What Companies Can Do to Increase Cyber Resilience

January 2, 2017

Company News, Risk Management

As cyberattacks intensify, companies need to prepare for the inevitable, according to Marsh & McLennan’s Executive Vice President and General Counsel Peter Beshar in a recent interview with The Wall Street Journal.

In the interview, Peter discusses how businesses are now facing digital threats that affect the physical world — industrial control systems, power systems, transportation networks and even the financial system — and the ways they can address them, including the sharing of best practices. Full text of the interview below.

How Companies Need to Address Cybersecurity Risks in 2017
From The Wall Street Journal, December 19, 2016
By Ben DiPietro

Peter Beshar, executive vice president and general counsel of Marsh & McLennan Companies, a global professional services firm that includes Marsh, an insurance brokerage and risk advisor, speaks about the current state of cyberthreats, what companies should be doing to protect themselves and the potential impact the Trump administration will have on cybersecurity.

How would you describe the state of cybersecurity risk?

Mr. Beshar: It’s a rapidly intensifying threat environment, markedly worse than a year ago, and it will likely be markedly worse a year from now. We’ve moved from a focus on credit card theft…to the world we’re in now, where the attacks are moving from the digital world into the physical world–kinetic attacks as people in the industry refer to them. Threats against critical infrastructure, industrial control systems that operate infrastructure, the dam attack in Rye, N.Y., chemical plants, nuclear facilities, transportation networks, the aviation industry, telecommunications networks, the financial system. That’s the way the threat has morphed and why some military officials say cyberattacks now pose potentially the greatest threat to national and economic security, even approaching nuclear weapons.

What should companies be doing to assess their risks?

Mr. Beshar: We are engaged in a race without a finish line, in which our adversaries are repeatedly changing their methods of attacks. For corporations, the objective is resilience, to be able to have a cyberattack occur and still be able to maintain the relatively smooth running of core operations. It is not credible to avoid any breach whatsoever at any time. Cyber resilience is the goal that all of us should be striving toward.

A good first step is to conduct a benchmarking exercise or assessment of your own cyberdefenses against some sort of industry benchmark. Just be credible and faithful in trying to say, if the industry standard is here, then I am here at this point. Then, what are the most logical steps you should be taking? One of the best responses is to enhance password protection, something like multifactor authentication. Training is important, trying to communicate how easy it is to be lured into clicking an improper attachment, whether through social media or email. What are your protocols for patching known vulnerabilities? You also should have a serious incident response plan, operating on the premise that you will be breached. What would you do? Who would be notified? At what point might you choose to disclose it? Under what circumstances would you reach out to law enforcement?

Is there a point of diminishing returns for companies where they decide it’s not worth having a digitally based business?

Mr. Beshar: You need to recognize the incredible benefits, the boon to productivity, the ability to execute so much more quickly on transactions—all of the work that has arisen as a result of this tremendous degree of connectivity. If you savor and enjoy all the benefits that come with that, you have to understand there will be a downside. The idea of disengaging from the digital world is artificial and not something we can credibly do and maintain the degrees of productivity. Perhaps there are certain pieces of data that may not automatically be connected to everything else, but in general this is a process where tremendous benefits have arisen.

How will the Donald Trump administration affect the way companies approach cybersecurity?

Mr. Beshar: President Obama’s cybersecurity commission issued its report and traced out a number of proposals. For the [Internet of Things], for instance, the recommendation is that IoT security need not rely solely on the end user; the end user is not the only person who has the responsibility to change the default password. Manufacturers and developers have an obligation to try to embed sounder security into these systems so that IoT does not become a new frontier of attack. That could lead to new requirements being imposed.

A Trump administration is less likely to regulate, though, so companies should try to develop best practices and reach out to the tech industry to find ways to convert best practices into common practices. We believe the power of the cyberinsurance underwriting process creates a number of economic incentives that have the potential to drive behavioral change in the marketplace. When a company embarks on the underwriting process, the first thing the broker or underwriter will do is ask what the current risk profile is like. That prompts the company to go through some sort of analysis and a candid assessment of its strengths and vulnerabilities.

Is the insurance industry keeping pace with coverage that meets companies’ evolving needs?

Mr. Beshar: We are heartened that a number of government institutions have identified the power of what cyberinsurance can do to encourage best practices and behavioral changes. Partly from those comments, but also from a focus on board members placing significance on cybersecurity, the cyberinsurance market is increasing significantly. The expectation is the volume of premiums in the standalone cyberinsurance industry will grow from $2.5 billion in 2015 to $14 billion by 2022.

The amount of coverage for many companies was a question of $20 million, perhaps $50 million, to cover the costs of credit monitoring and notification. But as the threat morphs from data to critical infrastructure, the sums and potential damages are growing. Marsh is now seeing companies buying $300 million, $400 million, $500 million of coverage. So the question is, what is the right way to assess a company’s cyber resilience for the underwriting community? Underwriters are experimenting with different tools, different price tags. The expectation is, as the threat continues to intensify the cyberinsurance market will continue to grow significantly.

It doesn’t seem as though any amount of new technology or money can stop cyberattacks. What else can companies do?

Mr. Beshar: There is no point a year from now, two years from now, where we declare victory and say the job is completed. This is going to be a dynamic back and forth, with new vectors of attack identified, potentially against new targets. We will be grappling with this issue for the rest of our careers.


About David Burjoski

As the Director of Communications for J.W. Terrill, David is responsible for all aspects of marketing, advertising, public relations, social media, and branding.

