Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Vanessa Baffoe (00:06):
Hello and welcome back to another episode of Insurance Tomorrow.
I'm Vanessa Baffoe. Now, today we'll be looking at cyber risks.
Now this is a topic that's becoming more important than ever,
and we'll be looking at how small businesses can protect
themselves in our increasingly digital world. Well, joining me today
is Delvin Tillett, who's head of cyber at Allianz Commercial, and
(00:27):
also Jake Moore, who's global cyber security advisor at ESET. And
they'll be sharing everything they know about cyber risks, as
well as offering practical tips to help small businesses to
stay safe. We'll also be discussing how brokers can lend
a helping hand to their clients. And of course we'll
be looking ahead to the future. And the big questions
really here are what's on the horizon for cyber security
(00:51):
and crucially, how can brokers help their clients to stay
one step ahead in this ever-changing landscape? It's great
to have both of you here. Thank you so much
for coming in and speaking to us here on Insurance Tomorrow. Now,
most people will be aware of the high-profile cyber
attack that's been on Marks and Spencer, the Co-op, Harrods. Jake,
let's go back to basics here as well. How do you
(01:13):
define a cyber attack?
Jake Moore (01:14):
Yeah, so I'd say there is a deliberate act to
disrupt or to steal from a business using technology. And
we see this in many different forms, but if we
look at the basics, say regarding motivation, the most common
(01:35):
motivating factor would be for financial gain. So the majority
of businesses that we are, say, talking about today will be dealing with
attackers that are focusing on stealing money from them. And
that can come in different ways. Of course, they might
use extortion to try and, say, leverage that motivating factor
(01:56):
in those demands such as ransomware, but really it could
be any form at all, and that could be any
form of disruption.
Vanessa Baffoe (02:03):
Delvin, all of this is actually quite scary, isn't it?
Delvin Tillett (02:05):
Yeah, cyber attacks come in many different forms, but the
typical attack will usually be from a nefarious threat actor
that's looking to infiltrate a company's computer system to steal
data or to then interlock systems with ransomware to stop them
being able to operate, in order to extort them for money.
Vanessa Baffoe (02:23):
So Delvin, what does the current cyber threats landscape look like?
Delvin Tillett (02:28):
It's very complicated. I think things are changing rapidly. I
think one thing with cyber is that it is constantly moving.
There's lots of different threat actors out there at the moment,
and they're all using different techniques and those techniques develop. I
think there's people like LockBit who were taken down by
law enforcement, but then sometimes it's like slaying the hide
or the head bumps up again somewhere else. So it
(02:49):
is constantly evolving, whether it's for hacktivist reasons, for financial gain,
it's a very kind of moving landscape all the time. And
that's why it's really important for companies to understand their
position on cyber and have a cyber strategy so that
they're readily prepared to act in the event that they're targeted.
Vanessa Baffoe (03:10):
That's a very interesting point there that you say cyber
strategy there. Jake, what's your point on that?
Jake Moore (03:15):
Yeah, I mean it's a monumental time. We are seeing
a time that we've never experienced before. We always expected
that criminals would get more sophisticated. We've been listening to
that theory for many years. But the fact is now
that they've got so many tools at their disposal, they've
got scale at their disposal with the likes of huge
(03:38):
amounts of data, algorithms incorporated with AI to process that data,
they're able to run so far away. If we want
to say use the cat and mouse analogy, they are
the mouse that has run so so far and we
are left as the cat further away than we've ever
been before. So we can't just sit still. We've got
to continue to run after that mouse and protect where
(04:01):
we can and to spend more money. Unfortunately, many people
won't want to hear that, but we need to keep
putting money into those resources to protect and mitigate because
it's inevitable that criminals will continue to relentlessly target us.
Vanessa Baffoe (04:17):
And Delvin, what's the significance of these incidents, particularly on small,
medium enterprises, but also what role does insurance play here?
Delvin Tillett (04:27):
Well, that's the thing. These cyber attacks can be pretty
damaging and it can actually impact the survival of an organization.
And we've seen that in the past where organizations are
not able to operate any further because the incident has
been so severe and they don't have the resources to
be able to deal with it. So they actually go
out of business. And where cyber insurance comes in is
(04:48):
that cyber insurance is there as a backstop to help
those organizations, especially in the SME space where cyber insurance
policies also assist with their incident response plans because cyber
policy will typically come with vendors. So carriers will work
with vendors and they'll have agreed rates so that they get,
you don't want to be in the middle of an
incident and then have to engage a vendor and get
(05:09):
charged as double. So carriers will partner with vendors to
have rates already agreed so that you can have somebody
come in that's able to look at your systems, get
the baddies out. They're able to help you with adjusting
your BI loss because cyber policies will look to cover
the business interruption that's taken place as a result of
that incident. And that can be quite a complex situation when
you start looking at things like accounting principles versus insurance
(05:31):
accounting principles. There can be subtle differences which could make
a difference in putting together your claim for that business
interruption loss. So as well as providing that backstop, they're
also a risk management tool for organizations to fall upon
that may not have those internal resources themselves to deal
with those kinds of situations.
Vanessa Baffoe (05:50):
And Jake, what's your take on this? Because I'm thinking
just a few years ago cyber wasn't even a topic
that we'd even be discussing, and yet here we are today.
Jake Moore (05:56):
Yeah, it used to be discussed by particularly IT departments,
probably banging on the decision-makers' door saying, "Come on,
we need more money here, we need better protection." But
it slowly got into the mindsets of everyone. It's everyone's
decision to make sure that they are protecting the business
that they're in. But SMEs are unfortunately targeted primarily because
(06:21):
they might not have those extra protections in place. And
I think we need to be reminding everyone across the
board that they need to have as many different levels
of protection that is possible. It's not just the fact that they are
so small they won't get affected. Of course they should be.
So if we're looking at things like insurance, we know
(06:42):
that there's a law for having insurance if you are
driving a car down the street. But the fact that
not all businesses, we know that it's not a hundred
percent yet that are using cyber insurance, is astounding. It
just reminds us, it highlights the fact that there are
so many companies thinking we don't need that. They're not even
able to think that it's a worry or they're thinking
(07:04):
it's too expensive, but it's always going to be more
expensive if they get attacked. And I say if. That's
a small if. It's an inevitable. So unfortunately it's just
one of those extra pillars they're going to have to add to
their business.
Vanessa Baffoe (07:17):
And on that topic, do you know what I find really interesting?
I mean there are some government stats here. So 43%
of businesses reported a cyber security breach or attack in
the last 12 months, but wait for this, only 45%
of businesses reported being insured against cyber security risks in
some way. That's astonishing.
Jake Moore (07:37):
Yeah. And do you know what? You're saying that only 43%
have announced it. I'd say it was way higher than that.
I mean, we even know that it's a lot higher.
The fact that a lot of these companies will only
admit it if they have to. So if, say, personally
identifiable information has been stolen, then they have to go
and tell the ICO within 72 hours. They don't always
(07:59):
want to announce it because they are worried about share price,
they're worried about trust. We know that, say, the retail industry,
that was a massive blow to them. I don't think
it will affect trust long-term with such say stalwarts
of the retail industry. Someone like Marks and Spencer's for example,
has got a big enough name to continue their power
(08:19):
in the future. But there are so many companies that
might not be so well known and they don't want
to be attributed to be known as a cyber attack
or that's the one that lost all our data. Effectively,
everyone's getting attacked, we know that. But some people are
just unfortunate and I don't think there's that much blame
even there as well. I don't think we should always
be pointing the finger at a company because they have
(08:40):
to protect all cyber attacks, but attackers only have to
get through one time. And if they're able to get
through one time, however they did it, however creative they were,
and my goodness, they are so creative these days, if
they get in and steal that data, we need to
be able to protect it once that horse is bolted.
And that's why this, say, holistic approach of, say, protecting
(09:02):
beforehand and then ensuring afterwards that seems to be a
better form of glue.
Vanessa Baffoe (09:07):
Now Delvin criminals are very capable of causing significant harm
to businesses. So one of the things that I'm really
keen to know is what's the primary motivation of doing this,
but also what kinds of businesses are often targeted?
Delvin Tillett (09:22):
Well, it really depends on the industry sector, the type
of information that's being held and how valuable that is
to the criminal. Because a lot of the time what
the threat actors are looking for is financial gain. That's
one of the primary motivations for them. They want to
get as much data as they can. They extort the
person for it or the business for it so that
they can get that money. So it really depends on
the industry sector. If you're looking at something like healthcare
(09:43):
where there's really significant personally sensitive data, that can create
a lot of demand from threat actors to try and get that
data and extort those type of businesses, but also companies
that may be perceived to have a lot more money
on the go.
Vanessa Baffoe (09:56):
And Jake, I'll throw this same question to you. What
kinds of businesses are often targeted?
Jake Moore (10:00):
Every industry, it really is a target. The fact is
they're getting so creative means that no industry can really
hide from these attackers. We sometimes find that different groups
that are say based in different parts of the world
might go for the healthcare industry or the retail industry.
And so it's often difficult to, say, pick out industries.
(10:22):
And I also don't like to pick on those because
it might mean that others think that they're say safer
right now because it's also ever-changing. We know that.
The landscape is always going to change and evolve. It
means that they're going to follow the money. And so
if there are companies out there that, say, are unaware
of their update process. For example, companies that haven't quickly
(10:47):
updated to the latest patch that has been offered by
let's say Microsoft, if there's that small gap in that
window where they are vulnerable, it doesn't matter what industry
they're in, that's when they're going to strike.
Vanessa Baffoe (10:59):
You see a lot of brokers will be sitting there thinking,
hang on a minute, how do they even target company's
IT systems?
Jake Moore (11:04):
Oh, they're able to monitor that. It's very simple to
know what system they're using. For example, we use this
in marketing, let's say SEO, search engine optimization. It's really
useful for a marketeer to know what device you are
coming into their website on. So whether they're on a
smartphone or a tablet or a laptop. And knowing the
(11:25):
screen size for example, because it then knows how to
format the advert that's on there and the colors that
are used and which format's being used. So that's information
that is really important to make it work and to
make it look like it should do. Because a website
on your mobile phone also needs to know that it's
on a mobile, but then you go to the laptop
and all the dimensions change. We don't think about that
(11:48):
as users, but they need to know that information. That's
also the information that can be scraped by criminals and
taken advantage of. If they can then work out, just
a minute, they're using certain, say, operating systems or this
is when they are updating their systems, any sort of
data that can be found. It might seem trivial. It's
(12:09):
not something that a criminal is going to, say, steal.
It doesn't really matter. But if they're able to take
advantage of that and abuse that and know that they've
created some malware that deploys on that device and will
strike at the time when they haven't patched it with
that update, then that's what's going to take them out.
(12:30):
So this is a data currency time that we're living
in and that information might seem really boring to the majority,
but to a criminal that can be the difference between
no money and no ransom and millions of pounds in
a ransom.
Vanessa Baffoe (12:44):
See, listening to you, I'm actually thinking, my goodness, it
looks as though it could be quite easy for criminals
to actually hack companies a lot more than a lot
of people would actually think.
Delvin Tillett (12:56):
Yeah, definitely. And that's why cyber hygiene is really important.
It's an important topic for organizations to think about. Resiliency
towards these threats and having things in place that kind
of bring up the drawbridge basically to protect their systems,
protect the data that they have. And that comes down
to things like segmentation of networks, how they're protecting access
to data, how they're inventorying their assets that's in their environment
(13:19):
so they know what they've got and they know what
they can protect as well.
Vanessa Baffoe (13:22):
So just listening to you as well, Delvin, I'm thinking, look, you can
sit there and think I can try my best and
hope not to be protected. There are things I can do, but
once the criminals are in, they're in. And the only
thing that can really save you is that insurance.
Delvin Tillett (13:37):
Well, insurance is like the backstop. I think it's good for
organizations to be thinking of insurance as the backstop, insuring
up themselves to make sure that they've got the controls
in place already so that the insurance is the backstop, but
then they're able to respond because that's the key part.
When these things happen, which we've seen here, it will.
It's not if, it's when. And when they do, can
(13:58):
they respond? Do they have the resources internally to be
able to look at that? And there's mitigating factors that
they can take to prevent that incident from being greater
than what it would be had they not taken those steps.
And then the insurance comes in afterwards as a backstop because, look,
they've done everything they could. This is the end-of-the-world
type situation, but we've got our insurance policy there
to fall back on and we've got that additional protection.
Vanessa Baffoe (14:18):
And Jake, I can see you want to get in.
Jake Moore (14:19):
Yeah, I mean, yeah, it's just great to hear Delvin say that. It really is.
What you're saying is absolutely right. I mean only a
few years ago I was, say, speaking to people who
had the argument that, "Well, we don't need insurance if
we've got the protection in place." They kept saying, "We've
got all this here that means no one's going to
get through. So why have something that you are paying
for that won't ever get needed or required." But of course,
(14:41):
it is a backstop and we've got to assess that risk.
And that's so important here. Once we do understand there
is that risk, whatever percentage that is for whatever size
business that is, it's always going to be a part
of this going forward picture that we are creating. And
so if we're looking at only 45% of companies showing
that they've got it, I can see that just increasing year-on-year.
(15:04):
I'm hoping that we get up to at least the 90% soon.
And I think the more people that talk about it,
the more people understand it. But what I love about
it is it can be bespoke for those businesses. So
it's not a one size fits all. I think the
best approach for an SME is to go in there and work
out where their liabilities are, where their vulnerabilities are, what
their data is worth, don't pay for the full package.
(15:26):
I don't want to see too many companies offering to
pay a ransom for example, if something happens. Make sure
they have a backup system in place and then they
won't need to pay for that ransom. So bespoke it,
understand it and then actually it will make your business
a lot better.
Delvin Tillett (15:44):
And I think that misconception as well, I've got an
insurance policy, I don't have to do anything, I'm covered.
I think that's really a role of a broker to
be able to explain to the clients that the residual risk,
because an insurance policy is just that, it has terms and conditions,
there's things that come into play which may grant or
actually take away cover. So being able to understand that
residual risk for the business as well is really important.
Vanessa Baffoe (16:07):
And so Delvin, with all of that being said, and with all of that being taken into consideration, how
then can businesses, particularly small, medium enterprises address any?
Delvin Tillett (16:16):
I think it's going back to what we're saying in
terms of that cyber hygiene. Looking at their digital footprint,
what data do we have? How sensitive is that data?
What does the regulatory environment say? How do we protect that?
And then looking at the resources that they have in
order to put those mitigations in place, I think, is
probably the first step that organizations would take.
Vanessa Baffoe (16:34):
Jake, what's your take on this?
Jake Moore (16:34):
Yeah, this is the boring bit, but it's policy and procedure.
Vanessa Baffoe (16:38):
We love boring because it's practical, it's great and it's useful.
Jake Moore (16:41):
Do you know what? It starts with policy and procedure,
but it does get more exciting. I'm a big fan
of simulation attacks. So creating a cyber attack in a
safe environment by a third party will highlight all of
those issues. And inevitably these experienced simulation attackers will get
through those defenses. They will most likely be able to
(17:04):
steal data and prove to those decision makers how important
these defenses are moving forward. It will then mitigate those
vulnerabilities at that time or that place and time. It's
a moving landscape as we've said. It changes six months,
a year down the line. So it's something that needs
to continue for all those companies. It's actually quite exciting to
(17:25):
be part of a simulation attack. So in some cases,
calling it penetration testing, when we are properly testing the
protection in those companies. And if they're able to get
through which they will, you then patch those areas and
you realize going forward, you are much better, but it's in
a safe environment. So go and have some fun.
Vanessa Baffoe (17:45):
I can see you shaking your head there practically Delvin, you want
to get in.
Delvin Tillett (17:48):
Well, because insurance also helps on that respect as well
because a lot of carriers and Allianz ourselves, we partner
with vendors on the pre-breach services. So this is
helping organizations understand what their risk landscape looks like. So
we will actually provide help to organizations via a vendor
panel that will go in and do things in terms
of tabletop exercises. So we'd be able to reimburse them
(18:09):
for those exercises. So that's kind of helping understand what
their risk looks like and that makes them a better
risk from an insurance perspective as well.
Vanessa Baffoe (18:16):
So Delvin, what are the key considerations that brokers need
to keep in mind when it comes to advising their
clients on cyber risks?
Delvin Tillett (18:24):
I think it's really important for brokers to understand their
client's business because that's going to determine the scope of
cover that their client will need. So I think that's one of
the key considerations. Also understanding the client's digital footprint, the
type of information that they're collecting and what their cyber
maturity is. Because if you understand the organization's cyber maturity,
you're able to broke that client to the insurance carrier
and obviously try to improve terms for them.
Vanessa Baffoe (18:46):
Okay, so here's what I think a lot of people
will also be thinking and also be looking at, how
can you as a broker then add value to your
clients when it comes to advising them and also when
it comes to those risks that are not immediately obvious?
Jake Moore (19:03):
Okay. So part of what I do is to try
and predict future crime. I'm fascinated with what criminals are
doing today, but even more so what are they doing tomorrow? And
I think if brokers are able to make that penny
drop with their clients, to make them really understand the
true risk that's out there from attackers, that's when they
(19:27):
start to work together. So if you are looking into the future,
I would talk a lot about AI. Of course that's
going to be part of the future. We're already seeing
it in attacks now, it's just, say, scaled what criminals
have been able to do for many years, right the
way back from say original scams that weren't even part
of the internet. The internet elevated it and now AI
(19:49):
has tenfold elevated it once again. For example, taking advantage
of something like Copilot, Microsoft's AI within Windows, we're able
to now see new styles of phishing attacks that we'd
not seen before. For example, there was recently an attack
(20:09):
that has been patched now, where a criminal has been
able to send an email with a prompt for its
Copilot hidden within the email, that when it is sent
to the victim, if the victim just opens up that
email and does nothing, no clicking, but just opens the email,
it is able to inject that prompt into the victim's
(20:32):
Copilot and do what it wants. And in this case,
it was able to then highlight all the files that
it wanted, let's say the desktop, and upload them to
the website it's told it to because it enters it
within the Copilot itself. So it's not replying with it.
It's not sending it out via an email. So it's
bypassing all of the protections that we've got in place,
(20:54):
the firewalls that would say, well, you can't be sending
that out. It was diverting away from that into a more,
let's say, very creative use of AI. And we've seen
prompt injections like this before in ways that have not used AI.
But the fact it's using the victim's AI tool that
is just sitting there wanting to be used, I think
(21:15):
is fascinating.
Vanessa Baffoe (21:17):
Alarm bells are ringing as you're saying this, I cannot
believe that.
Jake Moore (21:20):
Good. That's what we want.
Vanessa Baffoe (21:20):
This is staggering, isn't it, when you think about it Delvin?
Delvin Tillett (21:25):
It really is. And I think what we're seeing with
certain threat actor groups and how they're using AI in
terms of deep fakes, they're able to take people's voices
and use them for their own purposes to socially engineer
their way into organizations. I mean it's quite scary stuff
when you think about it.
Vanessa Baffoe (21:40):
Now look, still sticking with the theme of looking ahead,
what emerging cyber risks should brokers be aware of?
Jake Moore (21:47):
Yeah, it's really thinking outside the box. And that's why
I'm looking into, say, this future crime because how are
we able to use AI in the future for good?
You've always got to balance that with how are criminals
using it for bad. So deep fakes have actually got
a really positive spin on it. Say people want to
create podcasts but might not feel comfortable speaking into a microphone.
(22:09):
You can now do that with your own voice. But
of course criminals are able to abuse that for their
own advantage. So it's also difficult to make people really
accept that until it's happened to them. And that's why
it's about bringing in these simulation attacks because only then
did they get that feeling in their stomach of, wow,
you really did get past our securities which we thought
(22:31):
were pretty good. And it really highlights it to them.
So again, it comes back to that bespoke package with insurance,
with simulation and then moving forward and continually moving forward.
Vanessa Baffoe (22:42):
And Delvin, just picking up on that point then, what
emerging cyber risks should brokers be aware of and how
can they prepare their clients for such challenges?
Delvin Tillett (22:51):
Yeah, I think it's difficult because the threat landscape changes
all the time and we are seeing things with AI, but
I think one of the good things with AI in
terms of attacks, you can use it to defend as well.
So that's also one of the positives that come out
of it. I think also from the future, which is
probably a lot further on in the horizon is quantum
computing and what that means when it comes to encryption
that we have today. Because with quantum computing comes the
(23:12):
ability to work with large mathematical algorithms and numbers to
be able to break encryption codes. So there's worry about
people harvesting data now and then decrypting it later on.
So that's another area of concern for the future. So
it feels like it's a never ending race.
Vanessa Baffoe (23:28):
Goodness. So Delvin, what should brokers take away from this? Any top tips?
Delvin Tillett (23:32):
Yeah, some of the top tips I can think of
would probably be understanding their client's business, making sure they
understand what their client's cyber maturity looks like in order
to put the best terms forward for their clients when
it comes to purchasing insurance.
Vanessa Baffoe (23:44):
Jake, what about you? Is there anything that you'd like
to add?
Jake Moore (23:46):
I think it's a really exciting time and the fact we
can use AI on both sides here. I always imagine
fire is actually used to fight fire. That's how we're
also moving towards with technology. I don't think quantum computing
is going to be a threat for at least another decade,
but it's definitely something to be thinking of now. And
(24:08):
that's something that I think has been the problem with
say cyber insurance. We haven't really worried about it until, oh,
we're a bit too late. So there's no time like
the present. So if anyone hasn't got insurance or doesn't
fully understand their own business and their protection, then there's
no time like the present.
Vanessa Baffoe (24:27):
My goodness. I could actually stay and chat to the both
of you all day. There's just so many layers to
all of this. It's fascinating. Delvin and Jake, it's been great
speaking to both of you. Thank you so much indeed
for joining us here on Insurance Tomorrow.
Jake Moore (24:38):
And you, thank you.
Delvin Tillett (24:39):
No worries, great to meet you.
Vanessa Baffoe (24:41):
So with that in mind, we'll bring this cyber risk
episode of Insurance Tomorrow to a close. Massive thank you
to our guest, Delvin Tillett, he's head of cyber at Allianz Commercial,
and also to Jake Moore, who's global cyber security advisor at ESET.
Thank you both for joining us. And thank you also
for tuning in. And don't forget you can subscribe through
your normal podcast app so you'll never have to miss
(25:02):
an episode. And while you are there, why not leave us a review?
We'd love to hear from you. Until next time, see
you soon.