Marta Schuh

Cyber Security Leaders - Marta Schuh, Director of Cyber Risk at Marsh Brasil

Marta Schuh is the Director of Cyber Risk at Marsh Brasil.

She holds a Bachelor of Business Degree from the University of the Arts London, a Degree in Finance from the Chartered Institute for Securities & Investments UK and is Certified in Economics of Cybersecurity by the Delft University of Technology.

In addition, Marta has specialized in Digital Law from Insper, Cybersecurity for Insurance from UCLA, Cyber Attacks from NYU Tandon School of Engineering, and Digital Disruption: Digital Transformation Strategies from Cambridge University.

How do you articulate the three-pronged approach of ‘people, processes and technology’?

For me, Cyber resilience is the union of four strategic pillars that involve Processes, Practices, Technology and Insurance. Therefore, we carry out a detailed analysis of our clients to understand the maturity of these pillars before we go into the underwriting process. It is important to note that technology is evolving and processes and tools need to be continuously evaluated or else they become obsolete.

Technology has changed the way business is done and, with increasingly sophisticated cyber attacks, cyber risks are a reality for companies. Therefore, companies need to have tools that are consistent with the evolution of cyber risks and also to have continuous training of people, awareness and adherence to best practices of organizations because Phishing is still one of the main vulnerabilities explored by hackers.

But even with all these apparatuses of Processes, Practices and Technology, companies can be victims of cyber attacks. Therefore, Insurance is a strategic pillar because it covers different needs in the face of a data leakage incident. It covers financial losses incurred to third parties, costs with legal fees, advertising agencies to minimize image damage, amounts in relation to fines and penalties, and also Business Interruption, among other covers.

Top management and CISOs should perceive Cyber Insurance as part of an integrated cyber security approach, as an additional and complementary strategy to adopted processes and technology tools. It is important to remember that most cybersecurity tools are preventative measures and companies need to consider what incident response measures and financial grounds they have in place in the unfortunate event of a security breach. This is where cyber insurance becomes a strategic option.

How do you convey to the board that – with regards to cyber security – you can minimize the risk but you are never going to be 100 percent secure?

As companies are increasingly dependent on technology in their operations, cyber risk has become a central pillar in C-level discussions. Whether for companies with large amounts of data such as retailers, technology companies, educational and healthcare institutions or industries that depend on automation to carry out their activities.

Given the incidents that have occurred recently around the world, in which companies from all segments were affected by cyber attacks, which resulted in significant losses, some companies have already appointed members of professional councils with the mission of bringing to the board an understanding of this growing concern, which should only increase.

Another important factor is that cyber risk is not restricted to the leakage of information and responsibilities linked to organs competent bodies. Risk is already seen as an operational risk that generates direct losses for organizations.

The entry of the LGPD in Brazil, as GDPR in EU did, among other regulatory actions, is another factor that has made this risk relevant to the executive agenda, and no longer restricted to IT managers.

How can security executives help the C-suite better understand cyber security?

At Marsh we have taken the time to educate our customers, who are unaware of the implications cyber risk has on their operations. We emphasize that the CISO must always be aligned with the business strategy and have the ability to translate cybersecurity jargon to the board. Barriers between business and security leadership are a common challenge to overcome, because security leaders often focus on the technical meaning of risk metrics, while business leaders focus on business impacts.

We realize that executives are often unaware of their cyber risk strategies. A recent survey by Marsh in partnership with Microsoft showed that 33% of the leaders have evaluated their financial impact in relation cyber risks, and 22% didn’t know if the company holds a cyber-policy.

It is a point of concern, given the growth of the incidents and discussions towards this type of risk, and is an almost permanent part of a global agenda as per our Global Risk Report 2021 (GRR 2021) produced in partnership with the World Economic Forum. Cyber risk management must be a priority for companies’ CISOs and CEOs.

What are the biggest challenges you face in the year ahead?

The Covid-19 pandemic and all its effects on intense technology adoption have added a great deal of complexity to an already complicated risk scenario. Companies will increasingly fall prey to cybercrime and ransomware attacks are likely to intensify. The frequency and severity of ransomware attacks is an important factor behind a substantial increase in the cost of obtaining cybersecurity insurance.

As a result of the higher frequency of cybercrime and the high accident rate, there is a global movement of insurers that have been more cautious in accepting risks, requesting more information, taking a longer time in relation to the subscription period and, consequently, the market has applied grievances compared to 2020 prices.

The cyber insurance market is currently driven by an imbalance of supply and demand that shows no signs of giving in any time soon. With that, the prices of insurance have already had readjustments of 20% to 50% this year, when compared to the values practiced last year. The values vary according to the contracted limit, industry and risk profile and the controls implemented to reduce severity as well particular client needs.

Faced with this scenario, it is even more essential that companies have tools that allow them to create access barriers to their systems, far beyond antivirus and firewalls. The use of MFA (Multi-Factor Authentication) tools to mitigate these threats, being in compliance with the LGPD regulation, and having other internal controls in place, including an incident response plan, are essential to achieving good negotiations with insurers at the time of policy negotiation of cyber insurance.

Digitalization is a double-edged sword, offering incredible benefits but also entailing serious risks. What are your thoughts on this inevitable development?

Digitization is essential and is a survival strategy for any company. Companies must appropriate all the benefits of technology to gain scale, gain new markets, develop products and conquer new consumers. But as digitization expands, it becomes more subject to cyber incidents. Therefore, it is necessary to highlight the importance of cybersecurity as a central pillar of cultural strategy.

With the increase in activity in the virtual environment, new regulations, there has also been an interest from cyber criminals to find new ways to explore different aspect of incidents not restricted to data leakage and liability but promoting loses in all economic segments. It is important to remember that this is a risk which is not possible to eliminate, but it is possible to manage by adopting risk management processes and cyber insurance policies.

How important is information sharing within the sector in order to keep abreast of new threats and cyber security best practices?

I believe companies need to work more closely together in sharing best practices of what is working in reducing cyber risk. This can help create a community in combating cybercrime and to strengthen against the growing risk.

In addition, this exchange of information supports decision making, minimizes the repetition of errors and can also reduce pressure on the companies’ time and financial resources and can even help regulators to help enterprises to be better prepared.

We know that cyber criminals exchange best practices between them on darkweb forums, so why not promote something similar throughout risk management perspectives?