The growing need for Cyber Insurance

Cyber insurance is on the increase. With an increasing number of high profile data breaches, not to mention the events we don’t hear about, insurance underwriters must implement realistic premiums and policy terms and conditions if cyber insurance is to be beneficial to policyholders and profitable for the insurance industry.

With life insurance, many lifestyle choices influence insurance policies and their premiums, such as smoking and participating in dangerous sports. Demonstrating a healthy weight and the absence of any life-threatening or pre-existing conditions reduces the risk and reduces premiums. Similar processes have evolved with car insurance and the no-claims discount. For stereotypical high-risk drivers, telematics has become popular as a way to monitor driving patterns and set premiums accordingly. Members of the Institute of Advanced Motorists, who have passed their advanced driving test, can get car insurance at a reduced premium. A typical policy restriction on car theft is that a car must be locked when unattended. Insurance companies would not pay out if a vehicle is left unlocked, or worse, with the key in the ignition, for example. Likewise, home insurance policies require doors and windows to be locked, and for locks to be up to a specific standard, for the policy to be valid.

It stands to reason that similar standards and policies will evolve with cyber insurance. For a cyber insurance policy to pay out, policyholders will need to demonstrate that they have met an agreed standard of cyber defence. In much the same way that not leaving possessions visible in a car reduces the risk of vehicle theft and claims, having better security lowers the risk and is more important than relying on insurance to pay for any damage. In addition to the growing need for cyber insurance, there is an increasing need for specific advice that people can follow to reduce their exposure to risk: a minimum standard of cyber defence across the board.

Augmenting Strategic Plans with Tactical Solutions

Improving IT security and implementing governance controls is a high-priority concern for corporate decision-makers. With IT security requirements continually changing as new threats emerge, implementing a strategic solution that only delivers results at some arbitrary point in the future is not always feasible when security threats exist in the here and now. Augmenting strategic delivery with tactical activity is a fundamental requirement that is often overlooked.

Several high-profile security breaches have been reported in the media and have been the cause of great concern, and rightly so. But to what extent are assurance statements made to demonstrate corrective action which, in practice, have very little substance behind the words?

For example, a company might report that a consulting firm is undertaking a review, that the findings will be published, and that actions will be agreed based on the firm's recommendations. This pending review might offer some protection in the event of a data breach: the company could respond with “we know about the problems, and the matter is under investigation to mitigate the risks”. However, this does little in the short term to protect corporate systems; it does more to protect the company against accusations of ignorance and negligence.

Defining a set of tactical activities to reduce exposure to risk in the here and now, combined with a strategic review to address risk in the long-term, will make a world of difference.

Disclosure of Tax Returns

This week David Cameron and other members of parliament disclosed their tax returns to demonstrate that they have not participated in tax avoidance schemes. Nobody found evidence of wrongdoing, although the disclosure identified some tax arrangements as morally unacceptable. Now that some politicians have disclosed the tax returns they have filed since taking office, there is more pressure to reveal historical information, and the net is widening to include other politicians. To what extent has this disclosure set a dangerous precedent, and can it be considered an irresponsible act?

From a recruitment perspective, we already have requirements for credit checks to be performed in some professions as part of due diligence, and occupational health checks have almost become a de facto standard upon commencing employment. Is the disclosure of tax returns, albeit with the best of intentions, the first step towards employers demanding to see tax returns from their employees? Will mistakes made completing tax returns come back to haunt candidates? We have already seen cases where job applicants have written something as a teenager on social media only to have their comments reviewed years later as an indication of their suitability to do a specific job.

Tax returns are supposed to be private and confidential. If someone is under suspicion of abusing the tax system, it is the responsibility of HMRC to investigate and to provide a determination using laws that are in place.

Of course, specific information is needed during the recruitment process to demonstrate a capability to do the job for which candidates are applying, but this does not include information such as date of birth, National Insurance number or full address. An employer doesn’t need these details until after a contract of employment is offered and accepted.

The problem is that job applicants will feel compelled to provide more information than is required. They will think that not providing the details may harm their chances of gaining employment; in other words, they feel they either disclose the personal information requested or lose the opportunity entirely.

Have we reached a point in time where the desire to provide transparency about who we are and what we have done is aiding and abetting people with criminal intent to use our personal information? Conversations about possible opportunities can be used to entice people into revealing personal details for identity theft and fraud, which are already at an all-time high.

Winning the lottery or failing the bus test

Is your business at risk because critical functions or knowledge are vested in one person? What happens if this person wins the lottery and resigns, or, worse still, is hit by a bus? The bus test is a thought experiment for considering and exploring the consequences of losing a critical person. In some cases, a warning of impending change is available, such as receiving a resignation letter. In situations such as personal injury or fatality, the change is instantaneous, and businesses need to be resilient to such challenges.

In the case of small businesses, the death of one person can trigger the end of the company, and consequently key-person insurance policies have become popular. Essentially, the business takes out an insurance policy on key members of staff, pays the necessary premiums, and is the beneficiary in the event of a death or injury that prevents the key person from working.

Large businesses also have the option of taking out key-person insurance. However, the issue is that staff often become key persons over time. Undocumented activities and processes become ingrained into the daily routine, others become dependent on them, and it becomes business as usual without further consideration.

There are common signs which indicate a failed bus test:

  • Unable to achieve something because someone has taken the day off. Make sure there are no dependencies on specific individuals.
  • Requesting information from a department and being told ‘Joe is the expert, you will need to speak with him’. Knowledge critical to the day-to-day running of the business should always be shared between team members and thoroughly documented.
  • Individuals within the business keeping crucial information to themselves and being evasive when asked, rather than openly sharing their knowledge with others. Some staff hold the misconception that if they are the only person who knows something, or the only person able to do something specific within their working environment, their employer must keep them or pay more for their work. In practice, the reverse is true; it is less risky to remove them than to be held over a barrel.
  • Staff using a different approach, different tools, or additional software from everyone else to get the job done. Having a standard way of working and using specific software means that work is transferable between staff. One person choosing a different programming language from everyone else, for example, could make it impossible for other team members to make changes.

Avoiding scenarios that fail the bus test requires a different mindset:

  • Adopt the notion that process is equal to, or more important than, the outcome.
  • Ensure that all actions within the business are documented and repeatable.
  • Remember that people follow processes, and processes deliver consistent results.
  • When you complete business recovery exercises, randomly remove people who have been ‘impacted’ by the scenario and see how the recovery progresses without them.