An interview with Dhiba Daniel
D
hiba Daniel is the Divisional Manager, Risk – Public Sector JLT Australia. She works as a cyber security risk profiling specialist and thought leader and has 20 years’ experience in risk management, risk culture, governance, business continuity, workplace health and safety, systems auditing, anti-money laundering and regulatory compliance. Dhiba also has several years of direct experience working with Boards and Executive management in areas such as strategic risk profiling and risk culture. This interview looks at Dhiba’s career and examines some of the issues Australian business are facing in relation to cyber insurance. ACSM: Hi Dhiba, let’s start by telling our readers a little about yourself. When I started in risk management, as a Research Officer to the Risk Management department, it was exciting to have a mobile phone, with a handset in the car and email was just being introduced into the workplace. Now, as Jardine Lloyd Thompson’s (JLT’s) Divisional Manager – Risk (VIC & TAS) as part of JLT’s national (Risk) Consulting practice, I marvel, as the ever-changing technology environment brings many new challenges and opportunities, one of them being cyber risk management. With 20 years' experience in risk management, what was it about cyber security that attracted you into this relatively emergent field? With the increasing interconnectivity and Internet of Things, as Risk Managers we need to practice what we preach and delve into emerging risks. What attracted me to the Cyber field is that it is an emerging risk. We know it will have significant impacts, however, what those impacts will be and how they will shape our lives in the future, is uncertain. I am keen to explore the opportunities and help others, such as our clients and our own organisation, to capitalise on those opportunities, whilst being aware of and managing the risks along the way. In what is predominantly a male dominated industry, what do you think can be done to attract more diversity into the future workforce? To attract more diversity into the future workforce I believe the following will assist:
44 | Australian Cyber Security Magazine
•
• •
Providing flexibility for everyone through flexible and practical work arrangements, which is significantly assisted by technology; Offering intelligent and interesting work; Creating a supportive and collaborative environment.
I believe this will enable us to take on the challenges together, which we will experience in this developing technology age and enjoy the rewards that it will also bring. I must say I am looking forward to driverless cars as I’ll be able to catch up on some sleep every now and again. In your opinion, what are the biggest challenges enterprises have when evaluating cyber insurance cover? The biggest challenge, in my view, that enterprises have is their understanding of emerging cyber risk exposures and the role of insurance. Some enterprises now have the view that: • A cyber-attack won’t happen to us, as we don’t have anything of value that others may want; • If we don’t hold credit card information or trade online we really have no exposure; • Cyber is an IT issue for the IT department to manage; • We have a high level of protection with secure IT networks, which are regularly tested and built to ‘best practice’ standards, thus we don’t need cyber insurance. There is also a poor level of understanding of what can be covered under a cyber insurance policy, and many clients still believe coverage only responds to breach of privacy and third party claims. Many don’t realise that consequential business interruption loss can be covered, or that policy triggers now extend beyond a malicious hack, to include human error and system failure. Perhaps the greatest benefit of a cyber insurance policy is the incident response service that most policies will provide, and many clients also don’t turn their minds to the practical elements and costs involved in dealing with the immediate effects of a cyber incident. Because of the above view, the broader business often does not wish to be involved in engaging in the cyber risk conversation with their Insurance broker and the Risk Advisory team. Thus, it is left to the IT department to quantify the business interruption loss or other reputational or business impacts. This offers a one-dimensional view of the cyber risk