Market leaders recognise the immediate impact cyber breaches can have on a company’s standing and stock prices; their executives are ahead of the game.
The question is, as a leader, do you know what you are dealing with and what to do about it?
Eric Lowenstein is a leading expert in identifying and assessing cyber risk exposures including evaluating existing and potential exposures, policy coverage and developing a cyber risks insurance solution to cover identified gaps. His specialised role at Aon has developed as cyber risk has increased.
Eric has this advice to help you get across potential cyber risk pitfalls…
A Growing Concern
“The exposure that boards have to cyber risks has grown enormously in terms of our engagements of interest. For example, 12 months ago our gross written premium was around $230,000, but we finished 2014 with over $2.5 million in written premium.”
“The Australian cyber risk insurance market at the end of 2013 was sitting at that $3-5 million mark; it jumped $9-12 million in 2014 and by the end of 2015 it’ll probably be double that.”
“As we see more of these high-profile breaches – J.P. Morgan, Target, Sony – it elevates awareness across a diverse range of industry sectors. A recent survey in ‘The Financial Review’ showed that 74% of CEOs cited cyber threats as the second most serious threat to their organisation’s growth.”
“Cyber crime has now outweighed drug trafficking as the most lucrative form of crime. I regularly speak with a number of cyber crime experts and they have described to me how these criminal networks have hierarchies, employees, health-plans, they even have employee performance reviews. These are well established and sophisticated operations.”
“We’re talking about hacking, identity theft, cyber-extortion, crypto-locking viruses, even forms of cyber-terrorism where countries or terrorist consortiums sponsor forms of cyber attack, as may be the case in the U.S. with Sony and North Korea. ‘Hacktivism’ as a form of political protest, targeting companies and causing cyber incidents to draw attention to a cause, is also an increasing concern.”
“CEOs in global firms have received emails from legitimate addresses requesting a transfer of funds to an offshore bank account. Cyber criminals have monitored networks and, when large price tag purchases are made, substituted different bank details on the invoice, taking money outside of Australia to a foreign bank account. Once funds are offshore they become unrecoverable.”
“We’ve seen clients who think they are responding to a legitimate email and find themselves locked out of all their systems and ransomed to gain access again.”
“One top 20 corporate with good security was infiltrated when a cyber criminal set up a fake LinkedIn profile and applied for a job, then set up a phone interview in which they gleaned basic information about networks and operating systems that allowed them to gain access.”
“Other companies have had physical engineering tampered with via hacked computer networks, causing havoc and major environmental incidents.”
“Some industries have become very concerned about competitors gaining commercial advantage, accessing information through vulnerable systems.”
“Cyber criminals continuously innovate, and they only have to find one weak point to infiltrate, whether that’s in the I.T. systems or a person in the workforce.”
What Leadership Needs To Put In Place
“Directors need to set the culture, putting cyber risk on board level agendas regularly and with adequate time. Boards need to be highly aware of legislation and legal responsibilities. Ensure you and your people have adequate access to cyber risk experts so security is tight, and prioritise adequate staffing and budget.”
“One of the approaches we find imperative is a thorough risk mapping in consultation with all stakeholders. We then make recommendations about risk control, processes and mitigation techniques, do a gap analysis in regards to current insurance, and tailor a risk transfer policy, looking at current portfolios to see where we can offset.”
“You need to make sure that you both thoroughly profile your organisation and have balance-sheet transfer in place for the following:
- Direct ramifications of a breach both fiscally and for brand reputation.
- Notification costs (P.R. budget, call-centre costs and credit monitoring services)
- Investigations response and compliance
- Compensation to affected individuals
- Engagement of forensic experts
- Defence of claims for misleading conduct, negligence, breach of contract, breach of confidence and interference of privacy.”
“Adequate board management of cyber risk now needs to include risk transfer, to make sure you cover the hidden costs of the worst happening.”