Cyber risk - it’s a peril that sends shivers through individuals and organisations alike, but “Insurance should not be the first line of defence”, according to Anthony Kumar from WTW’s Cyber and Technology Risk team.
Understanding risk holistically and appreciating that insurance is just one component of risk management is vital, he tells Tim Cotton.
In this podcast, Anthony provides insight as to how WTW’s proprietary cyber quantification tools can assist organisations to understand their risk tolerances and what realistic loss scenarios can look like, enabling boards to make fact-based decisions around appropriate insurance purchasing limits and a clearer picture of all the moving pieces of the cyber risk puzzle.
A smarter way to risk in Australasia: Episode 5 — Cyber risk – insurance should not be the first line of defence
TIM COTTON: WTW acknowledges the traditional custodians of country throughout Australia, and their connections to land, sea, and community. We pay our respects to their elders, past and present, and extend that respect to all Aboriginal and Torres Strait Islander peoples today.
ANTHONY KUMAR: But the implications can be absolutely enormous and expensive.
TIM COTTON: Some cyber attacks to some big and reputable brands that occurred within the last 12 months. I know I was personally impacted by the Optus one.
ANTHONY KUMAR: Insurance should not be the first line of defence is effectively the smartest way to go about it.
TIM COTTON: Hello, and welcome to our WTW podcast, A Smarter Way To Risk down under in Australasia edition. A new series where we will cover a range of global and local complex risk topics and how we at WTW are committed to delivering the best outcomes for clients through managing risk in a smarter way.
I'm your host Tim Cotton, and throughout this series, I'm going to bring in a variety of my WTW colleagues here in Australasia who have expertise and specialism in different areas of risk who will all provide their own perspective on what a smarter way to risk means to them and their area of the business. Now, I'm delighted to have with me today Anthony Kumar, who is part of our specialist cyber team here in Australasia. Welcome, Anthony. Great to have you join me today.
ANTHONY KUMAR: Great to be here, Tim. Thanks for inviting me.
TIM COTTON: No worries. So cyber-- to say cyber is a hot topic at the moment. It's a bit of an understatement, I think. I can still remember probably about four or five years ago, Anthony, cyber insurance and risk management was really starting to ramp up globally. But here in Australasia, there was almost that feeling or that thought in the public like, oh, it's an overseas thing. It's never going to happen in Australia-- cyber attacks. But then in the last 12 months or so, it's just been like bang, bang, bang.
There's been Medibank, there's been Optus, there's been Latitude Financial, there's probably been others that I'm not aware of in our region. That has really started to make cyber feel real that it's happened to some of our biggest brands here in Australia and the damages that have occurred to their reputation from that.
But I guess before we go into discussing cyber risk in a bit more detail, Anthony, could you tell our listeners maybe a bit about yourself, your role at WTW, and what you do for clients, you and your part of the business?
ANTHONY KUMAR: Yes, I am a senior associate within WTW's cyber and technology risk practice. I manage large and complex cyber for all organisations and financial and executive risk placements for technology organisations. Separate to that, I'm also chair of the WTW LGBTQ+ committee within the inclusion and diversity team.
TIM COTTON: I'm on that LGBT+ committee with you, Anthony, and I see the great work you're doing on that too. It's always great working with you. So I'm going to ask you-- we ask the hard hitting questions here on this podcast, so I'll ask you one straight up. What would you say a smarter way to risk means to you and your clients?
ANTHONY KUMAR: Yes. So within the cyber sphere to your point, there's just so much going on. And so having a complete understanding of risk holistically and how insurance is just one piece of the risk management puzzle is so important. There's just so much going on in Australia, especially around how organisations are collecting, handling, managing, and protecting their data, and it can be really confusing for a lot of clients as well.
So ensuring that a comprehensive risk management strategy, which includes all the moving pieces about how an organisation should operate to protect its data, to collect its data, and manage that data within the scope of so many moving parts around the regulatory, statutory public policy is so important. And then understanding where insurance fits within that puzzle can be very difficult.
So for us, being able to manage all of that with insurance as a core part of that piece is probably the smartest way to do things. Insurance should not be the first line of defence is effectively the smartest way to go about it.
TIM COTTON: Well answered, Anthony, that's a pretty good start. So I know that you guys and more broadly as WTW company, we use data and analytics. It plays a massive part in our value proposition to clients. And correct me if I'm wrong, Anthony, but I believe you guys have the interactive cyber quantified model, which acts almost like a cyber predictor evaluating potential losses and makes risk management strategy options based on the results moving forward. Could you tell us a bit about this or maybe more broadly how you guys use data and analytics to help your clients?
ANTHONY KUMAR: Yeah. So we do use analytics quantification tools to assist our clients with understanding their risk tolerances and then the expected risk loss sizes. So we use both benchmarking tools and through third party open port assessments such as SecurityScorecard, but also Monte Carlo simulation and scenario modelling. It has been of definite assistance to our clients. Many of them still don't understand what a realistic loss scenario could look like for them.
And so the broking world I think moving forward, it's no longer or it really shouldn't be just going down the path of buying insurance for the sake of buying insurance. You need to be very proactive-- sorry, you need to be very proactive around understanding appropriate purchasing limits, but also being able to provide the board or the company itself direction as to if we were to have an event, how it could impact us as an organisation, not just financially, but from a day-to-day perspective as well.
So we use the quantification tool to show the company guidance as to what loss that they personally-- sorry, as the company can retain, but also what they can then go off and buy insurance for as balance sheet protection.
And then use that information to provide clients insights as to what their biggest exposures are, whether or not they're really exposed to third party claims, ransomware claims, or business interruption claims so the board can make proactive decisions around how to better protect themselves from those particular exposures, whether it be through scenario tabletop exercises or implementing strategies around their business continuity planning and the like.
TIM COTTON: OK. That's awesome. That sounds really sophisticated. I was going to ask about industry specialism and it's probably the answer could be no, but I'll ask you anyway because I'd imagine that cyber has prevalence to most businesses and industries given vast majority of businesses have an online presence in some way or another, don't they?
ANTHONY KUMAR: Yeah, correct. So within our cyber practice, we don't specialise in-- sorry, we don't specialise within the scope of a particular industry. We assist all around across many industry verticals, financial, manufacturing, retail, and the like. But we also do, and this is something that I do day-to-day as well is technology risk.
So emerging blended technology providers, so medical technology, financial technology, agricultural technology, legal technology, and the like because of how broad their exposure is having that specialist understanding as to what sits behind those exposures is so important, and we specialise in that as well.
TIM COTTON: So Anthony, I was going to ask you for the next question I had was global networks. So your cyber team, you fit into the wider FINEX team here in Australasia, which also has a global line of business as well FINEX. I was going to ask, with that global network that we have and the entire WTW business is a global business, obviously. How do we make sure our clients locally here are receiving all the benefits of this large global network that we have at WTW?
ANTHONY KUMAR: Yeah. So we definitely leverage a lot of the expertise that a lot of our global partners have. I think the benefit of working for a global is that you as a client whilst your needs are going to be specific to you as a company, there is going to be other organisations that fit within the scope of what you do both in terms of industry vertical revenue and also from a contractual perspective.
You are likely winning contracts with organisations that are similar globally in the sense that a telecommunications company is probably going to go after the same clients in the US and in Europe that they would in Australia. So being able to leverage expertise off there. So that if I come across a particular client, and I'm like, you know what, I've actually never dealt with a client in your industry vertical before.
I can send an email to someone in the US, in France, Spain, Singapore, and have an answer in 24 hours saying, you know what, we've dealt with a client in a very similar risk profile to the client that you're dealing with. This is everything that we did with that client laid out for you so that then I can go through it and say, this is actually very great. This is so insightful to me. I can then use that information to help my client here in Australia.
And the other thing-- the other really good thing as well is because we're such a big organisation, there's so much thought leadership that is just being published daily that I can probably just type in financial services technology emerging risk into our local intranet-- sorry, our global internet site and get 40 articles that have been written that I can just translate for the local environment as well. So I really, really enjoy working for a global, specifically for that reason.
TIM COTTON: Yeah. There's probably some regions around the world that are a bit more progressed and we can all learn off them, and then there's other areas in Australia that we're probably a bit ahead and other countries can catch on to us. So I think it works both ways. It's a really good thing for us and our clients, obviously.
So Anthony, I mentioned at the outset some examples of some cyber attacks to some big and reputable brands that occurred within the last 12 months. I know I was personally impacted by the Optus one and I know many other family and friends that were as well. And I know some that were involved with the Medibank attack. What would you say is the hottest or most topical risks that are most prevalent for your area of the business, and how are you guys approaching it at the moment?
ANTHONY KUMAR: I think the biggest one for the public at large is definitely around data governance, like to the point you raised earlier Optus, Latitude, Medibank, the fact that a hit to those types of companies has an impact to ordinary Australians in the sense that it's not just localised to those that operate in a particular vertical. It's on a national level. It's everyday Australians that have been impacted.
And actually for Latitude in New Zealand as well who have been impacted by this breach, just goes to show the extent to which an organisation might not have full oversight over its data governance practices, but the implications can be absolutely enormous and expensive. So for us within WTW, we're seeing a lot of questions around data governance strategies and implementations around data minimisation strategies. So for us, managing that exposure from a company perspective, but also from a supply chain perspective as well.
And then separately speaking from an infrastructure perspective, if an Optus were to go down, what the ramifications would be for other organisations because there is language in some insurance policies to suggest that if an Optus were to go down, there could be cover available.
So insurers are very concerned around these systemic catastrophic losses which could impact their portfolio because hypothetically speaking, if an Optus, or an Amazon, or an Azure, or a Google, or an IBM, or the like were to go down, the policies could respond to those types of losses and suddenly insurers aren't just liable for one IBM, they're liable for the millions of people-- sorry, the millions of organisations that an IBM covers.
So insurers aren't just worried about data minimisation practices to the sense that how it impacts individuals. They're also worried about the implications of a large infrastructure organisation going down and the ramifications that it would have from an interruption network outage perspective. So I think there's like two crossroads that insurers are really grappling with globally as well.
And the difficulty with that is as organisations become more aware of these losses, they're buying larger insurance towers to protect themselves. And this has the benefit of obviously introducing more capital into a much needed premium pool, but the downside as well is if it hits, it's going to blow.
So insurers are getting more money, but at the same time, they're putting forward more capacity, which is great for us. But at the same time, this balancing act that they're trying to get at and insurers-- a lot of insurers are introducing language to reduce their-- I wouldn't say reduce their exposure, clarify their exposure. I feel some insurers are doing it really, really well, other insurers not so much.
And so understanding how an organisation fits within the puzzle because it's such a prevalent risk is so important. And that's why it really goes down to how well your broker understands the insurance policies because you do have one camp, which is going down the very broad exclusionary language, which is detrimental, and you have another camp which is going down providing a much higher threshold for where a trigger can-- to render the policy.
TIM COTTON: There's a lot in there to think about just if an event is to occur, the flow on effect that would happen right around the world, it boggles your mind a bit trying to think about it sometimes, but I can see exactly what you're saying.
Do you have any ideas or thoughts for what's next for cyber into 2024 and beyond? Are there any emerging risks-- I know cyber itself is an emerging risk, but is there anything that's coming in 2024 and beyond that businesses really need to take into consideration when forming their cyber risk management strategies holistically?
ANTHONY KUMAR: I think it's very difficult to your point. It's so hard to see where the next steps are going to be. The threat actors are becoming increasingly nimble. They're so agile. They're like five steps ahead of where everyone else is. So being able to get I think the foundations correct kind of sets you up with a really good strategy for how to react to an emerging threat. And a really good point I think to raise is around AI because I think the natural home for AI is within that cyber technology sphere.
These types of AI-- not generative AI, these large language model AIs that something like ChatGPT and the like, a lot of people are just putting in information very, very sensitive information with the mindset that this information is going to be stored properly. If it were to breach and ChatGPT did get breached, the ramifications of you typing in that information are quite significant. I don't think people think about what the financial harms or the reputational harms that attach to those types of breaches are.
So for us, I think we've got-- that is the next frontier, I think for us is that AI space. But from a cyber privacy perspective, I think just constantly be seeing emerging risks in the sense that just because of how fast these threat actors are compared to how we are in moving to protect ourselves.
TIM COTTON: That's such a good point. And if I relate that to everyday things like people tapping their cards now or using their phones or just inputting data willy-nilly just because it's an easy solution. I think you're right, things are less protected when it's-- often the easier the solution, it's easier because it's quicker and you can just do things without worrying about multi-layers to doing what you want to achieve.
The easier something is, for example, it probably means your data is going to be obtained easier as well. So I think we all need to consider when we are putting our information in to just maybe take a step back just for a second to think, hang on, before I quickly and easily input my data into something, maybe I should consider how safe or stable that platform or that technology is before I do it, because you never know from the other end how protected they are.
ANTHONY KUMAR: Correct. A lot of the time, I always ask myself, why does this company need my information if I'm ordering off-- if I'm ordering in the restaurant, why do they need my home address? So just always kind of second guessing why a company needs that information is just becoming critical, and it's something I hadn't really thought about until I joined the cyber practice.
TIM COTTON: Yeah. I think we've all changed our mindsets a bit from when we worked here. We've definitely got that conservative approach to things sometimes. But it's so important because you've got to protect yourself because the consequences can be monumental I think on the other end if you don't think things through properly.
Well, Anthony, I think that might be all we have time for today. Thanks so much for taking the time out of your day to chat with me. I really appreciate those insights you provided us, and I'm sure our listeners have as well as we've sort of discussed. I don't know if cyber risk has ever really been as prevalent as it is today, which is keeping you guys extremely busy I'm sure. But I really appreciate the time that you've taken out of your day to talk to us. And, yeah, we might have to have you on again another time.
ANTHONY KUMAR: Thank you so much. Really, really enjoyed this.
TIM COTTON: But that's all we have time for today. So until next time. It's bye for now.
SPEAKER: If you'd like to hear the remainder of our Smarter Way To Risk podcast series, we encourage you to stay tuned on our WTW website. Follow us on LinkedIn and listen to our latest content wherever you listen to your podcasts.
Tim is our Digital Marketing Lead – Australasia based in our Melbourne office who has been with WTW since 2016. Since conceptualising the idea of this inaugural podcast series, Tim has played the ongoing role of director, producer and host.
Anthony is a Senior Associate in our Cyber and Technology Risk Practice based in Melbourne. He manages large and complex cyber risks along with financial and executive risk placements for clients.