Guernsey Finance Podcast

With renewed interest in cyber risk in both the public and private sectors the world over, Rob Dorey, Chief Executive Officer at Astaara - a Guernsey-based global marine insurance services provider - joins us to provide a better understanding of the situation and the importance of strengthened cyber security.


Brandon 0:05
Hello and welcome to the We Are Guernsey podcast, where we bring you interviews with leaders from the global finance industry, as well as news and developments from Guernsey's financial services sector. My name is Brandon Ashplant and I am Strategy and Technical Executive here at We Are Guernsey. For those not familiar with Guernsey, the island is a leading global finance centre. The success of the industry here is underpinned by economic substance, political stability and asset security, and we are committed to the cause of sustainable finance. To find out more about Guernsey's success in sustainable finance, tune into our sister podcast, the Guernsey Green Finance Podcast. Today we are discussing the strengthening of cybersecurity in an uncertain world, a world that sees global security increasingly under threat. We'll be touching on the current crisis in Ukraine, the dangers it could bring to cyberspace and how firms should not only be contingency planning for such an eventuality, but taking steps to prevent one. To discuss this I am delighted to be joined by Rob Dorey, Chief Executive Officer of Astaara, a global marine insurance services provider and a specialist in cyber insurance based here in Guernsey. So firstly, welcome Robert.

Robert 1:28
Thank you Brandon, an absolute pleasure to share some of our experience with you today.

Brandon 1:34
Brilliant. So Rob, firstly, just to introduce you to our listeners, tell us a bit about yourself, your career and why you chose Guernsey to establish Astaara.

Robert 1:48
So I started, like, I read law at university, focusing particularly on maritime and international law, and I was called to the bar of England and Wales. I didn't particularly enjoy that; I found that I was too far removed from the subject matter that most interested me, and that was shipping and how to solve problems once they arose, for example pollution or comparable such events. So I joined the Standard P&I Club as a claims executive to begin with. I was then moved into underwriting, dealing with the club's Italian and Greek membership, before then moving to be the offshore director dealing with upstream oil and gas mobile units, so drillers, offshore producers, offshore construction vessels, and the like. That then led me into developing a Lloyd's plan for the Standard Club, diversifying to Lloyd's. I was then appointed as an underwriter for a Lloyd's syndicate, handling, or rather portfolio managing, 14 classes of business by the time we decided to close the business. On closing the business, I decided that I had had enough of commuting on the Northern line in London. And I thought, actually, this would be a good opportunity to come back home to Guernsey and to contribute something to a vibrant community within the financial services market. So that led to Astaara being conceived in and around August 2019, and initiating our first inspection of our first client in July of last year. And so the question is, why Guernsey? Well, I'm born and bred in Guernsey. And actually, I think that I can contribute to the strength of Guernsey's offering in the financial services markets. And I'm very pleased to be able to have the opportunity to do that.

Brandon 3:46
And what is Astaara? Could you tell us a bit about the work you do?

Robert 3:51
Of course. So Astaara actually is the Persian name for the Greek word astrolabe, which was the first navigation instrument used by navigators in around about two, three hundred BC, to establish a location on the Earth's surface by reference to celestial bodies, and so it predates the sextant. Interestingly, the mathematics that were invented or discovered by the Greeks is still the mathematics that puts satellites into orbit, and we thought there was a nice circularity with the old and the new in the worlds of old fashioned navigation and new GPS and geolocation techniques. So Astaara is, in fact, an answer to three questions that I put to a sample in the maritime community a number of years ago. Those questions: do you buy cyber insurance? If you do, do you understand what it covers? And do you also understand what cyber risks and standards you need to meet as part of your regulatory obligations? Out of the 29 of the sample that I interviewed, 15 bought cyber, 14 did not. But none of the respondents could understand what cyber cover offered. And none of the sample were able to describe what cyber standards they were required to undertake, and that might even lead them to be insurable as a risk in the future. So actually, what we do is we have three strands to our business: we risk manage our target clients, i.e. we take them from a position of cyber immaturity and take them to a position of cyber maturity. If they are sufficiently robust as a cyber risk management proposition, then we have the opportunity to underwrite them with an MGA that's currently based in London. All the activities that we undertake generate significant amounts of data, so we do have a data analytics division, again, which is based in Guernsey, which we are seeking to expand and monetise later on this year.

Brandon 6:03
So getting straight into it. It's been said a lot over the last two years that we are living in uncertain times. But in geopolitical terms, we really are now, I think it's fair to say. We have heard from political analysts and the like that the post-Cold War world order that has prevailed since the collapse of the Soviet Union in 1991 is now being challenged more than ever. Can you explain how this impacts the work you're doing?

Robert 6:35
Yes, I think if I just step back one point from that, there are essentially three key drivers affecting the cyber world at the moment. I think one of them is increased digitisation: the more connected we become, the higher the risks that exist in terms of the cyber domain and its reach. And that's been fast-forwarded by COVID. As we know, remote working and more reliance on digital platforms creates a larger footprint, and in this particular context, the domain between home and the work environment. And particularly for us, as a sort of second point, the interface between operational technology and information technology is making particularly shipping, but other industrial processes too, particularly risky in terms of exposure to physical damage arising from a cyber incident. So digitisation is a major driver of the cyber risk profile. I think the second point I'd say is regulations. Regulations have been applied by, obviously, the Guernsey Financial Services Commission for financial services companies within Guernsey. Those regulations mean that all firms have to undertake to identify risks, to be able to protect their digital network, to be able to detect when there is a cyber incident, and then they need to be able to respond to that and restore their systems, basically, to normal operation as soon as practicable. So the position of regulations is really a very significant driver for people taking risk seriously. And all of these regulations are really in response to point number three, in terms of drivers affecting the cyber world, and that is, say, the global impact of cyber incidents over the last 10 years, which according to some American researchers cost trillions of economic loss to the global economy over that period of time. And these cyber attacks range from teenagers that are good with a laptop to those that are looking to fund crime through cyber extortion.
And then, sort of more seriously, those cyber incidents that are designed to generate funding for terrorist groups. And then the most severe probably being the state sponsored attacks, which generally focus on disrupting supply chains, but more often than not are actually focused on theft of intelligence or intellectual property. So there's a broad range of factors, really, which affect the cyber world. In particular, I think that the post-Cold War, post-Soviet Union environment hasn't really been a factor in its own right, other than that a significant amount of cyber incidents over the years have emanated from the Russian Federation. I think the only sort of comment that I would then add to supplement that is that everybody listening to this does need to know that all these risks are capable of management, actually, and that is a fundamental element of each company's ability to be able to survive a cyber incident, and to be able to continue to trade after they've been hit. So I think, in summary, regulatory standards are very much there to support the targeted industries, to make them a little bit more resilient and able to withstand a cyber event, and thus improve the reputation and standing, actually, of the sectors in the world environment.

Brandon 10:32
And I suppose on the back of that, given the many, you know, factors at play here, some may struggle to see the relevance of the current crisis and its impact on the corporate world more specifically. How has your work changed in the recent weeks or even days as a result of this unfolding crisis?

Robert 10:56
I think the linkage between Ukraine and businesses in the United Kingdom and more specifically, say, the Bailiwick of Guernsey, is really what is known as the drive-by shooting event, i.e. it's the proliferation of the cyber incident beyond the borders of the theatre where that attack took place. And there is some precedent for this. In 2017, the Russian government, and this is as attributed by the National Cyber Security Centre in the United Kingdom, secreted malware into the Ukrainian revenue ministry, such that a person loading cargo into the back of a truck trailer combination just outside of Kiev went to a local customs station, paid the duties, downloaded a PDF and sent that PDF to Copenhagen, to the head office of the A.P. Moller-Maersk shipping operation. Within 14 minutes of opening the PDF, 22,000 computers globally shut down. And that led to a very significant delay to the supply chain: ships were trading slower, ports were not able to identify the cargo that was to be loaded onto ships or discharged from ships. But more importantly, it didn't only hit A.P. Moller, it hit some very, very large companies: Mondelez, who make Toblerone; Merck, who are a pharmaceutical company in North America. And it was estimated that the NotPetya claim in 2017 caused up to 10 billion of economic damage globally. And actually, none of those companies were the actual intended target of the Russian intrusion into the Ukrainian revenue ministry. But it just goes to demonstrate that actually it's the digital connections that we all make through email or through services that we buy that all become vectors for vulnerabilities in any cyber incident. And we don't always know where those boundaries start and stop. So that is undoubtedly the significant risk, I think, really, for the global commercial community at the moment.

Brandon 13:16
So clearly, you are concerned that this escalation could transform into a global confrontation in cyberspace, by the sounds of things, and possibly directly between, I don't know, the world's major powers in a worst case scenario. Cyber warfare is not new, and we have heard much in the news media in the last few years of attacks against critical infrastructure and the spread of misinformation. Can you tell us how this crisis could look if it spread into cyberspace, in a sort of worst case scenario?

Robert 13:48
I've discussed this with my cyber professional colleagues within Astaara, and I think they feel that there's unlikely to be a global cyber war, as I think we might imagine that to be. In practice, war, as an act, is about the confiscation, expropriation, nationalisation, deprivation of property or territory belonging to another state, typically. And that does tend to require, you know, physical force to achieve that. Cyber is very much a tool that can help degrade infrastructure to enhance the physical effects of a war. And I think what we would be concerned about is that if the Ukrainian resistance remains strong, Russia will need to deploy greater and more significant resources, which will almost certainly require more cyber attacks alongside its full ground operations. And as a result, I think we could see that there is a proliferation of cyber consequences to an increase in activity in Ukraine. I mean, I had mentioned NotPetya. Another example recently was the Colonial Pipeline event on the east coast of the United States. Essentially, a pipeline was rendered inoperable, causing fuel stock shortages up and down the East Coast, and very nearly some civil unrest. And I think the point around that is that it's very easy for local events to go global very quickly. And really, that is the issue that we all face.

Brandon 15:33
I mean, cyberattacks and hacks have taken place between nation states and state actors, as you alluded to earlier, but much more, as you say, as a tool, as a means to an end, if you like. But there is a genuine business risk involved too, from nation states as well as individual attackers against organisations, as you mentioned. Could you tell us a bit more about the risks posed to businesses more specifically?

Robert 16:01
Yes, so these events have demonstrated that: poor patching. So in the case of NotPetya, if people were operating, for example, Windows 10 rather than Windows 7, if you were operating Windows 10 you would not have been vulnerable to the NotPetya event; if you were operating Windows 7 or earlier, you were vulnerable to NotPetya. So patching and the use of up to date security technology is fundamental to that. I think there is a significant risk of ransomware that arises from this. So if your business systems or your IT systems are seized or no longer operable, you may get a demand for money as the cost of reinstating your system, and that has a cost in and of itself and is capable of insurance. But there are very, very, very strict conditions about the circumstances in which ransomware can be paid. But actually the real costs for a company are how much does it cost to reinstate systems that have been compromised. In 2017, the average cost of reconfiguring a computer that had been contaminated, and they use that expression, was around about four and a half thousand dollars per computer; it'd be fair to say there's been some inflation since then. How long does it take to restore your system from an off-site backup? Maybe this is leading to your losing customers or being unable to generate income because the platform by which you operate, that gives you revenue, is no longer working. So there are very, very practical consequences to these events. Not least of all, on the more sophisticated state sponsored events, if they are looking to take intellectual property and or client information, the consequences of GDPR breaches are very, very significant, up to 4% of global turnover, on top of all the additional costs that a company may be faced with in responding to a cyber incident. So it is an expensive activity. And the average global cost of a transport related cyber claim is estimated to be around about $3.9 million per event.
And that's not including a ransomware cost. It's a little bit more for financial services, and more again, even more, for health care and defence industries. So there is a sort of sliding scale of exposure in that space.

Brandon 18:50
And I imagine that much of this is not mutually exclusive, in the sense that much critical infrastructure is often in the hands of private sector firms, in many cases. To give an example, you gave some earlier, but just to give another: just before the military invasion, we've seen several Ukrainian ministries and state banks report cyber attacks against them, and also private firms that they contract with, which is particularly concerning when more than 100 Fortune 500 companies use Ukrainian IT service providers. Turning to the crisis we see today, could you explain what you are seeing? And have you seen a similar situation unfold?

Robert 19:34
We are certainly aware of immediate reports of cyber events underway in Ukraine, although they appear to be of a lower scale than, say, NotPetya in 2017, at the current time. Cybersecurity professionals regard the NotPetya events, and, you might have heard of SolarWinds, which was when malware was inserted into a subcontractor of SolarWinds, which was an IT service provider, particularly to security companies, where the attackers actually went in to the supplier of services to these IT companies, or these IT services, and actually the Colonial Pipeline as well, as all being dry runs for more targeted, more damaging events, i.e. the Russian Federation is using those events to test the technology and vulnerability of their potential victims. And it's fair to say, if they can disable Ukrainian tech, and you are a company that uses Ukrainian tech, you would need to pay very significant attention to what the consequences are of that service or provision of services not being available, or actually potentially being a victim of a cyber incident in your own company. And actually, it's not limited to Ukrainian tech firms, far from it; it's anybody with whom you have particular dependencies for the operation of your business. I think actually it's fundamental to reflect that this reinforces the need for all firms to spend as much time and effort on restoration planning, running drills, desktop exercises, training, segregating systems, segregating backups, so that you can put yourself in a position where you can come back and restore your business after it's fallen down to an event that may or may not have been anticipated before. Something that is referred to within the cyber industry as a zero-day attack is the first time that a particular vulnerability has been exploited using particular techniques that have been unknown to the cyber world before. So you can't prevent all attacks.
But you certainly can respond to all of them with the right kind of management response.

Brandon 22:09
Now, of course, we definitely don't want to compromise any of your clients' or prospective clients' security. But what have you seen in the last few days, and what have your clients seen in the last few days?

Robert 22:26
I think it's a very broad range of questions. I would say probably the more common question is, how can we evidence the level of maturity that we are currently operating at in our own cyber journey? The evidence, of course, is fundamental to demonstrating to company stakeholders, i.e. clients, employees, the board, shareholders, that the executive management is discharging its duties as required by law. I think alongside that, we certainly would see that there has been an uptick in related cyber services, for example an increase in pentesting, people trying to find out where the soft spots are within the cyber defences, and also probably an uptick in the number of inquiries about testing people's business continuity planning. I think those are probably the biggest thematic questions we've received.

Brandon 23:28
Sure, and again, not to compromise client security, but what measures have you been taking yourselves, but also, what have you been advising your clients to do more specifically, themselves?

Robert 23:45
Well, we've provided around 100 firms around the world with some guidance that we feel is prudent for all companies to undertake. So it doesn't matter whether you're a shipping company or a port, or an offshore contractor, or a trust company or a bank, or even a private individual: actually, the key is to make sure that patching is up to date, patch more frequently than perhaps your company policy would otherwise mandate, test your backups, implement multi-factor authentication. All these things are just making it a little bit more difficult for somebody to break through your internet perimeter. I think we would also advise larger, more complex companies that have digital trading platforms that it might be prudent to downgrade those platforms in favour of enhanced security. Now that's not for everybody, but that might be for a couple of particularly large companies where actually online trading might be safer if the usability of those services is locked down a fraction. So again, all of this is about making sure that it's more difficult to be hit in the event of a cyber incident. And they should, in all cases, test off-site backups, test how well you can restore your system from your cloud or from an off-site server, because actually, it's only when you test these things that you understand whether or not they actually work. The whole point of demonstrating to your key stakeholders that you're on top of the situation is that you can evidence that you have tested these things. So although it's very much common sense, a lot of it is what we would call the easier cyber activities, it's probably worth observing that nearly 90% of all cyber incidents are derived through human error. So it's people not doing things that they were meant to be doing, or people pressing on attachments which they know to be suspicious, but do it anyway.
Those attachments which are suspicious almost certainly have some kind of malware embedded in them, which is triggered when they are opened. And this is essentially allowing a silence, or cyber silence, into your business in a very easy way. So actually, the easiest and most significant improvements that you can derive are all around leadership, culture and training. Remember that people are the most important thing in your business. And they're also your first line of defence as well. Interesting.

Brandon 26:49
Something we often talk about on this podcast is the stability and security that Guernsey offers. Just as the island continued operating business as usual during the COVID pandemic, we see this continuing throughout this crisis, I think. How do you think local finance firms, sort of irrespective of the sector that they operate in, should be reacting to this situation that we are seeing unfold?

Robert 27:16
Take the advice that is offered, I would simply say in response to that. I mean, the cheapest thing you can do is a desktop exercise, and that really is the kind of thing that would give leaders of businesses assurance that the culture is at the right level and that everybody's really primed to operate in a defensive posture when it comes to IT security at the current time. Again, it's the people that are the most important thing.

Brandon 27:55
And it might be a similar sort of answer, but what advice would you give to managing directors and chief executives who are concerned about this situation, or similar situations to this one?

Robert 28:11
I would say, make sure you have got your business continuity plan really well embedded within your company. So know what to do and who to call when things go wrong. Have that network of support primed, on the basis that at some point you will fall over, and you need to know what you're going to do when it happens.

Brandon 28:36
And what happens if a cyber attack has occurred, or a firm thinks that a breach has taken place?

Robert 28:43
I think it is: identify with your managed service provider or your IT team where this incident has occurred, and as soon as possible isolate it and prevent it from proliferating within your digital domain. Call your incident responders as identified in your insurance policy, if you buy insurance; otherwise, identify a cyber professional and their services and bring them in. And alongside all of that, implement your business continuity plan, because in the end, if you have sort of pre-planned all these playbooks around cyber risk scenarios, you should be well positioned actually to respond well. It's probably worth saying that the stronger your incident response within the first three hours, the greater the saving of costs, and the less likelihood of delay to your business operations. So timely involvement and implementation of your BCP, I think, is key. If money is exfiltrated, or thought to have been exfiltrated, from your business, get in touch with your bank as soon as possible. Every second does count. The banking system does have the ability to identify suspicious payments; however, you can't rely on the banking system to do that job for you. It's very much critical that they know that there is a suspicious payment out there, and then they can take more focused steps to make sure that that money doesn't get into the wrong hands.

Brandon 30:25
And turning back to sort of Astaara and the work that you do, how important is cyber insurance as part of your business risk assessment? And what should people be looking for in a cyber insurance policy?

Robert 30:38
We'll quickly deal with your first question. I mean, cyber insurance is only possible if there is a risk management discipline within a company, i.e. the identify, protect, detect, respond, recover framework is living and breathing and culturally embedded within a company. So cyber insurance is a consequence of good cyber risk management, or actually enterprise risk management. This is one of the things that all firms have to engage in. In terms of what people should be looking for in a cyber insurance policy: with a very high likelihood that a cyber incident claim in the next days or potentially months is likely to be collateral damage from what's going on in Ukraine, you should be asking your broker, are war risks or terror risks included in my insurance policy, my cyber insurance policy? There is a big difference between cyber insurance policies that cover terror in particular, i.e. the acts of state sponsored activities, and those that do not. And a lot of people don't trust cyber insurance, because actually a lot of cyber insurance policies don't cover the terror elements, which is state sponsored cyber incidents. It is notoriously difficult to attribute causation to a cyber incident. Attribution is: where did it come from, and what was the motive? You normally need state security service capability to identify where cyber incidents originated. We certainly have experience of shipping companies that have been the subject of a state sponsored attack, and essentially the claim was attributed to the Chinese military intelligence building in Shanghai, to two particular terminals. And interestingly, in that particular case, that meant the claim under their insurance policy was not payable, because they didn't have the right kind of insurance cover.
So it really is important that if you're going to buy cyber insurance, you buy the right policy, and you test with your broker that it is adequate for the purposes that you require.

Brandon 33:19
Your company also looks specifically at cyber risk for the marine industry. You have touched on some examples, shipping and the marine industry more broadly. This is pretty niche and unexplored in many ways, I think. What are some of the key cyber risks for the marine industry?

Robert 33:36
In essence, it's a regulatory requirement of shipping to engage in cyber risk management standards not wholly dissimilar to those that apply to financial firms in Guernsey. And what that means is that if a ship goes into the United States, for example, and a state inspector goes on board and they find passwords taped to laptop screens, then that will initiate a deep dive into the cybersecurity profile of that owner, and in a worst case scenario that could lead to the expulsion of a ship from the United States jurisdiction. It is certainly the case that the Maritime and Coastguard Agency in the UK and the European Coast Guard are taking a similar approach to cyber on board ships; nobody is prepared to accept a ship coming into their jurisdiction and being the originator of a cyber incident across the maritime infrastructure of that particular country. So I think that's one issue. I think the second thing is cyber is now woven into the definition of seaworthiness. So what that means is that it's part of a ship's ticket to trade around the world. It can have implications on the operation of insurance, so ship owners may find that the traditional ship owners' insurances may not respond, because it's a warranty under those policies. I think thirdly, practically, a cyber incident is likely to cause delay to a ship trading. There are 18 crew, by and large, on these big commercial ships, and they're not likely to give up the operation of their ship just because a cyber incident is going on, if, you know, they lose confidence that the rudder angle monitor is giving the right answer, or equally that perhaps the GPS may not be giving the right location. But then all ship owners should be using alternative methods of navigation, paper charts, using clocks, which are not vulnerable to digital interference. And they should be in a position where they can manage the safe navigation of a ship without relying on digital systems.
So resilience is a very key part of all of that. But delay: I think ships would slow down if they felt that their position was uncertain, or that the engine revs were, say, running too high. And it just makes each ship a little bit vulnerable to degraded resilience, because if they go to deploy two or three crew members to look at other systems manually, which they would normally run digitally, then that means there's a little less resilience to deal with other things that go wrong on board a ship. So I think those are the principal risks. Nobody seriously believes that it's possible to take over a ship remotely. It is spectacularly difficult to do that and statistically nearly impossible.

Brandon 36:51
Okay, well, thanks for your time today. It's been a really interesting chat. Just before we finish, we understand that you've been doing some research into the current crisis. What are some of the key findings that have stood out for you?

Robert 37:06
Yeah, over a period of a year we've been undertaking vulnerability assessments on a sample of financial firms in Guernsey, the Cayman Islands and Malta. Of course, Guernsey implemented cyber regulations on, I think it was, the ninth of November last year. And pleasingly, Guernsey seems to be doing quite well in reducing the number of critical vulnerabilities that these firms have, and it is quite clear that people have been taking those cyber rules and regulations quite seriously. It compares favourably to Cayman, which had been implementing cyber laws at least a year earlier than Guernsey did, and seems to be a little bit further behind. And both those jurisdictions were some way in advance of Malta, actually, which has yet to legislate for these things. So I think it is a good news story for Guernsey. And well done to the Guernsey financial services sector for taking these things seriously. Clearly, there's always more work to be done. Nobody's perfect. And the ongoing need to have continuous improvement is no less important in cyber than it is for any other element of the operation of a financial services business.

Brandon 38:28
Okay, well, thanks Rob for your time today.

Robert 38:33
An absolute pleasure, Brandon, and thank you, We Are Guernsey, for the opportunity to share some of our experience.

Brandon 38:39
Yeah, it was a really fascinating and timely discussion, I think. Thanks for sharing your advice to businesses looking to bolster their cybersecurity. And thanks also to you for listening. If you enjoyed this discussion, we have a backlog of interviews and panel discussions on the We Are Guernsey podcast channel; you can check them out by searching for We Are Guernsey on your preferred podcast platform. To find out more about Guernsey and its specialist financial services sector, head over to our website at www.areguernsey.com. We also have links to Rob and Astaara's social media in our show notes, so check these out to hear more from them. I would also like to end this podcast by stating that our heartfelt sympathy goes to those caught up in the conflict in Ukraine. Guernsey Finance is fully engaged and aligned with the States of Guernsey and the Guernsey Financial Services Commission on its stance in relation to the current situation. Guernsey also continues to be a major proponent in the fight against money laundering, and is an international leader in the provision of material substance. The island is working closely with the UK and other international authorities to ensure we remain at the forefront of global standards and a force for global good. Thank you for listening, and for now it's goodbye from Guernsey.

Transcribed by https://otter.ai