Juniper Research has predicted that the rapid digitisation of consumers’ lives and enterprise records will increase the cost of data breaches to $2,1-trillion globally by 2019, almost four times the estimated cost of global breaches in 2015.
Some 4,2-billion people will be online by 2020, or 54% of the global population, exchanging and sharing goods and information. The research also points out that the majority of cyber breaches will come from existing IT and network infrastructure, and also highlights the increasing professionalism of cybercrime, with the emergence of cybercrime products for sale such as malware.
According to Aon Risk Solutions, new technology means new risks. The internet asks a lot of questions of its users. How should the internet interact with nation states? What opportunities can it offer criminals? How should legislation and regulation apply to the seas of data that constitute the heart of the new digital economy? What are the implications of outsourcing data processing to cloud providers and the growing use of personal devices to conduct business? We are still coming to terms with many of these issues.
“Mitigating the risks that come with being a custodian of data while embracing the opportunities that technology presents is key to building resilient businesses. Silo approaches to risk management and recovery efforts are increasingly out-of-place in such a digitised world. Becoming more resilient in an age of digital disruption increasingly means understanding the full scope of cyber governance responsibilities,” explains Kerry Curtin, manager: financial institutions and professional risks at Aon South Africa.
“This means starting with a top-down approach in managing cyber risk at the board and executive level, identifying and protecting the organisation’s most critical assets and understanding the impact to the enterprise should it be compromised by a data breach. It means complying with international and local regulations and understanding organisational blind spots. And it means adapting to the latest techniques and trends in security and being prepared to respond should there be a failure in any of these areas. Cyber security cannot be approached piecemeal, but should be considered holistically, as a challenge facing the entire organisation,” explains Curtin.
In making the most of the opportunities that new technology provides for development and progress, business leaders cannot only think about the technology. They need to take into account the business context in which that technology operates and the impact and risk exposure that it can potentially cause to the organisation. There are two key areas to consider: the regulatory environment and organisational culture.
A crucial aspect is the impact of different regulatory environments. Today’s globalised and digitally integrated world means that most organisations are to some extent international. Whether it’s a business which serves a global market or a manufacturer hooked into global supply chains, awareness and adherence to local rules and regulations in all areas of operation are crucial.
Aon points to the EU General Data Protection Regulation (GDPR), due to come into effect in 2018, which requires every organisation operating in Europe to abide by several regulatory provisions – and this doesn’t just mean companies based in Europe, but also those offering goods or services to EU markets in a way that involves processing any European-owned data. Cyber challenges are global, and regions everywhere will need to come up with appropriate regulatory responses.
Bridging the gap between awareness and insurance
While more and more organisations claim they take their cyber risks very seriously, this is not being echoed in insurance uptake and risk readiness.
“This may have to do with the fact that many organisations are still lagging in performing the type of risk assessments that insurers require,” says Curtin. “Even technology companies, those heavily reliant on the web to conduct their businesses and those that hold extensive and sensitive personal data still have no cyber insurance, despite the fact that class action lawsuits and regulatory fines have become synonymous with data breaches.
“There is still a great deal of complacency in local markets, and this has to do with the fact that incidents in South Africa are grossly under-reported and kept under wraps. According to the 2015 Security Summit held in Johannesburg, South Africa is the third worst in the world when it comes to cybercrime attacks.
“We’ve seen a significant evolution of the cyber insurance market, with more policies that are more inclusive and when scenarios are tested, far more effective. Aon’s new Cyber Enterprise Solution which has been developed in collaboration between Aon cyber practitioners and professionals in risk, technology, actuarial modelling and other areas, demonstrates the evolution of this type of policy. It provides effective cover for emerging risks such as products liability coverage to address the ‘Internet of Things’ exposures and a comprehensive approach to limits,” adds Curtin.
Companies that have cyber insurance in place when they find themselves in the midst of a cyber crisis also soon discover that this cover brings significant advantages:
* Offsets the expenses of what is essentially an unknown cost. Data breaches are difficult to budget for as they are so unpredictable. The size, scope, and complexity of each data breach vary widely, so insurance is a practical way to manage high price tag exposures such as data breach notifications, forensic investigations, legal fees, data analysis, crisis communications, monitoring, remediation, restoration and legal settlements.
* Specialist – and expensive – resources are typically provided by insurers or carriers within hours of notification of a breach. These resources include specialised tech teams and forensics whose first role is to identify and contain the damage as quickly as possible, along with legal counsel, communication specialists and response teams whose role is to limit the organisation’s legal exposures – typically all resources that few organisations would have in-house and on-call due to their price tags.
Four steps to reducing your cyber vulnerability
Even the most comprehensive cyber risk insurance is not a replacement for strict internal privacy and security measures. Given the massive reputational and financial risks of a data breach, prevention is still the best form of insurance. There are a number of strategies that can help organisations ensure smooth operations.
Stroz Friedberg, an Aon-owned company, provides cyber security tips for leaders to keep in mind as they operate in today’s digital, connected, and regulated world:
* Identify your critical assets. Organisations need to identify their most critical assets and have alignment with the board and executive team down to the individuals who are responsible for protecting them. Organisations must assess what data is critical, where it is stored, how it flows across the organisation, and who really needs access to it. This could include customer data and intellectual property which could be stolen, or operating and manufacturing technology which could be sabotaged.
* Conduct a comprehensive risk assessment. Once alignment on critical assets has been established, it will be easier to pinpoint vulnerabilities and assess cyber preparedness. Review cyber security deficiencies and vulnerabilities across all key enterprise areas including business practices, information technology, IT users, security governance, and the physical security of information assets. Risk could also manifest itself as losses due to business interruption and especially reputational damage.
* Take a holistic approach to cyber governance. Mitigating cyber risk is not just an issue for tech teams. The scope of risk means that guarding against attacks should involve key players across all enterprise functions and entities. Educating employees and leaders at all levels on the scale of risk, and putting provisional crisis plans in place, will help build a truly cyber-resilient organisation.
* Keep your defences sharp. A secure environment requires ongoing validation and can become vulnerable in an instant. Deploy techniques such as pen testing or red teaming exercises to ensure your applications, networks and endpoints are not left vulnerable.
“The Aon Cyber Risk team works with clients to improve their proactive posture to cyber risk threats, and respond more effectively in the event of an attack. Aon’s recent acquisition of Stroz Friedberg, a leading global risk management firm based in New York City, allows us to combine standards-based cyber assessments and industry-leading risk transfer solutions, to provide our clients with the benefits of an integrated approach to managing and mitigating the systemic risk of cyber threats,” concludes Curtin.