Jason Kelly, Head of Liabilities and Financial Lines for Greater China, Australasia and South Korea, AIG
The convenience of today’s increasingly connected world has brought with it a new form of risk: cyber. With news of large-scale cyber incidents appearing every few days, businesses around the globe are finally starting to sit up and take the subject seriously. If your organization faced an attack today, how prepared would you be?
Following the WannaCry ransomware attack in May 2017, AIG (where I serve as Head of Liabilities and Financial Lines for Greater China, Australasia, and South Korea) experienced an 87 percent increase in submissions for cyber insurance coverage. Businesses around the world are beginning to realize the full scale of cyber risk. This collective realization is spurring the urgent need for a larger discussion, one that takes place not in IT offices but in the boardroom.
More than 143 million people had their sensitive personal data put at risk by the Equifax data breach in May 2017. That is 143 million personal financial histories potentially compromised. An investigation is ongoing, but the sharpest criticism concerns a major security flaw that the company had first been alerted to more than two months before any information was stolen.
Following what many considered a lackluster response to the breach, the Chief Information Officer and Chief Security Officer were forced to resign. Consumer and industry backlash also prompted the CEO, Richard F. Smith, to step down. Stakeholders are no longer satisfied with IT taking the brunt of the blame.
A Cross-border Risk
Geographical borders are irrelevant in cyberspace. In Asia, where 98 per cent of the business sector is composed of small and medium-sized organizations, cybersecurity has yet to become a priority. Many of these companies are especially exposed to financial, reputational, and customer-loyalty losses from risks that may not even be on their radar.
Lawmakers are responding to this issue and are introducing requirements which, in practical effect, impose compliance requirements that apply beyond country borders. For example, the EU’s General Data Protection Regulation (GDPR) imposes obligations on any organization outside of the EU which offers goods and services to individuals in the EU. A boutique hotel in Hong Kong, therefore, which offers and provides services to guests who reside in the EU, may be caught within the GDPR’s ambit.
Cyber Attackers Don’t Discriminate
Although the majority of cyber breaches in the news involve large corporations, it would be foolish to pretend that smaller businesses, and even individuals, are safe. WannaCry, a worldwide ransomware attack in May 2017, impacted more than 230,000 computers.
Rather than targeting only large corporate networks, it also held data on personal computers hostage, with the attackers demanding a ransom payable in bitcoin to release the lock they had placed on the system. This kind of attack is just one of an ever-increasing number of cybersecurity incidents: reported incidents increased 300 per cent from 2013 to 2016, according to the Hong Kong Computer Emergency Response Team Coordination Centre.
Good Fences Make Good Neighbors
No matter how carefully you plan and implement your own security measures, the risk doesn’t end there.
The unfortunate truth is that your suppliers might be the weak link into your network. A hacker may find it easier to sneak past your cyber defenses by first breaking into a supplier’s weaker network, then posing as that supplier to gain access to your system.
What Can You Do?
The biggest change that companies can make is to shift their cyber strategies from post-breach repair to pre-emptive avoidance measures, preventing attacks before they happen. A good way to start is by assessing organizational risk from a cyber standpoint and enlisting outside counsel from legal, accounting, and cybersecurity firms to develop mitigation plans.
It is also important to develop a data breach response plan, which includes assembling a response team, checking network data segmentation, and implementing a communication plan. A key element is to test your response plan regularly and ensure all key players stay informed of any updates or changes.
With cyber risks developing and evolving rapidly, cyber insurance coverage can improve the resilience of your organization in the event of a cyber breach or attack. Cyber insurance has evolved from providing coverage for settlements from customer litigation to addressing the financial costs related to cyber breach response. Coverage is now being expanded to include theft of company assets using electronic means.
New types of coverage have been created to address 21st century exposures, including coverage for payments related to extortion from ransomware such as WannaCry. These policies also offer legal services for determining the scope of the threat and negotiating a resolution.
Another risk now being covered is social engineering fraud, wherein a fraudster stakes out a company, gains detailed information of key personnel, then pretends to be either a trusted vendor or the CEO/CFO (or “fake president”) to induce company employees to send money to bank accounts controlled by the fraudster. Theft of cryptocurrencies such as bitcoin and ethereum is now also being included within the scope of modern crime insurance to cater to those companies beginning to use cryptocurrencies in their transactions and operations.
The Invisible Risk
Cyber risk stands as a new and evolving threat you probably haven't fully appreciated. It can attack you from multiple directions and come from sources halfway around the world. No matter your level of preparedness, it's nearly impossible to completely defend yourself, or your company, against a motivated and ever-evolving threat.
In 2016, AIG insured 22,000 commercial clients against cyber-related risks and 22 million individuals against identity theft globally. Cyber risk is here to stay, and although nobody is 100 percent safe from a cyberattack, the smart money is being channeled into the proactive steps needed to protect businesses and bottom lines.