involved, it also shows that a surprisingly large proportion of companies across all sectors, including financial services, may not be adequately protecting the sensitive/critical information they hold on their mobile media,” said Stephens.

The analysis also revealed that 35% of financial services companies report on cyber risk to their boards “through normal business operations only”.

“One way to interpret this is that this percentage [of firms] relegate cyber risk to being 'an IT issue' and therefore are not actively engaging in this business-critical risk from a senior management level,” said Stephens.

Despite the high level of controls, the analysis also identified some weak areas, including the management of outsourcing relationships as well as mobile device management, she said.

At the Financial Services Cyber Security Summit, Stephens will also discuss the topic of cyber risk insurance, including how many institutions in the sector are buying such insurance and some of its typical costs.

“We find that banks and other financial institutions have not yet fully baked cyber risk into their operation risk processes,” she said.

“Including cyber risk trigger scenarios in operation risk processes is step one, and step two would be checking how the controls they have in place are working and whether there are any weaknesses or gaps in those controls, such as checking for encryption of sensitive data on mobile devices.”

Stephens said organisations need to identify potential weaknesses in control processes and how these weaknesses can be eliminated or mitigated.

“And while there is a greater emphasis on cyber attack prevention for financial services institutions, we see that attacks cannot always be avoided, so part of a good strategy is to round out that prevention with some risk transfer through appropriate insurance cover,” she said.
