Cyber-dependency will be one of the most important trends shaping global development over the next 10 years. Yet businesses are only just waking up to the technological risks involved, according to the Global Risks Report 2016 from the World Economic Forum (WEF), developed in collaboration with Zurich Insurance Group and other leading institutions. Mr Oliver Vale from Zurich Insurance explores.
At the WEF meeting in Davos, participants were concerned about cyber risks and many suggested that data liabilities should feature in corporate accounts.
Mr Michael Bodson, President and CEO, Depository Trust & Clearing Corporation, was quoted in the Financial Times saying that he was “truly paranoid” about cyber risk and that if even a mid-size US bank lost its data through hacking it could cause a major panic in the banking system. Meanwhile Mr Gavin Patterson, Chief Executive of telecoms company BT, said its network is dealing with hundreds of thousands of cyber attacks a day and that corporate boards are not keeping up with the rapidly changing and developing threat, according to Management Today.
At the meeting, the US Attorney General Loretta Lynch stressed the importance of developing a global approach to counter the threat of cyber crime and protect the safety of information networks and online systems.
Public-private partnerships vital
“It is vital that industry and government continue to collaborate on this issue – perhaps more so than in any other area in which we have enforcement priorities,” she said. “Because private industry is so deeply affected by cyber crime, and also the private industry has the cutting edge technology that’s useful to both government and industry in not only identifying the threats but also predicting and preventing them.” Ms Lynch also welcomed the WEF’s recommendations for using public-private partnerships to address cyber crime.
Executives in eight countries – the US, Japan, Germany, Netherlands, Switzerland, Malaysia, Singapore and Estonia – see cyber attack as the greatest global risk to doing business, according to the WEF’s Executive Opinion Survey 2015. Executives in the United Kingdom ranked it second. Zurich believes that executives in any country that has not ranked cyber within the top three risks to doing business are underestimating the risk in their markets.
Mapping the risk
With increasing interconnectivity between organisations, and every industry now heavily reliant on the internet to source and supply goods and services, every company should expect to be affected by a cyber attack, whether directly or on one of their trading partners.
Mapping the risk of such an attack is no longer a task to be left to the IT department; any individual within any organisation should be ready to raise the alert and help limit the damage to the business and its customers.
Organisations are beginning to understand that a cyber incident will happen one day. So the question now is: “How will I be able to detect the attack?” and “Is my business prepared to emerge in the best shape?”
To manage this, you need to take the same approach as to any traditional risk: identify your most valuable assets and establish what you need to protect them from, then have a process in place for mitigating damage as quickly and efficiently as possible.
Regulators stepping in
With the European Union recently agreeing on the Network and Information Security Directive, which requires key infrastructure providers (including banks, healthcare providers and energy companies) to report details of cyber attacks to the authorities, organisations will increasingly have to be ready to show they have taken all possible steps to prevent and limit the damage from such attacks. Enforcement action and penalties for poor management are set to increase dramatically.
In Asia, regulators’ interest is on the rise. Many of Asia’s key countries have revised legislation and regulation in the last five years, but the changes in Europe are likely to precipitate further amendments and raise standards globally.
Some companies still in the dark
As the Global Risks Report 2016 identified, companies do not always realise immediately that they have been hacked. “Many attacks and intrusions are not immediately discovered – some are recognised only months and in some cases years later.”
Even when an attack comes to light, organisations can be reluctant to publicise it because of the reputational damage and the risk of being seen as weak and attracting further attacks. For example, when Google was hacked in 2010, another 34 Fortune 500 companies also lost intellectual property in the same incident – but only one of them reported the breach, according to research by the Center for Strategic and International Studies and McAfee published in 2014.
Cost of cyber crime
Cyber crime costs the global economy an estimated US$445 billion a year, according to the McAfee report from the Atlantic Council. We at Zurich Insurance Group note that if rising cyber risk continues unabated, the resulting missed opportunities could lead to more than $100 trillion in unrealised global growth. That is a fear shared by business leaders – some 61% of CEOs say they are concerned that cyber threats could negatively impact their corporate growth, according to PricewaterhouseCoopers’ Annual Global CEO Survey.
Risks vary by industry, ranging from the theft of private customer information, including banking or healthcare information and trade secrets, to attacks against critical infrastructure.
Organised criminals are looking for information they can sell on the dark web, and of course online retailers, healthcare and financial services companies hold valuable information. For utilities, energy, and manufacturing companies, the attacker is more likely to be a state or a competitor looking for trade secrets or military information.
The other main sources of cyber attacks are “hacktivists” who want to embarrass or halt an organisation’s activities, and company insiders, be it employees with a grievance or those looking to use their privileged access to commit fraud.
The threat is not always direct. Companies share sensitive information with third parties for everyday activities such as processing salaries and sending marketing material to customers. They also provide access to their IT system to external sub-contractors or partners. An attack on an outside system can quickly become a problem throughout the chain.
The Global Risks Report 2016 identifies the risk of cyber security breaches “cascading” through the broader economy. “Although organisations may recognise the benefit of cyber technologies for their bottom lines, they may not be fully internalising cyber security risks and making the appropriate level of investment to enhance operational risk management and strengthen organisational resilience,” the report said. “As the Internet of Things leads to more connections between people and machines, cyber dependency will increase, raising the odds of a cyber attack with potential cascading effects across the cyber ecosystem.”
Taking the right steps
Organisations must start with a root-and-branch risk assessment to stave off cyber attacks and mitigate the risk of a successful breach to their activities, clients and reputations.
Every actor in every organisation should be concerned about this and should work on the risk mapping scenarios. Once you have done that, there are many steps to take: using technology to detect attacks and protect your IT infrastructure, and putting proper data protection measures in place, including encryption. Employee awareness is also important; you can have great IT security in place, but if your employees do not respect the procedures, then you will be in trouble.
On the interconnectivity issue, it is really important that the security procedures you have in place are respected and implemented by your subcontractors. It varies by industry, but it is better to select a limited number of subcontractors and partners who you trust and have verified.
Putting in place incident response procedures for damage limitation before a breach happens should be part and parcel of risk mapping. These steps should include a plan to notify customers directly and through the press, along with a list of external experts who can give immediate help, such as an IT forensics firm to help contain an incident, legal partners and public relations consultants. Understanding the insurance response prior to an incident is also vital.
The report also highlighted the importance of cooperation between organisations and law enforcement agencies in tackling cyber attacks.
“It is becoming clearer that cybercrime cannot be fought unilaterally,” the report said. “Although businesses can follow standard industry practices or adopt individually tailored ways to deal with cybercrimes, cooperation throughout the value chain (because attacks can be made through supplier systems) and with law enforcement is also helpful.”
The need for collaboration between the private and public sector to tackle cyber risks was also emphasised in the 2015 Atlantic Council/Zurich Insurance Group report. The report encouraged business leaders to engage with policymakers, and to take action on cyber security, while facing up to cyber risks within the business.
Mr Oliver Vale is Head of Professional Indemnity, Asia, Global Corporate in Asia Pacific, at Zurich Insurance.