In 2013, Ben Beeson was relaxing on vacation in France when he received a phone call from
Lockton Companies’ head office in Kansas City.
“They wanted me to go to Washington, DC, for a meeting at the White House within two days,” he recalls. “And I thought, ‘This doesn’t sound right. It must be a joke!’ Within 48 hours, I was sitting with other industry leaders in front of one of the president’s lead advisors on cybersecurity and a number of lead agencies representing the insurance industry. The federal government basically wanted to engage us in helping to roll out the NIST [National Institute of Standards and Technology] Cyber Security Framework, which they had devised to help US businesses understand the risk and how to deal with it.”
Beeson is Lockton’s US cyber risk practice leader, a role he took on in January. But his involvement in the cyber risk space dates back to 1999, following a career in London’s reinsurance market. Beeson joined Lockton in 2007, just after the company made the decision to become a global broker, and Beeson and his colleague, Emily Freeman, founded Lockton’s cyber risk practice in London.
“Working with leading underwriters in Lloyd’s, we built a platform that provided both client advisory and placement services to our global clients and became the leading team in the London market,” Beeson says.
Beeson’s extensive experience in cyber insurance has even given him the opportunity to testify before the US Congress in March 2015, about the evolution of the cyber insurance market. He calls it one of his proudest achievements in the cyber space to date.
“That was a great moment, having made the decision to relocate to our Washington, DC, office in 2014 and only been in the US a year, to be asked to do that,” he says. “And what resonated with me at that point was what a great opportunity we have, as an industry, on this risk issue. We mustn’t lose that, and [we] have to capitalize on that if lawmakers are giving us that type of attention.”
Increased awareness
After years of high-profile cyber attacks, there’s no doubt that the business world has a greater appreciation of cyber risk in 2016.
“The good news is, the awareness is much better than it was, say, two years ago, particularly at the board and executive level,” Beeson says. “I think that, generally speaking, businesses understand there is a risk.”
However, he says, there remains a lack of understanding as to the best way to deal with the threat.
“That’s because the issue has traditionally been owned by the IT department, the
technical people who are invested in the box of tools – the firewalls [and] the anti-virus software – to keep the problem at bay,” Beeson says. “That approach no longer works because prevention is very difficult, and so you have to build resilience across the organization because you should expect you are going to get hit, no matter how much you try to mitigate.”
He says building that resilience requires ensuring that the effort extends right across the organization.
“It includes the people you hire, what access you give them to what information, and how you engage with third-party vendors who deal with your organization. And that all requires a strategy that comes from the top of the firm, starting in the boardroom.”
Beeson says too many companies misinterpret cyber as a risk that only involves their handling of individuals’ personal information.
“They view it first and foremost, and maybe only, as a privacy issue – the liability to the company from handling customer data or employee personal data or their healthcare information,” Beeson says. “Of course, that’s a big risk, and that’s certainly where the insurance industry has been focused for the last 15 or 16 years, but it’s way broader than that now, and it’s only just being understood that it’s broader.”
Beeson raises the theft of a company’s intellectual property and cyber espionage as key examples of cyber risk unrelated to personal information.
“[Cyber] is not a product; it’s a peril, and it’s a peril that can have lots of different types of consequences. We have to start talking much more broadly about cyber risk as a peril that can have different consequences, depending on who the buyer is, and change that perception of it only being something that we’re focused on as a privacy issue.”
Keeping pace with change
As quickly as the business community is becoming aware of the nuances of cyber risk, the threats are evolving at an even faster rate.
“It’s growing as rapidly as technology advances, so very fast,” Beeson says. “The bad guys are still ahead of the good guys. That’s the problem – we’re still playing catch-up with the bad guys, because the economics are much easier for the bad guys than the good guys. The bad guys only have to succeed once, essentially. We’re continually investing in mitigation, playing catch-up, to keep every attack at bay. The economics dictate that it’s much harder to do that.”
While the insurance industry offers products that provide breach response services, Beeson says there’s substantial work to be done with respect to the pre-breach side – the time before things go wrong.
“Most companies right now are really struggling, for example, to understand how to identify the critical assets they want to protect,” he says. “How do they quantify the risk to those assets? How do they understand what the ROI is on mitigation to those assets, and whether they should or should not buy cyber insurance and how much should they buy?
“Those questions, we as an industry right now are trying to work on and help clients answer,” he adds, “but we haven’t solved that yet, and it’s incumbent upon us to come up with those answers.”
