Taking a strategic approach to cyber risk

November 6, 2019

This is the third issue of Strictly Risk, our series of boardroom briefings taking you behind the scenes of the insurance industry and highlighting the risk management and insurance techniques that businesses use to protect and strengthen their balance sheet. In our first issue, we looked at how to appoint the right insurance broker for your business. In our second issue, we looked at how to avoid insurance pitfalls in commercial transactions. In this issue, we look at some ways that businesses approach cyber risk and how a more strategic approach can result in a more robust and holistic solution.

Often it is the IT director who leads the charge when a business is reviewing its approach to cyber risk, but the ultimate responsibility for this does, of course, remain with the entire management board. So it is important that all board members are familiar with the key issues regarding cyber risk, so they can discharge their directors’ duties when approving a cyber risk mitigation plan for the business.

As the incidence and complexity of cyber-related risk increases, some businesses respond by purchasing a standalone cyber liability insurance policy (known as cyber insurance), sticking the policy document in a drawer and hoping never to see it again. But cyber insurance is only one small part of an effective approach to cyber risk.

So, here is our suggested FIVE-STEP PLAN to help you take a strategic approach to cyber risk.


Engage a specialist risk consultant to conduct a cyber risk audit of your business’s systems and controls to identify and advise on any areas of weakness that could give rise to cyber risk. There are many specialist consultants in the market, some independent and some embedded within the assurance divisions of the larger accountancy firms and insurance brokers. It is worth carrying out a simple procurement exercise to select the right consultant for your business and then take legal advice on the terms of their service agreement.


Engage a specialist law firm to review the risk-related contract provisions in your agreements with customers, suppliers, service providers and others to identify and advise on any weaknesses where responsibility for cyber security has been or is being transferred to another party. Relevant agreements may be obvious ones such as IT support contracts or less obvious ones such as those with web developers, marketing agencies and joint venture partners. Use a law firm with proven commercial contract and insurance expertise.


Engage a specialist insurance broker to review your insurance program, with focus on cyber and business interruption risks, to identify and advise on any gaps that could benefit from additional or different cover. If appropriate, the insurance broker will be able to recommend specific cyber insurance products to plug any gaps in your current insurance program. The wording of such policies is critical and invariably benefits from a legal review to assist the insurance broker in negotiating variations to standard wording to eliminate common flaws and tailor the policy for your business.


Gather the information from these three audits and use it to put together a comprehensive cyber risk mitigation plan that can be reviewed by your risk consultant, legal adviser and insurance broker. Once approved, the plan can be presented to your board members. The plan might include recommendations to your board to seek cyber-related accreditations for the business, ranging from the basic Cyber Essentials to the advanced ISO 27001. The risks highlighted in your cyber risk mitigation plan should be fed into your business-wide risk register, your business continuity plan and your data protection procedures. Importantly, any cyber risk mitigation plan should be reviewed, updated and tested on a regular basis to keep pace with emerging risks.


A risk mitigation plan (however well compiled, reviewed, updated and tested) is unlikely to succeed in preventing losses from cyber-attacks if the culture of the organisation conveys the impression that cyber prevention is not taken seriously. Culture is set by the leaders of a business, so the message needs to be ‘do-as-I-do’, not ‘do-as-I-say’, and that admitting mistakes is a positive, not a negative, behaviour. Putting in place practical and proportionate policies and procedures for the use of information systems will support and enhance this culture. But, most of all, good quality and auditable training of all staff will ensure that everyone understands their obligations to the business and to colleagues, as well as the consequences of individuals not playing their part.

By following these five steps you should have a powerful strategy for managing your cyber risk on an ongoing basis, fulfilling your management responsibilities and, importantly, safeguarding your balance sheet and stakeholders.