Cyber! Cyber! Cyber! Is there really a risk?
February, 2016

Organisations need to understand the various points in an organisation’s strategy which are susceptible to cyber risk and transfer the risk accordingly, explains Scott Davies.

From sensational headlines to instructive seminars, there have been dire warnings about the financial cost, operational risks and potential damage to reputation posed by cyber risk. The threat is a challenge to organisations regardless of size or focus, with the potential for far-reaching consequences unless strategic steps are taken to mitigate exposures. In this hyper-connected world, no firm is safe; it is essential that companies identify, track and reduce their exposures, while considering risk transfer solutions that can complement their cyber defences.

Scope of Cyber threats

Cyber-related exposures are not simply limited to the geographic home of a company – companies can face attacks from hackers located anywhere. In fact, the biggest cyber attacks have tended to involve penetration from outside the country where the data or systems are situated. Recent attacks on banks in the Gulf Cooperation Council (GCC) affected outsourcing providers in India, while the perpetrators were based in countries outside the GCC.

Nevertheless, some clients continue to seek region-specific coverage. A recent example was a customer asking his insurance broker whether they would cover his company for hacking. “Yes, no problem at all. Which part of the world would you like to be covered from? Is it Chinese hackers you're concerned about or Russian hackers?” [1] Unfortunately, it is practically impossible to pinpoint the location of attackers. As such, policy coverage needs to be global in scope and supported by professional advice.

And attacks aren’t limited to online connections. Cyber criminals can rely on the curiosity of others to carry out attacks. One such example is leaving a USB stick to be innocently picked up and then connected to a network. The use of Bring Your Own Device (BYOD) in the workplace significantly increases such exposures and the likelihood of such attacks achieving success.

In response to the growing threat, Aon has developed the Aon Cyber Risk Diagnostic Tool, which helps clients to assess their exposures. According to findings from our diagnostic tool, 65 percent of companies allow BYOD, but only 28 percent ensure proper security and encryption of such devices – presenting potentially soft targets for cyber criminals.

The use of business processing outsourcers (BPOs) and cloud computing is also a concern. What measures are in place to ensure these companies and their data are secure? What contractual conditions are in place for such liabilities? Do BPOs or cloud providers have appropriate coverage, with a sufficient indemnity limit and broad enough coverage? These are questions that need to be asked, and your broker can provide advice regarding potential challenges.

Sectors at risk

All sectors that store data on a network are at risk from cyber attack. Ask any forensic IT expert and they will say it is not a matter of if, but when. Of course it may depend on the type or amount of data being stored, and the programmes and security in place, but every sector is exposed.

There are several sectors that are considered more at risk than others: healthcare, financial institutions, retail and manufacturing. What really needs to be considered is the significance of what a cyber breach would mean for your organisation. Consider, for example, a breach of systems that completely wipes all of the data and programmes used to run your business. Money and time will be spent rectifying, recollecting and reconstituting lost data; but how long can the business manage without its data and programmes?

Aon’s Cyber Diagnostic Tool found that 12 percent of respondents believe that only one hour’s downtime would be critical, with almost half of respondents stating that a critical failure would be felt within six hours. The average time needed to resolve the impact of a cyber attack, meanwhile, is rising, up from 32 days in 2013 to 45 days [2]. How many individuals or organisations have actually undertaken a business impact analysis that reflects these changing conditions? How many organisations have tried-and-tested business continuity and/or disaster recovery plans in place? These are all mechanisms that can reduce the impact of a cyber breach.

There has been a major increase in the number of financial institutions (FIs) purchasing cyber insurance in the GCC in recent years. FIs understand their exposures, and recognise that there is only so much that can be done from a risk mitigation perspective, even considering that the FI industry is one of the more advanced in terms of risk control. With strong security measures, including the encryption of portable devices, sign-on security for differing employee levels, and the FIs’ engagement in regular IT penetration tests, they are better positioned than most to cope with the threat. Many FIs buy comprehensive insurance policies to cover claims arising from their professional activities; nevertheless, many FIs recognise the need for additional risk transfer when it comes to cyber insurance.

Retailers and hoteliers are also a target for cyber breaches, particularly considering that personal details and credit information are handed over during check-in or in store. Many of the biggest breaches worldwide have involved retail outlets and the skimming of cards.

The implications of a cyber breach are far and wide. Costs include: forensics; understanding the cause of the breach; closing any open gateways; reconstituting data and programmes; third party claims; regulatory fines and penalties; business interruption; and cyber extortion, not to mention the adverse impact on your reputation. Boards of directors have been questioned when actions weren’t taken to assess and mitigate cyber risk.

A recent ground-breaking ruling by the Court of Appeal of England and Wales, which opens companies up to cyber liabilities associated with “potential future harm” and “emotional pain and suffering”, has the potential to open new avenues of exposure, creating the possibility for claims for compensation without a true economic loss. Additionally, browser-generated information will now constitute personal data, and as such organisations worldwide will need to consider ever more closely how they use and store private information, and what risk management controls are in place to protect against costly litigation. How that affects the GCC, only time will tell, but if an organisation has European operations, this is something that needs to be considered.

How does Cyber risk management work?

It may not be possible to fully protect an organisation, but risk managers, information technology executives, as well as board and senior executives, need to undertake a number of strategies. Organisations should understand their cyber risks, identify the critical operational points that can be disrupted, know what controls are in place to manage these risks, and determine the financial consequences of a cyber breach.

Aon recommends assistance before and after any cyber breach. Knowledge in advance of the potential financial consequences of cyber risks, including security breaches, theft of confidential and proprietary data, and systems disruptions, can differentiate critical and non-critical risk. Assistance prior to an event enables risk transfer and mitigation measures to be implemented. Obtaining expert assistance following an event helps ensure that investigations are conducted suitably, that losses are accurately quantified, and that full recovery is obtained from any available insurance coverage.

If you consider a vehicle – motor insurance is almost always purchased, but that doesn't mean the vehicle is not serviced or maintained. Aon would advise that even if cyber insurance is purchased, the organisation should continue to manage its cyber risk. Aon has built mechanisms into insurance policies that provide risk advice on how to improve systems and procedures.

How to implement a risk management programme?

Privacy, security, and cyber crime are enterprise risk issues that require active oversight by boards and senior executives. Today, cyber breaches are increasingly sophisticated, and the wide scope of these risks can no longer be managed solely by IT. Organisations face a high risk of theft or misuse of corporate data, lawsuits, reputational damage, and increased fines and investigations.

Serious consideration should be given to managing the digital risks that threaten an organisation’s reputation as well as its operational and financial goals. Seeking external specialist analysis, reporting on complicated technical and IT data, and converting this information into decision-making intelligence is of great importance. Periodic board and executive briefings, trusted advisory incident management, and enterprise cyber risk assessments should all also be undertaken.

Closing remarks

While proactive measures to mitigate risk can be costly and time-consuming, they are far less demanding than the consequences of a serious cyber breach. Having a robust, well-documented programme to monitor cyber risks may provide favourable evidence of an organisation’s efforts to protect its systems, thus reducing liability should an incident occur. Organisations also need to conduct risk assessments for third-party providers and, depending on the type of data being shared, take additional steps to prevent security breaches.

Insurance specifically designed to cover the unique exposures of data privacy and security can act as a backstop to protect a business from the financial harm resulting from a breach. While some categories of loss might be covered under standard policies, gaps often exist. This is because cyber events have the ability to impact numerous lines of insurance. Risk managers should work with their insurance brokers to analyse such policies and determine exactly how their coverage will perform.


1. Warning: Cyber Insurance Policies Have Their Own Vulnerabilities, Publication Date 04/20/2015, Source: American Banker

2. http://www.aon.com/2015GlobalRisk/attachments/2015-Global-Risk-Management-Report-230415.pdf

Aon Cyber Risk Diagnostic Tool: www.aoncyberdiagnostic.com

© 2021 ta’ameen Qatar, All rights reserved