The requirements of cyber policies were said to be pushing business customers into new risk management measures 

Requirements on what is needed to purchase cyber policies are shifting the business behaviour of broker clients.

This was according to Lyndsey Bauer, partner at Paragon International Insurance Brokers, speaking at the Insurance Times Cyber Insight event yesterday.

Discussing how best to inform and engage broker clients in a panel on cybercrime and social engineering, Bauer said the market was doing a good job at pushing forward best practices. She said this was having an impact on how customers were managing their cyber risk.

“It’s a really interesting and exciting place for insurance to be at, probably for the first time since seat belts, where insurance can really, through what it will and won’t cover and through the questions they’re asking, influence behaviour,” she said.

And Bauer added that this behaviour shift was going beyond technical security.

“You now need to have a risk management culture in place,” she said. “If someone gets a phone call they can’t just send them the money. 

“There should be dual controls in place. You have to start taking things offline and do things on a less computer-based basis. 

“We’re watching this cultural shift, and insurance is part of pushing that forward.”


Gary Hawkins, manager-financial services cyber security, PwC, said that, as part of this behaviour shift, brokers had to start encouraging clients to focus more on the system, rather than relying solely on employees to spot a phishing email.

“A well-crafted phishing email will look identical by every technical measure to a real email,” he said.

Hawkins has crafted phishing emails that have caught out fraud experts, and he says if he can do this, attackers will be able to build even more realistic emails.

He added: “The system itself is the target. The people are simply channeled into that system. If your strategy is dependent on your users being 100% reliable in spotting a phishing campaign or email, you will fail over time.”

He said there are relatively simplistic measures companies can take to improve their systems, but did endorse employee training as well to limit the impact of social engineering attacks.

He said this applies to all employees, no matter how much access to data they possess. 

Hawkins said attackers can target a low-ranking employee and still navigate to the “crown jewels” of the customer information, the CRM system or the finance system, due to the often interconnected nature of company networks.

He added: “A contact centre has a high churn rate and companies don’t spend a lot of time training these staff because they know these employees don’t have any access to the firm’s crown jewels. But attackers know this and know there is a fair chance they can get from here to the crown jewels.

“So you can’t get away with just protecting the crown jewels. You can’t get away with prioritising certain targets. Yes we see CEO phishing because that is a quick win, but that is by no means the only area of social engineering.”