Brian Pennington

A blog about Cyber Security & Compliance

Tag: Cyber Attack

Internal Audit is having an ever increasing role in Cyber Security

According to a report by the Institute of Internal Auditors Research Foundation, cyber preparation at most organizations follows a classic bell curve.

Asked, for instance, how prepared their organisations would be to respond to a cyber-attack:

  • 29% of respondents said “extremely” or “very”
  • 44% said “moderately”
  • 23% said “slightly” or an ominous “not at all”

As organizations increase spending on tech tools to address cyber risks, internal auditors are advocating a holistic approach that includes policies, response planning and board involvement to develop a broader view of an organization’s cyber risks and defences.

Helped by their understanding of organization controls and risk management, internal audit can bring various functions together and help them address cyber threats more effectively, the study says.

“Boards and audit committees also must … be kept up-to-date on technologies that not only can help meet business objectives, but also may make an organization more vulnerable to attack. When properly resourced and supported, internal audit will develop the skills and perspective to provide review and assurance services in this area,” the study says.

Key Components

The report identifies five key components to cyber risk management and says internal audit can play a key role in supporting each element:

  1. Protection: Internal audit can help organizations test security controls related to bring-your-own-device (BYOD) policies, review third-party contracts for compliance with security protocols, and perform IT governance assurance services.
  2. Detection: IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) study found that five in 10 respondents use data mining and data analytics for risk and control monitoring, as well as fraud identification. The cyber preparedness study says audit executives should partner with IT and information security pros to develop and monitor key risk indicators and validate security-related controls.
  3. Business Continuity: Just as they plan for natural disasters or other corporate crises, organizations have to develop plans to serve customers and other stakeholders during cyber-attacks. Internal audit can bring an enterprise-wide perspective and provide assurance about the expected effectiveness of response plans.
  4. Crisis Communications: Similar to response plans, it’s important to keep customers, shareholders, regulators and other interested parties informed during (and immediately after) a cyber breach.
  5. Continuous Improvement: If an organization experiences a cyber-attack, internal audit can play a valuable role in helping the organization assess the effects and outline strategies and protocols to defend against the next attack.

The study also suggests corporate boards increase their ability to assess and defend against cyber risks. This may involve recruiting board and committee members with cyber-related experience or expertise, or bringing in third-party security experts to educate board members about evolving cyber threats and governance practices.

The full article can be downloaded here.

The insurance implications of a cyber attack on the US power grid

The threat of cyber attack reaches every part of modern society, and insurance could have an important role to play in helping organisations to manage their cyber risk exposure.

However, there is a significant level of uncertainty attached to the impact of severe events. Lloyd’s of London has published a research report that aims to contribute to the knowledge base required to develop the next generation of insurance solutions for the digital age.

The research estimates the economic and insurance impacts of a severe, yet plausible, cyber attack against the US power grid. While the analysis focuses on the USA, we believe that it provides a framework for thinking about severe cyber attacks anywhere in the world. The key findings of the report are:

  • The attackers are able to inflict physical damage on 50 generators which supply power to the electrical grid in the Northeastern USA, including New York City and Washington DC.
  • While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers a wider blackout which leaves 93 million people without power.
  • The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario.
  • Insurance claims arise in over 30 lines of insurance. The total insured losses are estimated at $21.4bn, rising to $71.1bn in the most extreme version of the scenario.
  • A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
  • The sharing of cyber attack data is a complex issue, but it could be an important element for enabling the insurance solutions required for this key emerging risk.

The report can be found here.

Risk managers identify the “big three” risks causing them their greatest concern

Risk managers identify technology, supply chain and regulatory as the “big three” risks currently causing their organisations the greatest concern, according to a survey of 500 companies in Europe, the Middle East and Africa conducted for global insurer ACE’s Emerging Risks Barometer 2015. People risk sits just outside the top-three, while geopolitical risk completes the top-five emerging risk categories.

Technology risk

Technology plays a role in almost every business’s strategic planning, whether in the development of new services or products or as an enabler of operational effectiveness. When it comes to technology risk management, however, our research suggests that companies may not be focusing on the right areas, due to a lack of knowledge about the most likely sources of threat.

Which of the following risk categories are currently causing you greatest concern as a business?
  • 43% Technology risk (including cyber security)
  • 31% Supply chain, finance and logistics risk
  • 27% Regulatory and compliance risk
  • 26% People risk (including risks to people such as personal accidents and disease, risks caused by people such as fraud and labour disputes, and talent risks)
  • 25% Geopolitical risk (including regime change, asset confiscation, trade credit risk, currency restrictions, protectionism)
  • 21% Reputational risk
  • 18% Management liability risk (including directors & officers liability)
  • 15% Environmental liability risk (such as pollution or failure to understand/comply with local regulation)
  • 15% Natural catastrophe risk
  • 14% Terrorism and political violence risk

Supply chain risk

As in our 2013 Barometer, supply chain risk remains a major concern. As companies expand into new markets using ever more complex networks of suppliers and partners the supply chain is at once an enabler of growth and a key source of risk.

In recent years, we have seen major disruptions to supply chains caused by events such as Hurricane Sandy, which prompted the most extreme fuel shortages since the 1970s, and 2014’s widespread flooding in India and Pakistan, which caused US$12 billion in losses. After responding admirably to these and other catastrophes, risk managers say they have achieved a better handle on business interruption risk.

Today, businesses are better prepared and therefore less concerned about interruption caused by natural disasters. Instead, they are focusing more on issues that can harm their corporate reputations. Our respondents rank unethical labour practices as their biggest supply chain worry. Yet 61% admit they cannot always vouch for the ethical and trading standards of every company in their supply chain.

Emerging Risks Barometer 2015

Which of the following risks currently consume the most time and resources in your organisation?
  • 47% Technology risk
  • 32% Supply chain, finance and logistics risk
  • 29% Regulatory and compliance risk
  • 28% People risk
  • 25% Geopolitical risk
  • 23% Reputational risk
  • 14% Management liability risk (including directors & officers liability)
  • 12% Environmental liability risk
  • 12% Terrorism and political violence risk
  • 11% Natural catastrophe risk
  • (Don’t know / Not applicable: 2%)

Regulatory and compliance risk

27% of respondents say regulatory and compliance risk is among their greatest concerns. The category also comes third in the list of risks with the potential to cause significant financial impact over the next two years, cited by 27% of respondents, and third in the list of risks consuming the most time and resources (29%).

Which of these risk categories do you expect will have the most significant financial impact on your business in the next two years?
  • 47% Technology risk
  • 31% Supply chain, finance and logistics risk
  • 27% Regulatory and compliance risk
  • 26% Geopolitical risk
  • 25% People risk
  • 22% Reputational risk
  • 17% Management liability risk
  • 11% Natural catastrophe risk
  • 11% Terrorism and political violence risk
  • 10% Environmental liability risk
  • (Don’t know / Not applicable: 2%)

While highly regulated sectors such as financial services and energy face the most extreme regulatory challenges, no company is immune. As businesses pursue growth on a global scale, they face a patchwork of regulatory regimes, across markets and jurisdictions.

Other risks to watch

The rise of people risk

People risk only narrowly missed out on a place in our Big Three Risks: over a quarter (26%) say this risk, which includes risks to people, risks caused by people and talent risks, is among their greatest concerns.

34% say their greatest concern in relation to people risk is time lost to labour disputes. In recent years, we have seen substantial labour action in the UK and Germany as well as in supplier nations such as China. At the same time 75% of respondents say recent global events, such as political unrest in Ukraine and the Middle East are causing them to review their travel and security policies.

Geopolitical risk to grow in importance?

Regime change, asset confiscation, protectionism and other geopolitical risks also pose a real threat for business. Respondents today are largely confident in their ability to manage this risk, but only 30% say they are very confident. As a quarter (26%) also believe geopolitical risk will have a significant financial impact over the next two years, we could expect the risk to appear higher in the future, especially as companies continue to expand overseas.

Respondents are primarily concerned about foreign governments cancelling operating licences, concessions or contracts. The majority (68%) believe foreign governments are already making it more difficult for them to plan ahead.

TAKE-UP OF CYBER INSURANCE REMAINS LOW

Marsh has undertaken an in-depth study into organisations’ attitudes towards the cyber threat, the management control processes they have in place, and their understanding and use of cyber insurance as a means of risk transfer. The benchmarking data in this report was collected from risk professionals and CFOs from large and medium-sized corporations from across the UK.

Spotlight on cyber risk to UK companies:

  • 18% of organisations have a “complete understanding” of cyber risk, down on last year
  • 19.4% of UK businesses have board-level ownership of cyber risk
  • 69.4% of companies do not assess their suppliers and/or customers for cyber risk

Firms across the UK continue to place cyber among their leading risks in terms of the likelihood and severity of impact; however, the findings suggest there is still a lot of work to do to improve understanding and management.

Interestingly, there has been a substantial drop in the percentage of respondents who feel they have a “complete understanding” compared to last year (down from 34% to 18%).

This comes at a time when cyber risk is being elevated as a board agenda item, suggesting that executive-level interrogation has exposed a pre-existing overconfidence in the level of knowledge and understanding within certain organisations.

If this is the case, then it is clear those tasked with creating and delivering critical management information relating to cyber risk need more help and guidance to get them to a position where the level of management information is adequate.

Cyber risk is ranked as a tier one threat in the UK National Security Strategy, so it is surprising that 26.4% of UK companies surveyed do not consider it material enough to even get on the risk register. Just 16.6% of companies place cyber as a top-five risk on the risk register, while the remainder place it outside the top 10.

73% of respondents from the manufacturing industry say that cyber risk does not appear in the Top 10 risks on their corporate risk registers, the highest proportion of industry segments we surveyed.

This is perhaps understandable due to a low level of high-profile cyber incidents within the industry; however, as a key target for industrial espionage, and with instances of industrial control technology being compromised recently reported, one could argue that the threat is being underestimated.

The fact that only 31.9% of respondents have identified one or more cyber scenarios that could most affect their organisations suggests that the lack of a complete understanding, and the absence or low positioning of cyber on the risk register, is, for many companies, filtering through to a lack of definition around the specific scenarios that might impact their businesses.

Board-level ownership of cyber risk exists in 19.4% of UK organisations. While this figure is broadly in line with last year’s findings (20%), it remains very low. Meanwhile, IT departments continue to take primary responsibility for cyber risk in 55.5% of organisations. Cyber risk is increasingly recognised as a business risk rather than simply a technical control, and, within this context, it is disappointing that there is no material upward movement in risk management and board functions taking responsibility from IT (the percentage has risen only incrementally, to 15.3% from 14% in 2014). IT departments might know how to implement cybersecurity; however, the loss of value to the organisation, or the significant damage that a security breach can cause, is most certainly a business risk, the consequences of which will be felt at the highest levels of the organisation should it occur.

Boards therefore need to take ownership of cyber risk before a cyber event forces it on to the board agenda, and communicate the identified security priorities to IT departments so that they can align their activity and resources against the business’s risk management agenda.

Lack of data continues to prevent companies from adequately assessing cyber risk

The percentage of firms that have experienced a cyber-attack in the past 12 months has risen to 40.3% (from 31% in 2014).

However, compared with other statistics (HM Government’s 2015 Information Security Breaches Survey states that 90% of large organisations and 74% of small organisations have suffered a security breach), this figure is still low, indicating that many of the respondents to this year’s survey are either particularly fortunate or (more likely) unaware of breach events within their firms.

Interestingly, 100% of respondents in two industries (communications, media and technology; and energy) reported that they had been subject to a cyber-attack in the past 12 months. This most likely reveals a more enlightened position in those organisations rather than any higher level of vulnerability.

In terms of organisations that have conducted or estimated the financial impact of a cyber-attack, this year’s survey results somewhat contradict earlier findings. As such, it would be reasonable to question the rigour of the financial analysis behind those numbers and how many are in fact high-level estimates rather than worst-loss values calculated from detailed information and knowledge of cyber risk and individual exposures.

However, 61.1% of organisations have not yet made any attempt to estimate or calculate their potential losses, suggesting that they are operating in the dark when it comes to the financial impact upon their businesses.

This puts them in a poor position to transfer the risk or even to appreciate whether a cyber event might threaten the viability of the company. Event modelling, combined with financial stress testing, is required to evaluate both the total financial loss attaching to an event and the shorter-term availability of cash to maintain trading.
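To make the “event modelling, combined with financial stress testing” step concrete, here is an added example (not code from the Marsh report or the other reports on this page). It builds a small scenario-based loss model: each scenario has an assumed annual probability and gross loss, the model derives a loss-exceedance curve and the loss at a chosen return period, applies an assumed insurance layer (retention plus limit) to split each loss into recovered and retained portions, and then stress-tests the retained losses against an assumed cash buffer. The scenario names, probabilities, loss figures, policy structure and cash figure are all constructed for illustration.

```python
"""Scenario-based cyber loss model: loss-exceedance curve, insurance recovery
and a liquidity stress test.

Added example. The scenarios, probabilities, loss figures, insurance layer and
cash buffer below are all constructed for illustration; none of them come from
the Marsh or Lloyd's reports discussed on the page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float   # assumed chance the event occurs in a given year
    gross_loss: float           # assumed total financial loss, GBP millions


@dataclass(frozen=True)
class InsuranceLayer:
    retention: float  # self-insured retention (deductible), GBP millions
    limit: float      # maximum payout above the retention, GBP millions


# Constructed scenario set. The model assumes the scenarios are mutually
# exclusive and that at most one occurs per year, a reasonable approximation
# when every probability is small.
SCENARIOS = [
    Scenario("Customer data breach", 0.05, 2.0),
    Scenario("Ransomware, five-day outage", 0.02, 8.0),
    Scenario("Supplier compromise, three-week outage", 0.005, 25.0),
    Scenario("Regional grid outage halts operations", 0.001, 60.0),
]
LAYER = InsuranceLayer(retention=1.0, limit=10.0)   # assumed policy structure
AVAILABLE_CASH = 5.0                                 # assumed liquidity, GBP millions


def recovery(gross_loss: float, layer: InsuranceLayer) -> float:
    """Insurer payout: the part of the loss above the retention, capped at the limit."""
    return max(0.0, min(gross_loss - layer.retention, layer.limit))


def retained(gross_loss: float, layer: InsuranceLayer) -> float:
    """Loss that stays with the organisation after the insurance responds."""
    return gross_loss - recovery(gross_loss, layer)


def expected_annual_loss(scenarios: List[Scenario],
                         layer: Optional[InsuranceLayer] = None) -> float:
    """Probability-weighted annual loss, gross or (if a layer is given) net of insurance."""
    if layer is None:
        return sum(s.annual_probability * s.gross_loss for s in scenarios)
    return sum(s.annual_probability * retained(s.gross_loss, layer) for s in scenarios)


def exceedance_curve(scenarios: List[Scenario]) -> List[Tuple[float, float]]:
    """(loss, P[annual loss >= loss]) pairs, largest loss first.

    Under the mutual-exclusion assumption, P[loss >= x] is the sum of the
    probabilities of every scenario whose loss is at least x.
    """
    curve = []
    cumulative = 0.0
    for s in sorted(scenarios, key=lambda s: s.gross_loss, reverse=True):
        cumulative += s.annual_probability
        curve.append((s.gross_loss, cumulative))
    return curve


def loss_at_return_period(scenarios: List[Scenario], years: int) -> float:
    """Largest loss whose annual exceedance probability is at least 1/years
    (for example the 1-in-200-year loss)."""
    threshold = 1.0 / years
    for loss, prob in exceedance_curve(scenarios):
        if prob >= threshold:
            return loss
    return 0.0


def liquidity_shortfalls(scenarios: List[Scenario], layer: InsuranceLayer,
                         available_cash: float) -> List[str]:
    """Stress test: scenarios whose retained loss exceeds the cash available to keep trading."""
    return [s.name for s in scenarios if retained(s.gross_loss, layer) > available_cash]


if __name__ == "__main__":
    print(f"Expected annual loss, gross: {expected_annual_loss(SCENARIOS):.3f}m")
    print(f"Expected annual loss, net of insurance: {expected_annual_loss(SCENARIOS, LAYER):.3f}m")
    for years in (20, 200, 1000):
        print(f"1-in-{years}-year gross loss: {loss_at_return_period(SCENARIOS, years):.1f}m")
    for name in liquidity_shortfalls(SCENARIOS, LAYER, AVAILABLE_CASH):
        print(f"Liquidity shortfall under scenario: {name}")
```

The two outputs a board would look at are the return-period loss (how bad a plausible year can be, not just the expected loss) and the shortfall list: with the assumed figures the policy caps the insurer’s contribution at 10m, so the two tail scenarios leave retained losses of 15m and 50m against 5m of cash, which is exactly the “can we keep trading” question the paragraph above raises. Swapping in an organisation’s own scenarios and its actual policy terms is the whole exercise.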

The majority of organisations have not planned for sources of funding; however, the 48.9% that have is an encouraging number. Since just 11.1% of companies are buying insurance, it must be the case that companies are bypassing the insurance market and finding alternative methods to fund the risk (from available cash lines or lines of credit or assets that can be disposed of rapidly, for example).

Possessing and rehearsing an incident response plan is recognised as having a very positive effect on the operational, financial and reputational impact of a cyber-attack upon an organisation.

The effect for breaches of personal data was quantified in the Ponemon Institute’s 2015 Cost of Data Breach Study, which reveals that companies with an incident response team in place typically save £9.50 on the per capita cost of a data breach, compared with the mean per capita cost.

Lack of control over suppliers/third parties a major concern

It is both a surprise and a huge concern that 69.4% of respondents to this year’s survey do not assess the suppliers and/or customers they trade with for cyber risk.

Suppliers and external organisations with whom system links are shared present one of the key vulnerabilities to UK companies. Businesses have done a lot to improve cybersecurity in the past 12 months; however, their exposure to third parties, whether service providers, product suppliers, customers, or, in the case of banks, borrowers, presents significant risks to companies’ networks. In addition to this, 51.4% are not asked to demonstrate a competent standard of IT security practices to their own bank and/or customers in order to do business with them.

While organisations can control their own networks, they have much less control over those of the suppliers/third parties that they might be linked to. Without the appropriate checks, this leaves them exposed and lacking control over standards of IT security in systems where hackers might find a “back door” into their organisation.

There therefore needs to be an improvement in supply-chain resilience to cyber-attack if organisations are going to reduce the threat arising from this key vulnerability. This is especially true for large organisations with a profile that attracts highly motivated and sophisticated hackers who might identify smaller business partners that are typically less well protected. For example, a recent report published by Marsh and the UK Government highlighted that 22% of small businesses admit they “don’t know where to start” with cybersecurity.

One of the most well-publicised cyber breaches in recent years occurred at a large US retail company after hackers stole network credentials from a third-party heating, ventilating and air conditioning (HVAC) contractor that had an IT link with the victim’s corporate systems. Incidents like these are likely to rise in frequency until organisations place greater focus on setting out the basic technical controls that all suppliers/contractors should have in place.

More than half of respondents are not asked to demonstrate a competent standard of IT security practices to their own banks and/or customers.

Take up of cyber insurance remains low

52.8% of respondents’ organisations are engaged with the insurance market in one way or another. 

Marsh’s experience and earlier findings in this survey suggest that the remainder are not yet ready to approach the market as they have an incomplete understanding of the risk, as opposed to them making a conscious decision not to purchase insurance following a value-based judgment.

This latter explanation would tie in with the earlier finding that 68.1% of organisations have not identified one or more cyber scenarios that could most affect their organisations. Organisations such as these, because they have not carried out the financial assessment required are in a poor position to approach the insurance market and place a value on transferring the risk. The survey data therefore suggests that more work needs to be done by organisations and their professional advisers, including their insurance brokers, to help improve their understanding of cyber risk and their cyber exposures and demonstrate what value insurance can bring.

The insurance market continues to address the issues that represent organisations’ greatest concerns: a standard cyber insurance policy can deliver cover against breach of customer information (31.9%) and business interruption (22.2%), while computer crime/fraud (12.5%) can be insured against via a comprehensive crime insurance policy. The insurance market is also making inroads to deliver meaningful cover for reputational loss (8.4%).

Of particular interest is that none of the respondents from the industrial sectors identified physical property damage as a priority risk, despite a lot of recent attention being given to the threat that exists to critical infrastructure and the potential for tampering with industrial control technology.

The findings suggest that companies recognise that cyber insurance is not a holistic solution in dealing with cyber exposure and that, in fact, it covers only certain specific events and outcomes.

Cyber exposure might attach itself to a number of different insurance policies that need to maintain an effective response when the loss or liability outcomes are created by cyber events. 48.6% of respondents admit to having “insufficient knowledge” in order to assess the insurances available, which may suggest a lack of insight into what can be insured by a cyber insurance policy. However, in view of the earlier findings, this figure might also indicate that a lack of understanding of their firm’s own risk profile places many respondents in a position where they are unable to make an informed judgment as to whether the cover is appropriate.

Cyber insurance is not a holistic solution in dealing with cyber exposure and covers only certain specific events and outcomes.

Marsh’s conclusion

Clearly, there is still a lot of work that needs to be done by UK organisations in order to improve their understanding and management of cyber risk. Achieving a high level of understanding is essential as it serves as the foundation stone upon which all other cyber risk transfer and mitigation decisions need to be made.

The solution to this lies in the boardroom, and it is still a great concern that the board takes primary responsibility for cyber risk in only 19.4% of organisations surveyed. Only with board-level buy-in can companies take the big strides needed to advance their knowledge and perform the financial modelling required. Proper assessment and quantification of the risk will lead to better targeted mitigation, practical improvements in risk management, and the ability to judge the value of the risk transfer options available on the market.

One particularly interesting, and somewhat remarkable, finding to emerge from this year’s survey is 69.4% of respondents’ organisations do not assess the suppliers they trade with for cyber risk. Supply chains are proven to be a critical vulnerability in corporate IT networks, yet there appears to be too little work being done to ensure that the entities with which companies share system links are following basic good security practices.

This has to improve because, for all the proactive steps taken and money invested to harden corporate networks against cyber-attacks, a security breach at a contractor or service provider, for example, could allow hackers to circumvent all of that.

The insurance industry can play and is already playing a role in that assurance process; however, more work needs to be done in order to move the security focus away from the edge of the corporate network and to the heart of strategic decision making.

The full report with the references can be found here.
