Harnessing national defence skills for cyber insurance excellence, and how real-world experience enables a holistic approach – a Q&A with Cyber Analyst, Christopher Norwood
Understanding the cause and nature of cyber perils is critical to staying on top of the significant risk which fast-evolving technology presents in today’s world, according to Chaucer’s Cyber Analyst, Christopher Norwood.
This requires real-world experience and a deep knowledge of the risk landscape, plus the ability to translate these skills into practical advice and operations management.
Christopher has all three, having served as a Royal Engineer in the British Army and then moved into the private sector with cyber security consultants S-RM as a crisis response and proactive solutions specialist.
Christopher joined Chaucer in mid-2024. We spoke to him about his first six months and his role in developing Chaucer’s Cyber Centre of Excellence.
I’m fascinated by people. That might seem contradictory for someone working in cyber insurance, but a large part of understanding threats and risks is about understanding humans and what drives them.
My move into insurance has been driven by the desire to improve cyber security outcomes in a different industry. It’s the same kind of public service mentality which drove me to join the Army, but in business you can support progress at the price point of a premium.
In the Armed Forces, teamwork is critical to achieve the desired intent; nothing can be done on your own. This makes you an expert collaborator, and you become extremely good at spotting threats, training others and managing crises when they arise.
This need to educate, collaborate and improve resilience is highly transferable across nearly every industry you can think of, but is particularly relevant for industries such as Energy, Manufacturing, and Logistics which have an increasingly important role to play in national resilience.
In many industries, clients have a vast supply chain ecosystem and usually their products and services are used by huge numbers of the public, which significantly increases the potential impact of a cyber event.
The better data we have and the more focussed our underwriting is, the more we can help clients understand and transfer their risk, improving outcomes for everyone.
Broadly, my role is twofold. Firstly, by leading the Cyber Centre of Excellence, I provide first line support to our cyber underwriters to ensure deep understanding of cyber risk. I’m also upskilling cybersecurity knowledge across the company.
This means supporting our underwriters as they focus on what counts in risk assessment, as well as developing tools and training to use automation effectively.
We are keen to ensure that our underwriters continue to think critically and treat each risk on its own merit, but equally we see opportunity in honing our data capture and analysis, including with the use of AI, to improve efficiencies in making good decisions faster. This includes crafting our proposal forms and training algorithms to better understand cyber risk profiles, which are complex.
Secondly, my role is also focussed on differentiation of our product offering.
For example, working with our claims team to build a first-in-class panel of incident response capabilities for our insureds. I also assess vendors’ technology capabilities to gauge whether their product can do something more effectively and/or efficiently than a solution we might develop in-house. In addition, I’m putting together broker events and material, including a Broker Breakfast in February with a third-party expert on AI.
The continued utilisation of machine learning by criminal groups will enhance their ability to target vulnerabilities more rapidly and across a broader spread of potential victims. Defenders must keep up with the capabilities of AI to understand the constantly evolving threat and risk landscape.
Quantum computing developments will also produce cyber risks. Quantum computers’ ability to process huge amounts of information simultaneously could allow them to solve complex mathematical problems that are onerously time-consuming for classical computers. Utilising this, cryptographic algorithms could feasibly be broken in minutes, allowing data that should be protected to be read and altered.
There is an apt proverb from military strategist Sun Tzu which summarises this: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”
If a company intimately understands its digital environment, where its weaknesses lie, and where resources can be focussed most effectively to reinforce them, then half the battle is won.
In our underwriting approach, we work to understand the extent to which clients are collecting security telemetry from firewalls, endpoint detection and response systems etc., but more importantly, how they protect and derive insights from this data. Positive action on this front can make a big difference to risk mitigation – and potentially insurance costs.