Security Expert Interview Series: Sjaak Schouteren
We are excited to announce our next interview with Sjaak Schouteren, Cyber Development Leader, working in the insurance industry. In that position, he tackles the growing cyber security threats and improves cyber resiliency for European companies. In this interview, Sjaak offers key insights on how small businesses can do a better job of protecting themselves against cyber-attacks and at what stage businesses have to consider buying cyber insurance.
1. Can you give us an introduction about yourself, Sjaak? How you ventured into the cyber security world?
About 11-12 years ago, I was working at a loss adjusting company, currently known as Sedgwick, as a business developer and I was thinking about what could change the insurance industry. There were three topics that came to mind: 3D printing, nanotechnology and cyber/privacy management. I took the cyber train and invested a lot of time and energy to grow my knowledge, expertise and my network. I set up a cyber team there.
After a couple of years I left to join Aon where I led the cyber team and was responsible for the cyber offering for the Netherlands. In that period, I also served as the Chairman of the Cyber Platform at VNAB (Dutch Insurance Association), which brought together insurers, brokers and clients to gain a better understanding of cyber risk and its implications for risk management.
Before joining Marsh JLT Specialty in 2018, I was leading the continental Europe Cyber Team to support the expansion of JLT Specialty’s market-leading cyber risk offering. After JLT was acquired by Marsh, I am excited to work with our Marsh JLT Specialty Cyber team as we combine our expertise in risk management to tackle the growing cyber security threats and improve cyber resiliency for European companies.
2. What soft skills do you think are most important for cyber security professionals?
I feel cyber risk management is not purely an ICT topic; it needs and deserves a holistic approach. Therefore, one of the most important things my colleagues and I do is break the silos within organizations.
Contrary to popular belief amongst specialists, this means a lot of listening, not talking, and making sure that everyone who needs to be heard is heard. In that way you can truly understand the business (needs) and the impact of a cyber incident for the organization and the persons involved, and their motivation for (in)action.
3. What motivates you to keep pushing ahead every day in the security field?
I actually have a really positive view on cyber risk management. I see our team as the brakes on a race car. This does not mean, e.g., that we stop innovation or lengthen time to market. No, because the race car has such good brakes, it is able to take off and reach enormous speed. The same goes for cyber risk management. We help organizations qualify, quantify and manage the risk up front, so they are able to innovate and grow in a sustainable way. We are an enabler for business.
4. Could you please tell us what the most important cyber security lesson you learned in 2020 was?
Do not assume the person you are talking to is on the same page as you are.
As a specialist, it is easy to walk (and talk) into your own silo. After more than 10 years I would have thought that everybody (CFO, risk insurance manager, HR, and ICT) would see the risk and impact of cyber incidents. This is still not the case because different people view the news (if they see it) in a different manner.
Given the above, I actually ‘dumbed down’ my presentations again. I was expecting that we as a society would be more cyber risk savvy. But actually, the presentations I gave 10 years ago are still the ones that resonate the best.
5. Now let’s talk a bit about data breaches. Are data breaches unavoidable? If yes, is there a right and wrong way to deal with them when they occur?
Of course, there is a lot to be done to avoid data breaches. You can take technical and organizational measures to mitigate the risk. But 100% security does not exist. So it is important that you know how to act when something does occur. We have an online cyber self-assessment tool based on NIST, and from the data we see that a lot of companies are still improving on ‘Identify’, ‘Protect’, and ‘Detect’. Unfortunately, a lot still lag behind on ‘Respond’ and ‘Recover’.
If you follow the news you often see this happening in what I cynically call the life cycle of a data breach:
- “There was a small breach, we found out at an early stage and nothing material was stolen/breached.”
- “We found that the criminals were in our systems a bit longer than we thought and they might have their hand on more data than expected.”
- “Actually, the criminals were in our systems for more than 100 days, have taken a lot of sensitive data of our clients, and we should have been aware of this a few months ago, or rather: we were made aware of the risk and have not taken appropriate action.”
In most companies, they do fire drills, and they know whom to follow when something happens. This is unfortunately still not the case with cyber incidents like data breaches.
6. What are some examples of how small businesses can do a better job of protecting themselves against cyber-attacks?
The above applies to most companies. For smaller companies we often see that they are very reliant on their ICT service provider. They do not take into account that a service provider is something different from a security partner, let alone a first/incident response expert. So a good question to ask the service provider is: “What can we expect from you to mitigate the chance and impact of a cyber incident, and how will you help us, and are you able to help us?” In our practice we see that these questions are seldom asked explicitly.
Also, a good way to get insights into the scenarios and impact of a cyber risk is to ‘play a game’ where you take the premise that you are a disgruntled employee who wants to hurt the company via ICT systems they (can) have access to. If you do this with a variety of colleagues, this often results in interesting and unexpected scenarios.
7. What are some of the problems with the cyber-insurance industry?
We are currently working on our Cyber Claims Report, and at the moment we see that the rise in claims outgrows the rise in the take-up of cyber insurance. On the one hand, this is not a big problem because we now see the proof that cyber insurance is doing what it is there for. On the other hand, we see that the financial impact of incidents is growing, especially from ransomware attacks. We, therefore, see that insurers are demanding more from candidate insureds. This can be technical (MFA, offline backups), organizational (Business Continuity Management and Disaster Recovery Plan), and also looking at the human factor through mandatory cyber awareness training.
Not all organizations are able to implement all of these demands. We as Marsh JLT Specialty are privileged that we have 65 risk consultants to help our clients with this, but I see that a lot of brokers do not have that expertise and/or knowledge, and for their clients it can be difficult to get insurance in the coming years.
8. At what stage do you think a business should buy cyber insurance?
Cyber insurance is not the solution to all cyber risk-related problems but should be seen as a very important part of good cyber risk management. The most favored route we take is that we first qualify and quantify the cyber risk, so we know that cyber insurance is the appropriate way to transfer the risk and that we set the correct limits and deductibles. But some organizations also first take out cyber insurance so they have an umbrella because they know it could rain and then take the time in the next year to see how hard it could rain and how big the umbrella should be.
We also increasingly see cyber insurance as a business enabler. Many organizations are closely linked in their business column, exchange data, and are reliant on each other business-wise. In contract negotiations we often see the demand for cyber insurance being present. Not only from a monetary or liability view, but also because the cyber insurance has an incident response module of forensic ICT, legal and PR experts in place that could prevent an incident from becoming a crisis.
9. What trends do you expect to see in cyber security in the next 3 years?
Ransomware is here to stay for the coming years, and I expect to see quite a few incidents resulting from Covid-19, e.g., phishing mails, working on private devices, failures in security with remote desktops, and the fact that people are getting more distant from their company (literally and figuratively). Furthermore, there is an interesting conversation starting in the Netherlands concerning the duty of care of ICT providers. It will be interesting to see how they will respond to these discussions.
Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.