Cyber: Facing a new frontier of risk

Businesses around the world are beginning to realise the full-scale enormity of cyber risk. This collective realisation is spurring the urgent need for a larger discussion – one that takes place not in IT offices, but in the boardroom.

Data breaches are no longer simply an issue for IT staff. Take, for example, the Equifax data breach in May 2017, in which more than 143 million people had their sensitive personal data put at risk. That is 143 million personal financial histories potentially compromised. An investigation is ongoing, but the sharpest criticism concerns a major security flaw the company had been alerted to more than two months before any information was stolen.

Following what many considered a lacklustre response to the breach, the chief information officer and chief security officer were forced to resign. Consumer and industry backlash also prompted the CEO, Richard Smith, to step down. Stakeholders are no longer satisfied with IT taking the brunt of the blame. It is now very much a boardroom issue.

A global issue
Geographical borders are irrelevant in cyberspace. In Asia, where 98% of the business sector is composed of small and medium-sized organisations, cybersecurity has yet to become a priority. Many of these companies are especially exposed to financial, reputational and client loyalty disasters arising from risks that may not even be on their radar.

Lawmakers are responding to this issue by introducing requirements which, in practical effect, apply beyond country borders. For example, the EU’s General Data Protection Regulation (GDPR), due to come into effect on 25 May 2018, imposes obligations on any organisation outside of the EU that offers goods and services to individuals in the EU. A boutique hotel in Hong Kong, therefore, which offers and provides services to guests who reside in the EU, may be caught within the GDPR’s ambit.

Cyberattack prevention
The biggest change that companies can make is to shift their cyber strategies from post-breach repair to pre-emptive avoidance measures – preventing attacks before they happen. A good way to start is by assessing organisational risk from a cyber standpoint, and enlisting outside counsel from legal, accounting and cybersecurity firms to develop mitigation plans.

It is also important to develop a data breach response plan, which includes assembling a team, checking network data segmentation and implementing a communications plan. A key element is to regularly test your response plan and ensure all key players stay informed of any updates or changes.

No matter how carefully you plan and implement your own security measures, the risk does not end there. The unfortunate truth is that your suppliers might be the weak link into your network. A hacker may find it easier to sneak past your cyber defences by first breaking into a supplier’s weaker network, then posing as that supplier to gain access to your system.

Cyber risk stands as a new and evolving threat you probably have not fully appreciated. It can attack you from multiple directions and come from sources halfway around the world. No matter your level of preparedness, it is nearly impossible to completely defend yourself – or your company – against a motivated and ever-evolving threat.

The role of cyber insurance
With cyber risks developing and evolving rapidly, cyber insurance coverage can improve the resilience of your organisation in the event of a cyber breach or attack. Following WannaCry, a worldwide ransomware attack in May 2017 which impacted more than 230,000 computers, AIG experienced an 87% increase in submissions for cyber insurance coverage. Cyber insurance has evolved from providing coverage for settlements from customer litigation to addressing the financial costs related to cyber breach response. Coverage is now being expanded to include theft of company assets using electronic means.

New types of coverage have been created to address 21st century exposures, including coverage for payments related to extortion from ransomware such as WannaCry. These policies also offer legal services for determining the scope of the threat and negotiating a resolution. Another risk now being covered is social engineering fraud, wherein a fraudster stakes out a company, gains detailed information about key personnel, then pretends to be either a trusted vendor or the CEO/CFO (the so-called ‘fake president’) to induce company employees to send money to bank accounts controlled by the fraudster. Theft of cryptocurrencies such as Bitcoin and Ethereum is now also being included within the scope of modern crime insurance, to cater to those companies beginning to use cryptocurrencies in their transactions and operations.

Cyber risk is here to stay, and although nobody is 100% safe from a cyberattack, the smart money is being channelled into the proactive steps needed to protect businesses and bottom lines.

This is an edited version of an article that first appeared in Forbes magazine

Contributed by Jason Kelly, head of liabilities and financial lines for Greater China, Australasia and South Korea, AIG