You cannot put all your money into cyber risk prevention but must also invest in resilience, Augusto Perez Arbizu, Director of Corporate Risk and Insurance at Telefonica and President of IGREA, told the OECD-Marsh conference on cyber insurance, taking place yesterday and today in Paris. “You cannot be 100% secure. Sooner or later, you will have an attack, and the question is not if, but when. Therefore, it is important to invest not only in prevention, but also in ‘cyber resilience.’”

With this warning, he explained that Telefonica applies a cyber resilience methodology based on five pillars: identify, protect, detect, respond and recover. When, in May 2017, the company, like many others, faced the Wannacry ransomware attack, it put its response protocols into effect not only to limit the impact of the malware but, as importantly, to maintain customer service. In the event, the framework proved robust and the financial impact was not significant.

As part of the critical infrastructure, Telefonica decided to communicate quickly and regularly with the Spanish security and cyber authorities and with its business customers. It was also able to advise corporate customers affected by Wannacry on how they should react. In this way, Augusto says, Telefonica was not just a good business partner but also part of the solution, thanks to its knowledge.

This conference brings together policy makers, risk managers, insurance market participants and risk experts to address the challenges to the development of the cyber insurance market. Augusto explained that Telefonica had been aware early on of the ever-growing importance of digital technology. One of the company’s most critical concerns was continuity of service for its customers.

It concluded that insuring only “cyber risks” such as liability for data breach left it exposed to other, potentially more serious, losses arising from its digital assets, such as system malfunctions or software design errors.

Telefonica set to work on closing the gaps in cover. Several years ago, it put together a global programme to insure both types of loss. It consists of so-called silent coverage under existing policies that did not exclude cyber, such as property and business interruption, errors & omissions, general liability and crime, plus a further layer for non-damage business interruption (first-party cyber insurance). A big event could trigger more than one policy; the most common case is two being triggered at the same time: first-party cyber insurance and errors & omissions.

This was in 2008, early days in the cyber risk insurance market, and Telefonica’s request was a challenging one. The limits available were modest and the company had to rely significantly on its captive. Over the last ten years, the market has developed to the point that Telefonica can now buy five times more cover for the same premium and has cut the retention in its captive by half.

Looking back, Augusto says the insurance programme has worked well, responding to several incidents. Wannacry was not one of them, but it was still, he says, a good stress test scenario for managing a multi-company, multi-continent event. “We really are comfortable with the current level of cover, but at the same time we have to be cautious and keep watching.”

FERMA SEMINAR 2018: Two exceptional guest speakers will share their experience of large-scale cyber attacks on their companies in 2017.

The risk managers of Maersk and Telefonica will describe their level of preparation before the incident, the way they managed the crisis and the lessons learned.