Paul Taylor of KPMG speaks to Insurance Times ahead of his appearance on a panel at Cyber Insight 2018
What would you say are the main trends in the cyber security landscape at the minute?
So, the main trends are an increasing concern about the supply chain, so people are worried about the third parties and not just their own security but the security of people that supply them.
I think we are also seeing increases in the use of ransomware, ransomware-based attacks, building on last year’s WannaCry and NotPetya.
We are also seeing, on the technical side, the increased use of artificial intelligence and machine learning on both defensive and on the offensive side. There are criminals using machine learning to develop new versions of malware and defenders using machine learning to sort through alarms, alerts and help them decide what to investigate or not to investigate.
What would you say are the biggest cyber security risks for SMEs in particular?
I think the big ones for SMEs are procurement fraud, CEO fraud, so people pretending to be suppliers, people pretending to submit invoices to them that are false.
I think SMEs are also at risk from people who are stealing identities and looking to present themselves as being someone who they are not to SMEs.
I think SMEs are also at risk from the fact that they are not perhaps as rich as large companies and therefore maintaining good defences is not necessarily so easy. So, they need to keep themselves up to date, patched, and those sorts of things are hard to do if you are watching every penny that you spend.
A lot of SMEs also have a lot of intellectual capital, intellectual property that is important to them so that is very attractive for people who want to steal, that is an issue for SMEs.
In the face of that many risks for SMEs, what would you say is their best option to deal with these risks, how to overcome them?
I think if I was starting up an SME at the moment, I would look to put my presence in the cloud. I think taking yourself into the cloud, whether it be Amazon, Microsoft or Google is a great way to deal with these risks.
The people who produce the security in the cloud invest millions in it and have many hundreds of people doing it.
So you can get the benefit of that. If you are an SME and have to maintain your own in-house security, Amazon or Google or Microsoft can do it for you. That is what I would do.
So, cloud computing?
Why is cyber insurance important?
Well, cyber insurance is important because of the things that your current insurance doesn’t cover.
So many organisations will have insurance already that covers them for a range of events. With cyber insurance, the events are unique.
So, for example, it might cover you for incident response, it might help you contact someone who can help you actually manage the incident. It might then also cover you for things such as identity protection. So, if you lose a large number of email addresses or customer data, then protecting people’s identities for the next few years can be very expensive and cyber insurance can cover that. It can also cover some of the legal costs associated with the picking up on data protection claims afterwards, those sorts of things.
What is the role of GDPR?
So if you lose sensitive data, then you are going to be fined up to 4% of global turnover. If you have some cyber insurance, it should stop the loss of data earlier. Your insurance may even help you with all of the legal costs around dealing with the GDPR breach.
What some people have been saying is that GDPR can be used, can actually boost cyber insurance sales. Would you agree with that?
I am not sure if GDPR can be directly linked to cyber insurance sales but it certainly makes you think about the consequence of a breach which is a very good thing. Very good to make people think about GDPR.
Would you say that the rate of progression in preventing cybercrime right now is enough? Or is there more that should be done?
I think that at the high end we are doing quite well at finding the networks, but at the commodity level there is more to be done.
So many people are victims of cyber fraud or cybercrime and the criminals make a billion dollars each a year, when they take maybe a thousand dollars in each crime.
So it is the low-level cybercrime that I think is the most worrying to me. At the other end, there are crimes where they are attacking the actual network, so we have seen attacks on the SWIFT banking network and we have seen attacks on those underlying money transfer platforms that keep the money systems going. Those attacks are quite worrying, and I would quite like to see more being done about those.
And what can the audience expect from you at the Cyber Insight event?
I will be talking about my experiences talking to boards about cyber. What is happening at board level is my thing. So, I will be able to answer questions on what is currently occupying the minds of the people in the boardroom.
And finally, why should insurers and brokers come to Cyber Insight this week and why is it so important right now?
Paul: Because it is a very topical question, it is on the mind of most boards, it is on the mind of the regulators, it is on the mind of customers and I think they should get together and talk about the key issues and it is very important to go to that forum.