Cyber Risks 2019-2024: How Management Is Seeing The Challenge? - Dennis Galla and Marcus Stade

Thanks ah before we start let me share with you that we I will show you I will show you ten flights and after ten flights will have open discussion and proving you know the former US President Woodrow Wilson okay Sam okay I believe in you as a former u.s. posted in the hand he won't work out how many how much time do you need to prepare your speeches and that it depends ever have 10 minutes I need two weeks to have 50 minutes I need one week if I have 30 minutes I need three days and if I have an hour I'm ready to start now so that's why we have 50 minutes now I will show

you slides and after that we're moving to an open discussion it would be great even if the last session of the day your opinions your experiences based on cyber risk are highly appreciated you may be discussing so usually I'm talking to CML CEOs and so on and about the technical stuff so I give them a perspective on technical stuff today a complete new experience it's about giving you business perspective to IT grub who's not part of the IT Crowd here no okay perfect wonderful so so sorry I need to sort but sure how this works okay the first of all if you have a look at the agenda there will be two name's Dennis color and my name Marcus so dennis is a

also I will do this presentation or to say a session alone but why we were here we have founders of Venus and infinitive insurance broker and with consults risk management consulting and in the last year end of last year we looked at the numbers of our company and especially the offers is then to customers or to all the people we were talking to and we saw a lot of others for a professional indemnity a liability or for directors and officers insurances and zone but you didn't see any offers for fabulous mistress and we asked why and if you ask why what you gonna do you ask people to give you two answers and that's actually damage honest please

make a study why or how fabulous are seen on a sea off on or seen on a sea level and sea level executed so and we started and asked them so we reached out to 300 of them and they answered and we asked them so we didn't stop started and we asked them what do you think is the probability to be a victim of a cyber attack and that's said ok yeah something like that and we are Ken what do you think about the next five years I said yeah we'll think this massively really cool for us because we sell the suburbs considerable but it okay why you think you actually you children have the

right time risk are to be evicted of cyberhood of the company the victim of fabulous and why this massively included just one question good things company you have a working for you you found out something like this has no risk of being a victim of a cyber attack that who was already victim of acid attack no one is one not even damn indirectly so I'm a magnet customer you know this mary dated which they don't just wanted over - all right oh but not sure what I did ok now after that that ok cool they see do ask perhaps surely and they say they see also do it well massively increasing within the next year but we ask them what do you do

to prevent your or which technique do you use so it does maybe I should do is go for that so what do you use to minimize she's fabulous and of course is that antivirus software we use firewalls and so on who sinks antivirus software and firewalls are enough to prevent cyber risks they were sworn into him please put a camera not good it's not enough no okay the Cutie of - plays very very interesting first you should do that and back out cool IT security monitoring cool as well who does she only keep continuously monitoring No okay okay external compartment and so on okay little cool they all do this firewall and you virus they use it they have this trainings and

so on and it's in here others and also I'm always as he does others I would have accepting and okay what do they mean with others what do you believe is always what is gone onto another answer common sense cool what do I do it to prevents I do it common sense put it pretty cool can do it others then would be great answer Thanks huh yeah so but many of them do a more epic is scaring me like paying ransom like common sense we know which is water which not okay now we often have come on so how important is this topic for your business journaling be yeah it's a medium risk who thinks obelisk is a media most

you think this in this instructive on century you notice you know this quote in the center in the 21st century data is like all wars in the 18th century striving your business method okay yeah it will be a medium with in the next five years as well okay confused as well so we moved on and asked them what do you think and what's the challenges investments in technology in the investments in employees investment in trainings for your company to minimize the risk of cyber cyber attacks as that oh yeah we see high investment see anybody any room with another opinion high investment service is a fact perfect I was looking for their yeah yeah what

do you think about do we need a high investment cyber security or any other way do you think exactly exactly it's it's not a project it's a continuous involvement as you already know in the room it's not just starting one well Jack here and so on the next one do you also think how what do you what do you think about the investments here cyber with anyone in lumen said oh yeah we should we should decrease secure level of investments in cyber risk prevention anyone Mitchell like it's like this one this one this one okay

okay he's that he was he said companies will invest more in cyber insurance in the future that's what we see in this study as well here 41 percent but investing in cyber secure knows it's not prevention it yeah but if you see here for mine from my perspective it's ten percent of companies we asked and they have a sub insurance they understood that a cyberattack is not about order there are things we have to do talk to a cyber attack was successful is not just using the last backup and clean all your computers and start over then is third a terrorism let's say crisis communication monitoring of personal data monitoring of credit card data and so on

so we if they invest in seven shows from my perspective they invest in safety after desire but hex happens and it's about it's part of the risk management but it's not not prevention here and of course I really have if they invest more in cyber insurance on a low level yeah on a low level more questions regarding this line so I'm going to declare okay

people living there getting microphone no move on you move on so just regarding use cyber risk or cyber risk insurance you see here in the next twelve month only 14% of the company we asked have even thought about sunny a suburb risk-insurance and the other one it's 77% they haven't even thought about doing it in the next 12 month so yes maybe they do it and we have a massively increase in 2024 but since 2024 let's say 2022 or something like this they haven't even thought about there is a risk management after cyberattacks and that's the point where I wish Dennis would be here because he is insurance expert but I try to explain risk insurance it covers the

costs for your computer system and also if you have any NDA's and will be violated by your data breach ends on crisis communication all the costs for lawyers regulatory affairs and so on but the question was about the revenue loss based on the data right no the answer is really easy no because that's that's why you need prevention as well I really love this okay as I said there were just a slide and I want to start a discussion here so maybe can share your experience and new opinions based on these numbers you sir based on your daily work will be very very helpful for us as well to understand I would say I said 10 minutes

sorry I'm Elias I told you we do it in 20 min we do 20 minutes is casual but maybe we can start with the tenets of Kozma buzzes yes please yeah so younger companies especially if they are working with customization if they're working with personalization and so on yeah okay they often use cyber risk insurance intervention as well or more sophisticated more intelligent for service prevention so so I guess based on that I guess if data is more structured is used on a daily base in your company you more are you investing more money in securing your data no there's some question you know yeah so but just can you throw to him after your

question that will be great Thanks can you move the microphone Joseph

[Music]

yeah exactly that's one of our findings as well because often after cybertek oddly the otega expectations after cyber taggers we use the last beggar we clean our computer system we go back to the status before this as soon as possible at a cyber attack but before of course and everything is fine they didn't realize they need to do cyber they need to do crisis communication they do not realize you need to you they need to pay for lawyers because this regulatory affairs and so on and all these other are the stuff like NDA like you have parties you have data of a third party or something like this they don't think about it so we talk to them

and we were very confused about the answers to be honest because that's what I said and some of them that yeah it's another problem we're using the last backup we don't need any of that yeah right it's like it's like common sense right what we do to prevent servos yeah common sense please I'll go to your microphone when you understand it or we asked ok there's a second second part of the question sorry ok start with question number one because there's a wanna concert

so we are both so we asked them about prevention our service comes from outside or also about social engineering something like this so and that's why we asked about a security awareness training so we do both but we didn't split the serve it based on inside out or outside in attacks the second question as I said then is histy insurance mastermind so but I guess there will be no prevention based on cyber risk insurance maybe some kind of discount but actually I'm not sure if you want to have a answer on this question you want to be sure it's hundred percent correct please give me your business card I will give them to Dennis and he will answer all your or

we'll follow up on them so to be honest I can't answer them okay that was a the kuipers forum somewhere there yeah but my last slide hello okay yeah you know for the the last slide you showed I think while you explained it you work on kind of contradicting what the slide set because this one yes because I mean if I reach for hang on 77 percent have an insurance in place already right that's what the slices or no no no no no no there's that nine percent they already have one yes then no with the planned war and so we sort about to do it in the next next month forty percent and the other one no

we don't have insurance and we haven't even thought about okay hopefully it's right because hopefully with this one - okay question - that then would be what sort of sectors have you interviewed to do that and how big were the businesses just one one man so so so we are SEC here 253 companies so actually not companies CEOs or CEOs the company so c-level executives and it was as if his share was between it was mostly smv companies the small medium business with more than one shareholder so let's say it's not like a tax company or something like this it's a traditional German company between 5 million and 500 million revenue year thanks and how do you I

mean when you follow news reports about cyber insurances and latest cybertek's yeah you probably also observe the trend that they are trying to call certain of those an act of war which would basically release them from their payments so if you take all the latest ransomware thing is like my petty and stuff they are actively pushing for act of war to not hey I believe they do that yes the end of war okay yes so I don't know but my question would more be I mean yeah what's your opinion to that so sorry cyber attacks as act of war those ones which one from my point of view a company if it's a private company and

the private company to do prevention did city also to make Chrisman a-feng add as a business or illegal business that it's business and it's not an act of war but that's my personal opinion here sorry can I quickly comment on that so I work for quite a large insurance company that also offers service security services and regarding the comment that some of the insurers are pulling this war or terrorism card it's quite of a misconception in the industry so when we talk about cases like not petia and Merck and whatever it's the property business interruption police's that don't want to pay out the business interruption caused by the cyber tech but all standalone cyber policies that

these companies had fully paid the limits so cyber insurance actually pays also in these cases those are just the disputes regarding the property policies that these companies have so it's business just the business that eruptive was not just it was a business interruption insurance okay good to know sir okay thank you you also want to finish today after a long long session and a long day of presentations