The rise–and rise–of cyber and privacy

The Australian insurance market continues to experience volatility driven by many factors, none more significant than the unpredictable nature and pace of technological change, which is serving to magnify the impacts of cybercrime and the challenges of big data.

Technology has and will continue to transform the way an organisation operates and engages with its customers—it’s about personalisation, big data, analytics, AI, automation and blockchain. Customer-centricity will continue to be the buzzword, deeper interrogation of customer behaviours will be the norm, bots will become more mainstream, AI will drive the claims function, and advanced drone technology will play a huge part in the insurance sector in the assessment of affected areas after a catastrophic event.

But with advances in technology comes the potential for a disruptive threat landscape, characterised by significant privacy and cyber risks. And with legislation and regulation struggling to keep up with the pace of change, and cyber risk premiums on the rise as well as a continued focus on privacy-related legislation in the Australian market, insurers need to be one step ahead in what is a competitive and consolidating cyber-insurance market.

Mark Doepel is Sparke Helmore’s cyber and privacy specialist. To understand more about the trends and challenges in the privacy and cyber space, we posed the following question to him.

Cyber and data privacy is a global issue. Given global issues can quickly become local issues, what are you seeing as being the trends that insurers need to keep top of mind as they continue to deliver on tech-driven business models designed to enhance customer-centricity?

There is so much going on. Cyber and privacy are very much pegged as a top-three enterprise risk, particularly in jurisdictions like the United States, Europe, Australia and parts of Asia where they are the subject of much media coverage and government debate. There is absolutely Board and C-Suite visibility, and management is heavily invested in developing more comprehensive cyber and privacy frameworks.

Legal compliance is a going concern. Regulatory change is accelerating, so too are jurisdictional and sectoral inconsistencies, all of which complicate organisations’ compliance efforts. Despite legislators’ best intentions, the patchwork of rules and obligations, particularly for multi-nationals, are not easily (or cheaply) implemented in practice. Organisations are (and if they are not, should be) responding to this by adopting a holistic and adaptive approach to cyber and privacy risks—essentially, building a program that can apply across the board, but nonetheless cope with jurisdictional and sectoral differences, and developments. Responding to these challenges on an ad-hoc basis is not a viable approach.

There was a time when people thought that privacy was a legal issue, and cybersecurity was an IT problem. I think there is now recognition that both require a cross-functional response. Not only should all business functions be educated about privacy and cyber risk, but they should also be actively involved in mitigating them. “Privacy by design” and “cybersecurity by design” sound like catchphrases, but proactively embedding privacy and cybersecurity considerations in the design and operation of business practices is far more effective than dealing with them retrospectively.

Third-party provider risk is on the rise. More than ever before, organisations are outsourcing certain of their core and peripheral functions—especially those with a technology component—to third parties. Those third parties often have their own third-party providers, and on the chain goes. This layered web of dependencies makes evaluating, let alone mitigating, supply-chain risk incredibly difficult. Robust supply-chain monitoring and controls are a must. Without them, organisations leave themselves exposed to business interruption, reputational damage, litigation and regulator intervention.

Underpinning all of this is a massive increase in compliance costs—and this feeds directly into the war for talent. Anecdotally, there is a sizeable gap between the number of qualified professionals to take on privacy and cybersecurity roles, and the actual demand for them. To combat the personnel shortage and the compliance burden more generally, there is a growing market for technology and “automated” offerings to fill the gap.

Lastly, the cyber-threat landscape is worth discussing. Social engineering is a common, and very successful, attack vector—even more so in today’s COVID-19 world. Human error is part of the social-engineering equation but is sometimes overlooked despite it causing a significant percentage of cyber and privacy breaches.

Ransomware continues to be highly disruptive. Not only are ransom quantums increasing exponentially, but, alarmingly, threat actors are exfiltrating data before locking systems up in a bid to apply more pressure on victims to accede to their ransom demands. One threat actor, in particular, has started charging its victims twice: $X for the decryption key and $X to delete the exfiltrated data.

Technology aside, the best defence to these threats is training and education. Building a culture of cybersecurity and privacy awareness goes a long way.