Cyber: Facing a new Frontier of Risk
By Jason Kelly, Head of Liabilities and Financial Lines for Greater China, Australasia and S.Korea, AIG
The convenience of today’s increasingly connected world has brought with it a new form of risk: cyber. With news of large-scale cyber incidents appearing every few days, businesses around the globe are finally starting to sit up and take the subject seriously. If your organization faced an attack today, how prepared would you be?
Following the WannaCry ransom ware attack in May 2017, AIG (where I serve as Head of Liabilities and Financial Lines for Greater China, Australasia, and South Korea) experienced an 87 percent increase in submissions for cyber insurance coverage. Businesses around the world are beginning to realize the full-scale enormity of cyber risk. This collective realization is spurring the urgent need for a larger discussion–one that takes place not in IT offices, but in the boardroom.
More than 143 million people had their sensitive personal data put at risk by the Equifax data breach in May 2017. That’s 143 million personal financial histories potentially compromised. An investigation is ongoing, but the greatest critique lies in a major security flaw the company was first alerted to more than two months before any information was stolen.
Following what many considered a lackluster response to the breach, the Chief Information Officer and Chief Security Officer were forced to resign. Consumer and industry backlash also prompted the CEO, Richard F. Smith, to step down. Stakeholders are no longer satisfied with IT taking the brunt of the blame.
A cross-border risk
Geographical borders are irrelevant in cyber space. In Asia, where 98 percent of the business sector is composed of small and medium-sized organizations, cybersecurity has yet to become a priority. Many of these companies face greater vulnerability to financial, reputational, and client loyalty disasters from risks that may not even be on their radar.
Lawmakers are responding to this issue and are introducing requirements, which, in practical effect, impose compliance requirements that apply beyond country borders. For example, the EU’s General Data Protection Regulation (GDPR), due to come into effect on 25th of May, 2018, imposes obligations on any organization outside of the EU which offers goods and services to individuals in the EU. A boutique hotel in Hong Kong, therefore, which offers and provides services to guests who reside in the EU, may be caught within the GDPR’s ambit.
Cyber attackers don’t discriminate
Although the majority of cyber breaches in the news involve large corporations, it would be foolish to pretend that smaller businesses–and even individuals–are safe.
The biggest change that companies can make is to shift their cyber strategies from post-breach repair to pre-emptive avoidance measures
Good fences make good neighbors
No matter how carefully you plan and implement your own security measures, the risk doesn’t end there.
The unfortunate truth is that your suppliers might be the weak link into your network. A hacker may find it easier to sneak past your cyber defenses by first breaking into a supplier’s weaker network, then posing as that supplier to gain access to your system.
What can you do?
The biggest change that companies can make is to shift their cyber strategies from post-breach repair to pre-emptive avoidance measures–preventing attacks before they happen. A good way to start is by assessing organizational risk from a cyber standpoint, and enlisting outside counsel from legal, accounting, and cyber security firms to develop mitigation plans.
It’s also important to develop a data breach response plan, which includes assembling a team, checking network data segmentation and implementing a communications plan. A key element is to regularly test your response plan and ensure all key players stay informed of any updates or changes.
With cyber risks developing and evolving rapidly, cyber insurance coverage can improve the resilience of your organization in the event of a cyber breach or attack. Cyber insurance has evolved from providing coverage for settlements from customer litigation to addressing the financial costs related to cyber breach response. Coverage is now being expanded to include theft of company assets using electronic means.
New types of coverage have been created to address 21st century exposures, including coverage for payments related to extortion from malware viruses such as WannaCry. These policies also offer legal services for determining the scope of the threat and negotiating a resolution.
Another risk now being covered is social engineering fraud, wherein a fraudster stakes out a company, gains detailed information of key personnel, then pretends to be either a trusted vendor or the CEO/CFO (or “fake president”) to induce company employees to send money to bank accounts controlled by the fraudster. Theft of crypto currencies such as Bitcoin and Ethereum is now also being included within the scope of modern crime insurance to cater to those companies beginning to use cryptocurrencies in their transactions and operations.
The invisible risk
Cyber risk stands as a new and evolving threat you probably haven’t fully appreciated. It can attack you from multiple directions and come from sources halfway around the world. No matter your level of preparedness, it’s nearly impossible to completely defend yourself–or your company–against a motivated and ever-evolving threat.
In 2016, AIG insured 22,000 commercial clients against cyber-related risks and 22 million individuals against identity theft globally. Cyber risk is here to stay, and although nobody is 100 percent safe from a cyber attack, the smart money is being channeled into the proactive steps needed to protect businesses and bottom lines.