Key Takeaways

S-RM: The 20-Second Download

“Fifteen years ago, there were two of us sitting across the dining room table, which was our desk in Mayfair,” said Heyrick Bond Gunning, CEO of S-RM, a global intelligence and cybersecurity consultancy. Established in 2005 and headquartered in London, the company now has approximately 250 employees across six international offices. S-RM’s clients include several of the world’s top investment banks, large corporate organisations across a range of sectors including Oil & Gas, fast-moving consumer goods companies (FMCGs), healthcare and education, as well as global law firms and private equity firms. “The focus really is providing due diligence, intelligence, disputes and investigation support alongside our cybersecurity advisory and cyber response services, which are really focused on breach response and ransomware negotiation.”

The Evolving Threat Landscape

In recent months, S-RM has seen the most activity in the utilities, critical national infrastructure, financial services, construction, education and healthcare sectors. Companies of all sizes are increasingly facing challenges around cyber ransom and cyber insurance, said Bond Gunning. “What we’ve got is the hackers just really exploiting the new normal of remote work,” said Bond Gunning, who also called out the steep increase in phishing attacks and ransom payments. The cyber insurance industry has been “absolutely hammered by ransomware attacks” and likely cannot sustain its current coverage:

“When you combine that with the fact that cyber insurance is probably not going to be available for a lot of this going forward… it’s going to result in a real shift in what companies need to be thinking about in terms of their cyber resilience.”

Going forward, companies may not be able to transfer this risk to insurance and thus will need to actively negotiate on ransoms. Additionally, GDPR remains a significant regulatory challenge for many companies. While relatively quiet in recent months, it is poised to resurge in the wake of recent, significant GDPR fines being rendered against companies including Amazon.

Mitigating Exposure

“I think a healthy way to look at it is… the three legs of the stool – the people, the processes and the technology, and not trying to rely on just one of those things because all three are super important in terms of trying to support the company and prevent them from having some form of cyber-attack,” said Bond Gunning.

He also highlighted the importance of understanding a board’s risk appetite and the risk of under-resourcing cyber security. “Too often, we see lots of money being spent on technology, but then there’s a really small IT team, and so they can’t respond to the threats because they haven’t got the resource.”

“There’s got to be an assumption that you’re going to have some form of breach at some point.”

Preparedness is key, he said, though many companies struggle to plan ahead for a future cyber-attack. “There’s a load of questions that can be thought about in advance but are really difficult to grapple with in the heat of the battle,” including an action plan for a ransomware attack, plans for ransomware payment, and even considering a Bitcoin facility – an increasingly likely need in a ransom situation.

Pressure on Insurers

Bond Gunning reiterated that the transfer of cyber risk to insurance will likely fade, and there are implications for all players in the cybersecurity space.

“There’s this constant arms race between those that are trying to defend companies and those who are trying to hack or attack them.”

This trend could also have regulatory implications. “There’s probably going to be some form of governmental regulation around paying ransom – i.e., you’re not allowed to or… you’re not allowed to insure against it, and so we’re going to end up with companies having to really focus on their cyber resilience.” As for GDPR, Bond Gunning expects it to re-emerge as a major topic for companies and in courts. “There’s been a false pause because of Covid, and I don’t think the regulators have had the appetite to put out some big fights.”

What’s Next for S-RM?

The company sees opportunities around the skills gap in the cybersecurity space. “What we’ve done is built our own internal academy to train people who are coming into the sector and that’s working really well as a way of developing talent and building resource,” said Bond Gunning.

Companies’ increased focus on cybersecurity and ransomware also presents a major business opportunity for S-RM. “One other area, I think, that we’ve just seen recently – even over the last month or so, is the appetite from the boards of companies to start really thinking about this seriously.” S-RM has conducted sessions for boards of listed companies and other established brands to help them start thinking about the key questions they need to consider relating to cybersecurity.


Questions? Connect with the Baird team at