Xavier Marguinaud, Underwriting Manager - Cyber at Tokio Marine HCC, contributes "Strategies to minimise loss and damage" to the Corporate Livewire Cyber Security & Data Protection Expert Guide, published in December 2017.
Expert guide: Cybersecurity & Data Protection 2018
Spain
Strategies to minimise loss & damage
By Xavier Marguinaud, Underwriting Manager - Cyber at Tokio Marine HCC
Xavier Marguinaud
xmarguinaud@tmhcc.com
+34 93 530 7439
www.tmhcc.com

Over the last decade there has been an increasing focus on cyber incidents. As the legal landscape evolves, companies have started to realise that there is a need to steer risk managers towards reviewing and adapting their strategies to bear in mind cyber risks.

Taking the classic risk management repertoire (risk acceptance, avoidance, limitation and transfer) as a base, strategies have evolved from a responsive approach to a more proactive one.

In addition, today's aggressive and constantly mutating cyber risks have forced risk managers to consider "cyber resilience", a concept that is rapidly gaining recognition within the community.

Cyber resilience is the ability to continuously conduct business despite adverse cyber incidents. People are still confusing security (which is a static but nevertheless important risk mitigation element) with resilience, "the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions" [1].

After talking it over with many Executive Directors, CISOs, Risk Managers and hackers, I am convinced that the appropriate and relevant balance between security (prevention, detection, correction) and resilience (anticipation, adaptation, readiness) must be struck by companies when considering cyber threats.

In this article, I have included a mix of what I consider to be today's relevant and complementary strategies for minimising loss and damage in relation to any type of cyber incident.

"Prevention is better than cure!"

Like a boxer twisting to avoid his opponent's jabs, the best strategy to minimise loss and damage arising from cyber events is to avoid them!

The importance of this strategy is often underestimated, yet it is one of the most relevant when wanting to reduce cyber security incidents related to human error. For Cyence [2], "most cyber events are driven by human and behavioural factors", so it is easy to see how dedicated training and awareness campaigns (IT security, data management, social engineering risks...) could have a positive impact on such a dramatic trend.

Being consistent and involving all employees is also vital, so having, sharing and regularly reviewing an information security policy (and other behavioural policies) makes sense.

Furthermore, and as we constantly remind our clients, training people is also a way of reinforcing your first and maybe best line of defence against a cyber incident; so, do not underestimate the power and importance of your staff.

Finally, a smart and flexible patch management process is also a key preventative element: it closes known vulnerabilities on the perimeter and on internal systems before they can be exploited and, as such, decreases the opportunities for malicious actors to gain access to the company's network.

In a nutshell, preventative solutions are useful as they can reduce the likelihood of an event occurring. Companies should invest appropriately in these types of measures.

"Make the hacker's life hell!"

But what if someone gets into your system? In this case, to minimise potential loss and damage, another complementary strategy would be to set up relevant protective elements that limit the impact of potential human errors or make any cyber intrusion more difficult to carry out.

Companies should make sure that their networks are segregated in order to stop malware from spreading and to make lateral movement slow and difficult. If appropriate, access and password management processes should be designed on a least-privilege basis so as to limit a hacker's progress in a defined system. Encryption technology could render sensitive data useless should it fall into enemy hands.

Obviously, the intention is not to encrypt all data but rather the data that a company considers non-public and of vital importance. For this, companies should regularly carry out risk mapping exercises that include the crucial step of identifying, localising and classifying data.

Fortunately for companies there are many protective measures that can be taken; the ones mentioned above are just a few examples of the useful tools available.
Protective measures need to be taken in order to make a hacker's job as difficult as possible.
"Enemy at the gates, prepare for battle!"

Concurrent to the protective strategy, companies should work on efficient detection and event escalation solutions and procedures.

Of course, detection is key in any comprehensive cyber resilience strategy as it is what naturally links protective measures to the company's response to an attack. For this an Intrusion Detection System (IDS) is recommended, or an Intrusion Prevention System (IPS) where automated blocking is wanted; the two are often sold as one product but they are not the same thing. Both monitor networks or systems for malicious activity and report an intrusion to an administrator or to a Security Information and Event Management (SIEM) system. An IPS additionally sits inline on the traffic path and takes automated actions to contain the intrusion (blocks traffic, drops malicious packets, resets connections etc.), which means a badly tuned rule can cut off legitimate business traffic; new rules are therefore best run in detect-only mode until their false-positive rate is known.

Obviously, a serious mistake would be to only monitor traffic approaching the perimeter of the company's network (in a battle analogy this would be the fortification) whilst overlooking internal traffic (perhaps the enemy is already in the courtyard or dungeon?). In practice this means placing sensors on internal segments, or collecting host and authentication logs, so that east-west movement between internal machines is visible and not only the north-south traffic crossing the firewall.
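As an added illustration of the point above (this is not code from the article, nor a Tokio Marine HCC tool), the Python snippet below runs two detection rules over a constructed connection log: a perimeter-only rule, which sees an outside address hammering an exposed SSH port, and an east-west rule, which catches an internal workstation fanning out to SMB, RDP and WinRM on many neighbours, something the perimeter rule never sees. The internal address range, the admin-port list, the thresholds, the window and the log lines themselves are all assumptions chosen for the example; the "actions" returned at the end stand in for what an inline IPS would push to a firewall.

```python
"""Added example: why internal (east-west) monitoring matters.

Constructed connection log, one flow per line, in a simplified Zeek-like
'conn' format:  ts src_ip src_port dst_ip dst_port proto status
All addresses, ports, timestamps and thresholds are made up for the example.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample log. The first line is ordinary browsing; lines 2-7 are
# one workstation probing admin ports on six internal servers; lines 8-9 are
# a normal file-share user; the last five are an outside host hitting SSH.
SAMPLE_LOG = """\
1512000000 10.0.5.23 51000 93.184.216.34 443 tcp ok
1512000001 10.0.5.23 51001 10.0.1.10 445 tcp ok
1512000002 10.0.5.23 51002 10.0.1.11 445 tcp ok
1512000003 10.0.5.23 51003 10.0.1.12 445 tcp rst
1512000004 10.0.5.23 51004 10.0.1.13 3389 tcp ok
1512000005 10.0.5.23 51005 10.0.1.14 3389 tcp rst
1512000006 10.0.5.23 51006 10.0.1.15 5985 tcp ok
1512000030 10.0.7.9 52000 10.0.1.10 445 tcp ok
1512000031 10.0.7.9 52001 10.0.1.10 445 tcp ok
1512000040 203.0.113.7 40000 10.0.0.2 22 tcp rst
1512000041 203.0.113.7 40001 10.0.0.2 22 tcp rst
1512000042 203.0.113.7 40002 10.0.0.2 22 tcp rst
1512000043 203.0.113.7 40003 10.0.0.2 22 tcp rst
1512000044 203.0.113.7 40004 10.0.0.2 22 tcp rst
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed company LAN
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}           # SSH, SMB, RDP, WinRM
WINDOW_SECONDS = 60
PERIMETER_THRESHOLD = 5   # inbound attempts from one outside address
FANOUT_THRESHOLD = 5      # distinct internal admin services from one host


class Flow(NamedTuple):
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_log(text: str) -> List[Flow]:
    """Parse the simplified conn format into Flow records, oldest first."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, _proto, _status = line.split()
        flows.append(Flow(int(ts), ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport)))
    return sorted(flows, key=lambda f: f.ts)


def _recent(events: List[Flow], i: int) -> List[Flow]:
    """Events from the same source that fall inside the sliding window
    ending at events[i]."""
    cur = events[i]
    return [e for e in events[:i + 1] if cur.ts - e.ts <= WINDOW_SECONDS]


def perimeter_alerts(flows: List[Flow]) -> Dict[str, int]:
    """North-south rule: an outside address hitting inside hosts repeatedly.
    This is all a sensor placed only at the fortification can see."""
    by_src: Dict[ipaddress.IPv4Address, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.src not in INTERNAL_NET and f.dst in INTERNAL_NET:
            by_src[f.src].append(f)
    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        for i in range(len(events)):
            n = len(_recent(events, i))
            if n >= PERIMETER_THRESHOLD:
                alerts[str(src)] = max(alerts.get(str(src), 0), n)
    return alerts


def lateral_movement_alerts(flows: List[Flow]) -> Dict[str, int]:
    """East-west rule: an internal host reaching many distinct internal
    admin services inside the window looks like a scan or lateral movement,
    not normal use. Only visible if internal traffic is monitored."""
    by_src: Dict[ipaddress.IPv4Address, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.src in INTERNAL_NET and f.dst in INTERNAL_NET and f.dport in ADMIN_PORTS:
            by_src[f.src].append(f)
    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        for i in range(len(events)):
            targets = {(e.dst, e.dport) for e in _recent(events, i)}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts[str(src)] = max(alerts.get(str(src), 0), len(targets))
    return alerts


def containment_actions(flows: List[Flow]) -> List[str]:
    """IPS-style decisions for each alert, as strings a human can read.
    A real inline device would push these to the firewall or NAC instead."""
    actions = [f"block {src} at perimeter firewall" for src in sorted(perimeter_alerts(flows))]
    actions += [f"quarantine {src} (internal VLAN isolation)"
                for src in sorted(lateral_movement_alerts(flows))]
    return actions


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("perimeter-only view:", perimeter_alerts(flows))       # misses 10.0.5.23
    print("east-west view:     ", lateral_movement_alerts(flows))
    print("actions:            ", containment_actions(flows))
```

The perimeter rule fires only on 203.0.113.7; the scanning workstation 10.0.5.23 never crosses the fortification and is invisible to it. The quarantine action for that workstation presupposes the segmented network described in the previous section: without VLAN separation there is nothing to isolate the host into.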
Detection of course is good, but knowing how to react is better. Having a regularly tested and reviewed escalation protocol along with clear incident management guidelines is no longer a luxury but a necessity.

A recent study [3] has highlighted a direct and very often significant correlation between the ability to quickly identify and contain a cyber event and the cost of the incident. So whilst the need to detect an incident is really important, the ability to contain the incident is even more so.

A company's readiness for potential cyber incidents is of utmost importance and demonstrates both a reassuring level of humility and maturity. Investing in this "being ready" strategy could take on different, but nonetheless complementary, forms.

Companies should have an in-house or outsourced, dedicated cyber incident response team. This would definitely be a game changer in case of a cyber incident, as knowledgeable, experienced and trained people would be more efficient and straight-to-the-point when analysing, taking decisions and implementing solutions.

Those companies that have a large geographical footprint should also consider having local relays in addition to a centralised Computer Emergency Response Team (CERT), as response is time critical. For this very same reason, it is highly recommendable to draw up an Emergency Response Plan (ERP) for immediate decisions and actions as well as a Business Continuity Plan (BCP) to manage more complex situations and more impacting incidents (network redundancy, backups that are kept offline and restore-tested, or other business interruption counter-measures...).

Furthermore, companies should always keep in mind that "the supreme art of war is to subdue the enemy without fighting" [4]. For this, anticipation is key. Companies should have recourse to threat intelligence (to understand trends and anticipate future behaviour and modus operandi) and other risk analytical reports. In my opinion not enough companies have this presently.

Last but not least, on the list of ways to be cyber ready, another way to anticipate a potential intrusion would be "empathy". Companies should try to understand what an external hacker or an insider could achieve, by performing white box or black box penetration tests (in a black box test the testers start with no inside knowledge, as an external attacker would; in a white box test they are given architecture details, credentials or source code, closer to what an insider would have).
There are, of course, many strategies that can help minimise loss and damage. In this article I have outlined some of the more proven measures that currently exist and should be implemented in order to be a more cyber resilient company. However, the cyber landscape is constantly evolving and risk managers should factor in cyber risks and stay abreast of developments as well as count on an expert insurer who can advise and offer complete coverage; one that contemplates the before, during and after scenarios of a cyber incident.
Xavier Marguinaud is Underwriting Manager – Cyber, overseeing and coordinating Tokio Marine HCC's Cyber strategy for EMEA, APAC and LATAM. Previously, Xavier worked at Marsh as NZ Cyber Risk Specialty Head and as Financial Lines Senior Risk Advisor as well as Cyber Product Champion in France. He launched his career in the Risk and Insurance department of Publicis Groupe.
1. US Department of Homeland Security, What is Security and Resilience, www.dhs.gov
2. Cyence, Cyber threats: People, Process and Technology, www.cyence.net
3. Ponemon Institute Research report, 2017 Cost of Data Breach Study.
4. Sun Tzu, The Art of War.