REPRINT • FINANCIER WORLDWIDE • JULY 2019 • www.financierworldwide.com
ANNUAL REVIEW
CYBER SECURITY & RISK MANAGEMENT
EMANUELE CAVALLERO
Tokio Marine HCC
Senior Underwriter
+34 93 530 7322
ecavallero@tmhcc.com
Emanuele Cavallero is a senior
underwriter for Italy, Greece and
the Middle East at Tokio Marine
HCC, with over 10 years’ experience
in financial lines products. Over
the last five years, he has been
focusing on the underwriting of
cyber risks with the ultimate goal
of customising cyber security
insurance products for his markets.
Mr Cavallero holds a Bachelor’s
degree in Economics from the
Università degli Studi di Torino
and he speaks Italian, English and
Spanish.
Italy
■ Q. In your opinion, what are the major
cyber threats to which today’s companies
are vulnerable? Could you comment on any
recent, high profile cyber attacks in Italy?
CAVALLERO: Today, cyber attacks are perpetrated
from a variety of places, using constantly evolving
methods and techniques. Though some threats
are more invasive than others, they can be
equally devastating for unprepared businesses.
Consequently, understanding the state of cyber
security is key to successfully protecting a business
from advanced cyber attacks. Not having a cyber
security plan creates high-risk situations, including
the potential compromising of private data, costly
recovery expenses or weakened client trust. Italy
fell victim to two major cyber attacks during the
last two months of 2018. The first saw a server
near Rome targeted and accessed by unknown
hackers. The server handles certified email accounts
for public administrators. Then, less than a month
later, an Italian oil company, Saipem, was targeted
by hackers utilising a modified version of the
‘Shamoon’ virus. Due to this, hundreds of the
company’s servers and personal computers in
the United Arab Emirates (UAE), Saudi Arabia,
Scotland and India were taken down.
ITALY • EMANUELE CAVALLERO • TOKIO MARINE HCC
■ Q. Given the risks, do you believe
companies are placing enough importance
on cyber security? Are board members
taking a proactive, hands-on approach to
improving policies and processes?
CAVALLERO: Many companies think IT
systems security is important, but only a few
have a formal strategy in place to protect their
data and devices. Cyber threats can no longer
be considered exceptional circumstances for
businesses. Until recently, most companies had
a small group of staff responsible for their IT
and cyber security. Organisations now need
greater defences as hackers and malware
become increasingly sophisticated. With around
4000 ransomware attacks being conducted per
day, and the frequency of ransomware attacks
estimated to occur every 14 seconds by the end
of 2019, building defences against ransomware
should, therefore, be a top priority for companies
worldwide.
■ Q. To what extent have cyber security
and data privacy regulations changed
in Italy? How is this affecting the
way companies manage and maintain
compliance?
CAVALLERO: Organisations need to conduct
data protection impact assessments (DPIAs) as
part of the General Data Protection Regulation’s
(GDPR’s) mandate. DPIAs are required in
specific circumstances and used to identify,
understand and address any privacy issues that
might arise when developing new products
and services that involve the processing of
personal data. Nevertheless, some of the main
risks to businesses continue to stem from
cyber security. In addition to fines for a lack of
compliance, businesses that are not on top of
security could face very real risks arising from
socially engineered attacks, ransomware and
other targeted, advanced assaults. In the first
nine months since the GDPR came into force,
just over €55m was collected in fines issued by
the European Union’s (EU’s) data protection
supervisory authorities (DPAs). The DPAs have
seen a huge increase in the number of personal
data breaches being reported, with over 89,000
personal data breaches being notified in less than
12 months. Only 63 percent of cases investigated
by DPAs have been closed. Over 144,000 queries
and complaints are reported to have been made
by individuals who believe their rights under
GDPR have been violated.
■ Q. In your experience, what steps
should companies take to avoid potential
cyber breaches – either from external
sources such as hackers or internal
sources such as rogue employees?
CAVALLERO: Cyber attacks are rapidly
evolving and are becoming increasingly
sophisticated. Therefore, it is no longer enough
to simply protect a company’s perimeter alone.
Today, both technology which helps detect and
contain malicious activities and the inclusion of
cyber security as part of a company’s corporate
culture are essential. The latter is important and
necessary when assessing today’s workplace.
Simple factors, such as the extensive usage of
cloud services, the usage of external Wi-Fi for
accessing internal documents, the increasing
popularity of bring your own device (BYOD)
and the increasingly popular work from home
policies must be considered. On a basic level,
there are certain threats that can be effectively
eradicated if security becomes part of workforce
culture, thus helping to avoid or reduce the
success of future social engineering and phishing
attacks.
■ Q. How should firms respond
immediately after falling victim to cyber
crime, to demonstrate that they have done
the right thing in the event of a cyber
breach or data loss?
CAVALLERO: The ‘golden hour’ refers to the
fact that once a system hack is confirmed, action
needs to be taken immediately. Every minute
is important. The first step for a hacked firm
should be to call the incident response unit
or emergency response team (ERT), which is
composed of specific individuals who have been
trained in what to do after a cyber attack. This
can be an in-house group or an external company
on retainer. Having an incident team further
minimises the damage a company may endure
and helps reduce the cost of a cyber attack. The
GDPR requires companies to notify users of a
data breach within 72 hours. With significant
financial penalties, it is even more critical to
develop and test a company’s cyber security
incident response plan (CSIRP) before a breach
occurs. A comprehensive CSIRP, regularly tested
and updated, can help incident response teams
save valuable time and resources. In the event
of an incident, it is critical to answer three key
questions: What has happened? What data have
the attackers accessed? How can the damage
be quickly contained and remediated? A robust
response plan will answer these questions.
■ Q. In what ways can risk transfer
and insurance help companies and their
D&Os to deal with cyber risk, potential
losses and related liabilities?
CAVALLERO: Evolving cyber attacks and
tightening regulatory requirements are increasing
the need for organisations to transfer those risks,
as cyber security management alone is no longer
enough. By arranging a cyber security insurance
policy, the risk is transferred effectively. This
recent need for a holistic approach in terms
of cyber security has created a path where
insurance companies have seen a surge of
business, especially following the implementation
of tougher regulations like the GDPR. A more
mature cyber insurance market in Europe is
now leading some carriers to develop additional
services beyond basic risk transfer, like, for
example, post-incident services in order to
support customers that suffer a breach or
tools to help monitor risks as part of a trusted
partnership between insurer and insured.
■ Q. What are your predictions for cyber
crime and data security in Italy over the
coming years?
CAVALLERO: Technology is always evolving,
which means that cyber crime itself must adapt
if it wants to survive. This is why hackers are
constantly devising new lines of attack and
adapting in order to avoid detection. Cyber
security by itself will not be enough to secure our
most sensitive data or our privacy. Security will
also have to focus on enabling organisations to
leverage and monetise the data they hold without
being exposed to data breaches or IP theft,
particularly in the era of artificial intelligence
(AI) and Big Data. ■
www.tmhcc.com
Tokio Marine HCC is a leading specialty insurance group with offices in the
United States, the United Kingdom, Spain and Ireland, transacting business in
approximately 180 countries and underwriting more than 100 classes of specialty
insurance.
EMANUELE CAVALLERO
Senior Underwriter
+34 93 530 7322
ecavallero@tmhcc.com
GÜLSAH DAGDELEN
Senior Underwriter – Cyber
+34 93 530 7358
gdagdelen@tmhcc.com
SIMON CALDERBANK
Senior Underwriter – Cyber
+44 (0)20 7680 2910
scalderbank@tmhcc.com
PAULINA RADGOWSKA
Tokio Marine HCC
Senior Underwriter
+34 93 530 7422
pradgowska@tmhcc.com
Paulina Radgowska is a senior
underwriter for Switzerland and
Central & Eastern Europe for
financial lines insurance, focusing
on cyber risks. Prior to joining Tokio
Marine HCC she worked as a broker
for Marsh in its Finpro practice and
spent some time in its cyber centre
of excellence in New York. She has
a BA in Spatial Economics from
Warsaw University and a master’s
degree from Warsaw School of
Economics where she specialised
in business management and real
estate management. She speaks
Polish, English, Portuguese and
Spanish.
Poland
■ Q. In your opinion, what are the major
cyber threats to which today’s companies
are vulnerable? Could you comment on any
recent, high profile cyber attacks in Poland?
RADGOWSKA: According to a recent KPMG
survey of 100 Polish companies, cyber criminals are
still the biggest threat companies face. Attackers
include both individual hackers and organised
groups using ransomware and social engineering
techniques to steal confidential data and funds. The
recent attacks on the biggest financial institutions in
Poland were performed using spyware and phishing
techniques. However, it is always difficult to obtain
detailed information on losses made as companies
do not like to publicise the fact that they have been
hacked. Data theft by employees is also a concern.
Employees, contractors and temporary workers who
have direct access to critical resources introduce
risks that need to be understood and countered.
Human error is also a great challenge for all
businesses.
■ Q. Given the risks, do you believe
companies are placing enough importance
on cyber security? Are board members
taking a proactive, hands-on approach to
improving policies and processes?
POLAND • PAULINA RADGOWSKA • TOKIO MARINE HCC
RADGOWSKA: Many companies are improving
their approaches to cyber security; however,
there is still a lot of work to be done. Security
policies, procedures and guidelines are written,
to a large extent, based on auditor instructions
but are then never shared, explained or used with
employees. To be useful, the procedures need
to be put into action and appropriately adapted.
No one is going to follow the rules if people do
not know they exist. The consequences of non-
compliance are expensive liability issues for the
company, which makes it crucial that employees
are aware of what is expected of them in terms
of preventing cyber incidents. An increasing
number of organisations are developing business
continuity plans or at least crisis management
procedures. However, many of these documents
go untested.
■ Q. To what extent have cyber security
and data privacy regulations changed
in Poland? How is this affecting the
way companies manage and maintain
compliance?
RADGOWSKA: Unfortunately, many
organisations do not understand all relevant
legislation. In addition, technology changes
at such a fast pace that all new laws and
regulations, if too detailed, would never
represent reality. For this reason, the European
Union’s (EU’s) General Data Protection
Regulation (GDPR) is a good example of a
high-level requirement that still puzzles many
companies. It is now, when fines for non-
compliance start to crop up in Poland and
regulators place privacy issues under more
scrutiny, that companies not taking cyber
security seriously may get a wake-up call.
However, while some organisations are still
getting to grips with the GDPR, another EU
regulation requires their attention: the new EU
ePrivacy Regulation (ePR). The scope of the ePR
applies to any business that provides any form
of online communication services, uses online
tracking technologies or engages in electronic
direct marketing. The Regulation on the protection of
undisclosed know-how and business information
against their unlawful acquisition, use and
disclosure, as well as the Directive on security
of network and information systems (NIS
Directive), which is the first piece of EU-wide
legislation on cyber security, are worth studying
thoroughly.
■ Q. In your experience, what steps
should companies take to avoid potential
cyber breaches – either from external
sources such as hackers or internal
sources such as rogue employees?
RADGOWSKA: Compiling an inventory and
categorising companies’ information systems
should be the first step in assessing any potential
data breach. Without knowing the quantity
and type of data existing in the company, it is
extremely difficult to choose and implement
proper security mechanisms. When this is
done, it is crucial that companies monitor the
effectiveness of any controls which have been
put in place alongside employees’ compliance
with internal rules. The latter should be linked
to frequent cyber awareness training for all
employees and should be supported and directed
by senior management. Companies should limit
employees’ access to their more critical data and
make sure that third-party vendors comply with
their privacy requirements.
■ Q. How should firms respond
immediately after falling victim to cyber
crime, to demonstrate that they have done
the right thing in the event of a cyber
breach or data loss?
RADGOWSKA: Organisations should have
a clear response protocol in place to help
employees focus in high-pressure situations.
Moreover, having the right team on the job is
critical. There should be one leader from the
C-suite, or reporting directly to the C-suite,
with overall responsibility for responding to the
breach. This way, decisions can be made quickly.
It is also very important to hire a public relations
expert who will take care of the company’s
external communication. It takes years to build a
reputation and gain client trust, but only seconds
to lose it. This applies even more in today’s
increasingly interconnected world. Finally, if
it is not possible to tell exactly what data has
been compromised, it may be wise to take a
conservative approach and, in more serious
cases, proactive notification is generally the right
strategy.
■ Q. In what ways can risk transfer
and insurance help companies and their
D&Os to deal with cyber risk, potential
losses and related liabilities?
RADGOWSKA: Risk quantification, which
details the sensitivity and critical importance of
assets, and defines risk appetite, should be the
first step for companies to determine the level of
insurance coverage. Cyber insurance is designed
to help organisations mitigate risk exposure by
offsetting the costs involved with recovery after
a cyber-related security breach or similar event.
In Poland, the biggest driver for purchasing this
insurance is liability, as companies fear costs
related to handling data breaches. Nevertheless,
more entities are now focusing on responding
to business interruption, ensuring that they are
not losing money when their systems are down.
Cyber insurance provides organisations with
a panel of specialists, including an incident
coordinator and response teams for any legal,
information technology (IT) and public relations
issues that may arise in relation to a cyber event.
Moreover, preventive consulting services are
becoming a great added value for companies.
■ Q. What are your predictions for cyber
crime and data security in Poland over the
coming years?
RADGOWSKA: Criminals simply shift their
focus and adapt their tactics to locate and steal
the data they consider most valuable. Organised
criminals will continue to conduct attacks,
damaging companies and individuals alike.
The landscape globally, not just in Poland, is
transitioning from ‘smash and grab’ attacks to
slower and more determined ones, like advanced
persistent threats (APTs). According to the Certified
Information Systems Security Professional
(CISSP) All-in-one guide, there has been a
decrease in the number of viruses created just
for populating as many systems as possible, and
it is predicted that more dangerous malware will
increase its range. What is even scarier is that
the next generation of AI-powered attacks will
likely be sophisticated enough to emulate the
behaviours of specific users to fool even skilled
and experienced security personnel. ■