By James Blake, Field CISO of EMEA, Cohesity

The growing number of cyber attacks and subsequent damage has led to an increasing demand for cyber insurance. Swiss Re Insurance expects total premiums paid to more than double from $10 billion from 2020 to $23 billion by 2025. But this is being questioned by both insurance companies and by customers: is insurance effective, is it feasible, what does it cover and what does it enable?  The CEO of Zurich Insurance, Mario Greco,  said in an interview with the Financial Times recently that cyberattacks will soon become “uninsurable”. Indeed, insurance and prevention have both proved ineffective in stopping cyberattacks like ransomware or in enabling organisations to recover afterwards. Instead organisations must shift their focus onto recovery, What can companies do to meet this challenge? James Blake, Field CISO of EMEA at data management and security provider Cohesity, has three recommendations.

More than 400 million US dollars – that’s how much damage the data leak at Capital One caused in 2019. And the number of such attacks, which have catastrophic consequences for the companies affected, has continued to increase since then. According to Check Point, in the third quarter of 2022 alone, global attacks increased significantly by 28% compared to the same quarter of the previous year.

Where cyber risk used to be limited to areas such as data breaches and third-party liability, ransomware attacks have shifted the damage to core business and accountability. Cyber insurers had to react to the increased risk and have adjusted their offers, as an analysis by Swiss Re Insurance shows. According to PWC, from the insurer perspective, the fast-increasing frequency of ransomware attacks (and the growing associated impacts and ransom demands) and business interruption claims has resulted in cyber becoming a less profitable area of insurance in recent times. The situation has stabilised over the past year as customers have had to pay higher premiums and meet stricter terms and conditions. Swiss Re Insurance expects total premiums paid to more than double from $10 billion to $23 billion by 2025.

James Blake

More expensive and more difficult to qualify

This is bad news for the financial industry, as insurers are becoming stricter and asking for higher premiums. Cohesity’s legal experts looked at the leading ransomware insurance policies on the market at the end of 2022 and found that ultimately, such guarantees are little more than thinly veiled limitations of liability that benefit the providers – not the customers.

However, there are some measures that companies can use to protect themselves effectively in this new market situation:

1. The 3-2-1 strategy remains current: keep an isolated copy of the data

In some cases, organisations are required to quarantine an offsite copy of their production records as part of a 3-2-1 strategy to qualify for cyber insurance.

To do this, they can use a SaaS service which keeps an encrypted copy of the production data in the cloud, isolated by a virtual air gap. The data stored there is monitored with multi-layered security functions and machine learning, and anomalies are reported immediately.

2. Tear down silos and merge data with zero-trust in mind

In general, financial organisations should consolidate all their distributed data on a scalable data management platform and ensure they can backup their data across all their infrastructure and assets. Furthermore, the data must be protected in a zero trust model, where the data is encrypted during transfer and on this storage, access is strictly regulated with rules and multi-factor authentication. In addition, all data stored in it can be managed according to compliance requirements and, thanks to immutable storage, is better protected against ransomware.

3. Improve collaboration between IT and SecOps teams for cyber resiliency

In addition to these technical measures, financial organisations should optimise the collaboration between their IT and security teams and adopt a data-centric focus on cyber resilience. For too long, many security teams have focused primarily on preventing cyberattacks while IT teams have focused on protecting data including backup and recovery.

A comprehensive data security strategy must unite these two worlds and IT and SecOps teams must work together before the attack takes place. Both teams should be guided by the NIST framework. This holistic approach defines five core disciplines: Identify, Protect, Detect, Respond and Recover.

If a financial company can demonstrate such a mature data security strategy, this will not only have a positive effect on insurance cover, but will generally reduce the risk of incidents and possible consequential damage through failure or data loss.

By David Cook, Partner at Penta, International Financial Services

2022 has, by any measure, been a difficult year in Europe. War on the continent, runaway inflation, energy security and even a corruption scandal in the European Parliament. These problems are not going away and will continue to dominate the political arena. However, 2023 will be an important year for the financial services sector and its policymakers. The start of the year is always a good moment to consider the key themes set to drive policy in the UK and EU over the next twelve months.

2023 will be an interesting year as it precedes 2024. Although that sounds obvious, 2024 will see a new European Parliament and Commission and, in all likelihood, a general election in the UK (not to mention a Presidential election in the US). In Brussels, there will be a focus on getting the programme of the current Commission finalised as far as possible and, in the UK, the current Government will be pushing to demonstrate it should be given an extended mandate.

Pressure will be building on policymakers to act, and this will need close attention. Companies should be ready to act to influence the process, whether directly or indirectly (for example through the media).

Here I set out a few drivers for those of us watching closely where the EU and UK are going.

• Competitiveness

Despite some thawing in relations in 2022, the shadow of Brexit continues to loom over both the UK and EU and competitiveness between jurisdictions has become a key concern. In the UK, the Financial Services and Markets Bill will provide regulators with a secondary objective to consider the UK’s competitiveness. The UK government has also set out its strategy for regulation in the form of the Edinburgh reforms. These focus mainly on reform to parts of the UK system that have proven unpopular and have been badged as using Brexit freedoms. Ironically, some of the highest profile reforms are in areas, like ringfencing and the senior managers’ regime, that were not actually related to EU law.

In the EU regulation aims to provide the single market with ‘open strategic autonomy’. This nebulous label intends to boost the efficiency of the single market and the competitiveness of EU firms while not relying on ‘third countries’ such as the UK.  The EU is looking to make tangible progress on its Capital Markets Union agenda, and tech and data will be important features in the regulatory work of the EU in 2023.

A regulatory focus on competitiveness might sound attractive, but memories remain of the financial crisis, before which competitiveness was a regulatory objective, so there may be reluctance to embrace it. Also, regulators do not have a great record of promoting innovation and data driven change in Europe, so a close eye will need to be kept on this.

• Crypto

2022 has been dubbed the crypto winter with huge falls in the value of crypto currencies and some high-profile failures in the sector, including FTX and Terra. This has led to a dilemma for policymakers in Europe. The focus on competitiveness means some want to welcome this innovative technology that many people continue to believe has an exciting future. However, the risk to investors, financial stability and even the ability to police and control the supply of money is causing sleepless nights in some institutions.

The EU is, as usual, ahead of the international game when it comes to producing regulation. Its flagship regulation, MICA, is agreed and ready to pass into law (although it will be some time before it needs to be adhered to). The EU has also advanced its work on digital currencies and the ECB is currently pulling together a group on rulebook development.

Similarly, the UK is preparing consultations on crypto asset regulation and digital currency. Except for new powers around financial promotions, new regulation is not expected in 2023. However, the direction will be set in 2023.

Whether the UK and EU adopt similar approaches remains to be seen. A competitive environment could emerge where each jurisdiction seeks to be at the forefront around, for example, blockchain adoption or central bank digital currency. This might introduce risks around intended consequences, where regulatory approaches are not properly analysed in a rush to move forward. Equally, there could be excessive caution that limits the development of the sector in Europe. It will also be interesting to see how the UK and EU overcome the dichotomy of regulators, who will be very concerned about the risks, versus those who want an environment focussed on innovation.

• Sustainability and productive finance

In an environment where public finances are suffering from severe stress, governments have been focussed on how private sector finance can be used for public policy purposes and how investors can be sure their money is used for such purposes. This is most apparently seen in the regulation around climate change where the EU’s impressive array of rules, including the Taxonomy and disclosure requirements, are becoming a huge compliance challenge for many firms operating in the EU. The UK is pursuing its own agenda and there’s an ambitious approach being developed where the divergence from EU rules is creating its own challenge.

There are also plans to consider how changes in regulation can increase sustainable investment and, in the UK, other policy objectives such as levelling up and promoting innovation. Last year saw the candidates to become UK Prime Minister talking in public debates about how changes to regulation such as Solvency II could be used to promote more of this type of investment in the UK.

Changing regulation in the EU and UK will create risks, burdens and opportunities for the firms that fall into scope. New disclosure requirements are likely to be hard to meet but changing investment rules could play to particular businesses’ strengths. Firms should ensure policymakers understand what’s practical and effective.

• Energy

The events of 2022 mean that energy security and cost are a top priority in Europe and politicians have been quick to act to support markets and consumers. When it comes to financial services, there are three main concerns. First, can investment be increased to help reduce the reliance on fossil fuels generally, and Russian gas specifically. Second, have markets delivered efficiently for European consumers. Third, could energy market turbulence lead to turbulence on financial markets, as seen in markets such as the London Metal Exchange.

Of these three, the first concern has increased the urgency around creating a regulatory framework to increase investment in non-fossil fuels (as described above). For the second point, appetite for direct intervention by authorities in markets has been rising, particularly in the EU. This is very uncomfortable for those firms active in energy markets where price caps and public sector produced financial instruments (like price benchmarks) are likely to distort markets and could undermine confidence if not properly calibrated. Policymakers, lacking specific expertise, are going to need a great deal of assistance.

Finally, the third point about risk moving from energy markets to financial markets is likely to be challenging, particularly for those firms who prefer to avoid operating under the burden of financial regulation. Without proper calibration, new measures are likely to raise the costs of operating on energy markets and lead, ironically, to higher energy costs.

• Financial Crime

Finally, a focus for regulators will be around how to reduce the levels of financial crime and keep investors safe. The losses to investors caused by the collapse of crypto-currency prices have been part of the story, but there have been a number of misselling scandals that have embarrassed regulators and shaken confidence in investing. In the UK we can expect to see the FCA act to strengthen the approach it is taking to protect consumers. We should also see regulation that helps reduce scams by increasing the requirements on banks and social media providers.

In the EU there is a package of measures around anti-money laundering under development to ensure a more harmonised approach across the single marker and also create a new EU-wide regulator to enhance supervision. This is likely to mean increased compliance and due diligence costs for those brought into scope.