Breakfast Briefing on Cyber Security: How to Mitigate the Growing Digital Risks & Hazards

January 22, 2024

The British Egyptian Business Association (BEBA) organised a panel discussion on “Cyber Security: How to Mitigate the Growing Digital Risks & Hazards” on January 22nd. The panel included the following speakers, Mohamed Moustafa Abdelrassoul, CEO and Managing Director, Orient Insurance, Ahmed Ali Abdel-Hafez, Vice President for Cyber Security Affairs, NTRA Egypt, Walid Auf, Vice Chairman, Medmark Insurance Brokerage, Thomas Cook, Regional Associate Director of Cyber Middle East & Africa, Howden Insurance Brokers Limited, Samah Khamis, Head of Cyber Security & Tech. Strategy, Vodafone Egypt, Omar Shawki, Partner, Mazars-Mostafa Shawki

The session was moderated by Karim Refaat, Chairman, N Gage Consulting, Maged Ezzeldeen, Country Senior Partner & Deals Leader PWC and member of the board of BEBA, warmly greeted the attendees and guests, which included H.E. Kim Yonghyon, the Ambassador of the Republic of Korea in Cairo, as well as senior diplomatic representatives from the embassies of Turkey and Greece in Cairo, and highlighted the significance of the chosen topic. And then he gave the floor to Refaat, who connected the cybersecurity discussion to the challenges faced during the COVID-19 pandemic, where the need for digitization exposed vulnerabilities. He cited alarming statistics, such as the World Economic Forum’s projection of cybercrime costing over 10 trillion U.S. dollars in the coming years and a 180% increase in cyberattacks in recent times.

Refaat emphasized the dual nature of cybersecurity as both a potential danger and a substantial opportunity for businesses. He urged a comprehensive exploration of the subject, including regulatory and policy aspects, technicalities, and potential benefits for companies seeking protection. Refaat’s speech set the stage for a thorough examination of cybersecurity challenges and opportunities, with the hope of delivering informative insights and solutions during the event.

Refaat turned the spotlight to Dr. Ahmed Abdel-hafez, Vice President of Cybersecurity Affairs at NTRA Egypt, urging him to shed light on the role of the Supreme Council and the efforts taken to secure the nation. Ahmed Abdel-hafez began by explaining the National Competition 100, emphasizing its various divisions that collaborate with the government sector to ensure proper protection. He highlighted the Council’s responsibility in critical incidents, particularly those impacting essential infrastructure. Abdel-hafez discussed the coordination with businesses, alerting Egyptian clients, and providing technical reports for individuals to navigate such incidents.

He shared insights into the national cybersecurity ranking, explaining a significant improvement from #87 to #30 out of 100 within two years. Abdel-hafez emphasized the global challenge, underscoring the importance of technical assistance and collaboration with cybersecurity experts. He pointed out that over 90% of incidents stem from people’s lack of awareness, stressing the need for capacity building to address this issue.

Abdel-hafez disclosed ongoing efforts, stating that the nation has implemented a comprehensive five-year cybersecurity strategy spanning from 2023 to 2027. The primary objective is to safeguard organizations from potential threats, illustrating a proactive approach to strengthening cybersecurity and protecting national assets.

Refaat expressed his gratitude for the enlightening information, noting that many in the room, including himself, were unaware of the extensive efforts at the Egyptian level in terms of cybersecurity. He then shifted the focus to Omar Shawki, Partner Mazars, acknowledging the company’s reputation in audit and tax services. Refaat commended Mazars for venturing into consulting and digital transformation, a move aligned with the global trend urging businesses to digitize. He sought to understand how Mazars adapt its consulting services with the need for digital security, especially when handling sensitive information such as financial statements, share prices, and business plans. Refaat was keen to explore Mazars’ approach in managing cybersecurity concerns for its clients in this evolving digital landscape.

Shawki responded by emphasizing the significance of digital transformation, particularly in the context of cybersecurity. He acknowledged the accelerated shift toward digitalization, fueled in part by the challenges presented during the COVID-19 pandemic. Shawki highlighted the government’s role in encouraging businesses to digitize their processes, which, while beneficial, also introduced additional costs and cybersecurity risks associated with the implementation of new software and hardware.

Shawki drew attention to the specific challenges posed by initiatives like the electronic invoice platform, which has now onboarded close to half a million companies. This rush of businesses onto the platform, some of which may not be well-versed in securing their processes on digital platforms, introduces significant cybersecurity risks. He emphasized the spread of smart devices and the potential vulnerabilities associated with any device having an IP address, making them susceptible to unauthorized access.

To assist clients in navigating these challenges, Shawki explained that Mazars focuses on assessing and implementing proper processes to mitigate cybersecurity risks throughout the entire risk cycle. He also touched upon the growing importance of cyber insurance in mitigating potential damages. Shawki mentioned that Mazars works with clients to help them understand and implement the necessary processes required by cyber insurance companies, ultimately aiming to minimize premiums by demonstrating effective data and client data protection measures.

Moreover, Refaat directed a question to Thomas Cook, the Regional Associate Director of Cyber for the Middle East & Africa at Howden Insurance Brokers Limited, inquiring about the awareness and acceptance of cyber insurance among people. He was keen to understand if there was resistance or if people recognized the necessity of cyber insurance. Thomas Cook responded by emphasizing that the initial concern often revolves around cost, with clients frequently asking about the financial implications.

Cook explained that cyber insurance is typically evaluated based on three metrics: revenue, personal identifiable information stored, and the company’s cybersecurity controls. Revenue is crucial for assessing business interruption costs associated with cyber insurance policies. He noted a shift in recent years, post-COVID, where more sectors beyond banks and financial institutions are recognizing the need for self-insurance against cyber threats. Industries such as retail, manufacturing, and aviation are increasingly seeking cyber insurance due to the heightened awareness of cyber-attacks, both globally and in specific regions.

One challenge Cook highlighted, especially in the Middle East and Africa, is the lack of information about claims compared to European countries with GDPR regulations. He emphasized the importance of understanding and mitigating potential exposures, not just focusing on defence but also considering offensive strategies.

Cook shared an illustrative example of a client’s experience with a cyber-attack and emphasized the significance of keeping it simple. He recounted a situation where a client, despite having cyber insurance, faced difficulties during a cyber-attack because they couldn’t access the necessary policy documents online. Cook advised clients to adopt both defensive and offensive measures, acknowledging that even companies with top-tier security controls globally can experience cyber-attacks. He stressed the importance of knowing how to navigate such situations to minimize costs and effectively respond to cyber threats.

Refaat turned to Walid Auf, Vice Chairman at Medmark Insurance Brokerage, a prominent player in the insurance industry, seeking insights into the recent increase in cyber attacks and its impact on the demand for cybersecurity insurance. Refaat specifically asked if the rise in attacks has led to a corresponding increase in the solicitation of cybersecurity insurance or if there is still hesitancy among people.

Walid Auf responded by delving into the psychology and dynamics of cybercrimes, emphasizing three key elements that influence criminal behavior: motivation, capacity, and vulnerability. He explained that criminals need a high motivation, perceiving themselves as smart, and assessing the vulnerability of their targets. Auf

identified money as a primary motivation, noting the shift from traditional branches to online platforms, where more money resides.

Auf highlighted the growing motivation in the digital world, citing the historic peak of the S&P 500 IT index as an indication of increasing financial incentives for cybercriminals. He pointed out that hackers possess similar skills to developers, emphasizing the constant struggle between good and evil in the digital realm.

The third element, vulnerability, is crucial, especially in developing regions like Egypt. Auf underscored that a lack of awareness, both among individuals and entities, increases vulnerability to cyber attacks. He acknowledged the frequent occurrence of attacks and mentioned that the success rates are evolving, leaving room for improvement in cybersecurity awareness.

Auf then addressed the state of awareness in the Egyptian market, noting that the country is still in the early stages of the cybersecurity journey. He stressed the importance of collective efforts from cybersecurity experts, the state, market players, and cybersecurity insurance experts in building awareness and mitigating the risks associated with cyber threats.

Refaat addressed Mohamed Abdelrassoul, CEO and Managing Director at Orient Insurance, focusing on the unique services and offerings his company provides in terms of cybersecurity insurance.

Abdelrassoul clarified that cyber insurance is, in fact, quite affordable for medium-sized and large corporations. He explained that premiums are based on the information provided, and the more comprehensive the information, the better the premium offered. However, he stressed the importance of ensuring that the information is satisfactory and aligned with security measures.

He highlighted the principle in insurance that clients need to take precautions and security measures as if they are not insured. Abdelrassoul then outlined the specific covers provided by cyber insurance, such as coverage for security and privacy breaches, multimedia activities, cyber extortion, reputational risks, and compliance penalties. He explained that the insurance also covers business and network interruption following a cyber attack, including the associated working expenses and profits during the closure period.

Abdelrassoul pointed out that cyber insurance is not only for large businesses but is also crucial for SMEs, noting that 50% of cyber attacks globally target small and medium-sized enterprises. He emphasized the role of insurance brokers in guiding clients on the appropriate coverage, providing risk management advice, and offering tips on employee training to mitigate risks like phishing.

Furthermore, Refaat directed the next question to Samah Khamis, Head of Cyber Security & Tech. Strategy at Vodafone Egypt, expressing the significance of the company’s role in people’s lives, from phones to homes to enterprises. He inquired about the capabilities of cybersecurity protectors in Egypt, especially in the context of the discussion around making people more cybersecurity aware and protected.

Samah Khamis began by highlighting that technology companies, especially those heavily reliant on technology and digital platforms, face daily cyber attacks. She emphasized that to effectively mitigate and prevent these attacks, organizations must recognize cybersecurity as a top organizational risk. She discussed Vodafone’s cybersecurity strategy, which was initiated in 2017-2018, with a framework to secure their technology and services.

The COVID-19 pandemic increased the frequency of cyber attacks as more services became digital. Samah Khamis emphasized that being online is synonymous with being on Vodafone’s network, placing a responsibility on the company to protect customer transactions. She stressed that cybersecurity is an ongoing journey, requiring continuous efforts to build processes, systems, and skills.

While acknowledging the global scarcity of cybersecurity experts, Samah Khamis noted a positive trend in Egypt. Many engineering schools are now introducing cybersecurity and AI as majors, creating a pool of skilled professionals for the future. Samah Khamis expressed hope that these new generations would contribute valuable skills to the market.

Samah Khamis highlighted the importance of organizations acknowledging cybersecurity as a real risk, implementing the right processes and strategies, and investing in cybersecurity. She advised customers to explore their service providers, ensuring they can secure transactions for future business growth and safeguarding financial and personal information.

Additionally, Samah Khamis underscored the critical role of employee training and awareness, stating that 50% of attacks come from internal sources. She emphasized the need for strong passwords, secure practices, and prioritizing cybersecurity when developing new products. Samah Khamis concluded by emphasizing that it’s not a matter of if an organization will be attacked but how effectively they can mitigate, protect, and prevent further damage.

Refaat addressed the panellists with a question about whether the approach to encouraging cybersecurity measures should be through imposition or incentive. Abdel-Hafez advocated for a combination of both approaches. He emphasized the need to change the culture around technology use, highlighting that people are constantly connected through digital devices. Instead of strict enforcement, Ahmed suggested convincing individuals of the benefits of following cybersecurity instructions. He stressed the importance of making cybersecurity practices a cultural norm and convincing people that protecting their information is in their best interest. Ahmed concluded that a balance of imposition and convincing people of the benefits would lead to more effective cybersecurity measures.

Refaat posed a question to Thomas Cook, inquiring about the approach to cybersecurity measures and whether market sizing, share studies, or investment cost assessments had been conducted. Thomas Cook emphasized the importance of clients believing in the policy and understanding its coverage. He mentioned that clients who implement improvements in their cybersecurity posture can be rewarded with potential decreases in premiums. Additionally, he highlighted that certain insurance providers offer free access to cybersecurity improvements, such as penetration testing and one-on-one training with risk engineers.

Regarding market trends, Thomas mentioned a growing reliance on third-party vendors for checking the response of companies to cybersecurity incidents. He noted the introduction of tools like BitSight and Network Security Scorecard, which run external tests on companies to identify vulnerabilities. Thomas emphasized the need for clients to accept that achieving 100% security is challenging and that there are always ways to improve cybersecurity measures. He also highlighted the unique nature of cyber insurance compared to traditional insurance lines, as cyber attacks are not limited by space, time, or geography.

Refaat inquired about the technical expertise within the insurance business to explain and sell cyber insurance effectively. Walid responded by highlighting the presence of organizations with indicators and exceptional expertise in certain sectors. He also mentioned the possibility of compulsory cyber insurance for specific entities in the future. Walid emphasized the need for increased awareness and education, citing the current low level of awareness across organizations, especially SMEs, which are often targeted by cyberattacks. He acknowledged the importance of certification and capacity building within the insurance industry to provide effective cyber insurance solutions. Walid also noted the challenges related to insurance capacity and the importance of effective marketing strategies.

Samah Khamis highlighted the importance of collaboration in the cybersecurity space, emphasizing that it is an area where organizations should work together rather than compete. She mentioned the significance of addressing vulnerabilities collectively, as cyber threats impact all interconnected organizations. From a business perspective, Samah Khamis expressed the desire for a balanced approach with both regulatory measures (the stick) and supportive measures to encourage cybersecurity implementation. She emphasized the need for an adaptive framework that considers the size and influence of each organization, helping them grow and implement effective cyber controls.

Additionally, Shawki underscored the multifaceted approach required for effective cybersecurity within organizations. He outlines four key perspectives: prioritizing education to raise awareness among employees about potential cybersecurity risks; ensuring comprehensive visibility into digital assets; implementing continuous safeguarding through testing and audits to identify vulnerabilities; and preparing for effective detection and response to cyber threats. Shawki emphasizes the inevitability of cyber incidents, urging businesses to focus on proactive measures to detect, mitigate, and respond to potential security breaches.

Along with Mohamed Abdelrassoul highlighted the low awareness of insurance in the Egyptian market and suggested to introduce a compulsory element

for cyber insurance, particularly for key industries like banking and fintech. He emphasized the importance of framing insurance as a protective measure for digital assets, considering data as a valuable treasure for the future. Mohammed advocates for the adoption of compulsory cyber insurance to drive penetration, especially in challenging economic conditions.

Also, Walid Auf emphasizes the need for Egypt to set a strategy to retain and export talents in the field of computer science and technology. He suggested a collaborative effort between the state and industry to develop skills locally and efficiently export services. Samah Khamis sees the challenge in Egypt’s highly regulated market as an opportunity to build local skills and establish a center of excellence. Mohamed Abdelrassoul, representing the insurance sector, stressed on the importance of teaching the younger generation not only technology but also discipline. Thomas Cook mentions the increasing need for cybersecurity experts and highlights the importance of motivation beyond monetary incentives to retain skilled professionals in the country.

Lastly, during the Q&A session, an attendee raised the question of whether cybersecurity and cyber insurance complement each other. Thomas explained that they do complement each other, especially in the context of compliance with standards, and highlighted the rise of managed security services for SMEs. Another attendee from Suez Canal Bank raised concerns about the future impact of quantum computers on cybersecurity and suggested exploring collaborative business-to-business-to-customer (B2B2C) insurance models. Abdel-Hafez addressed the several computer issue, emphasizing ongoing efforts to develop post-quantum encryption algorithms. Cook acknowledged the feasibility of B2B2C insurance models, citing an example of a policy covering customers against various types of fraud.