Brian Pennington

A blog about Cyber Security & Compliance

Tag: Cyber Risk

Technological Change and Cyber Risk Overtake Regulation as Top Risks for Insurers

The global insurance industry’s ability to confront structural and technological changes is now the greatest risk it faces, according to a new survey of insurers and close observers of the sector.

The CSFI’s latest Insurance Banana Skins 2017 survey, conducted with support from PwC, surveyed 836 insurance practitioners and industry observers in 52 countries, to find out where they saw the greatest risks over the next 2-3 years.

Insurance Banana Skins 2017
(2015 ranking in brackets; (-) means the risk was not ranked in 2015)
1 Change management (6)
2 Cyber risk (4)
3 Technology (-)
4 Interest rates (3)
5 Investment performance (5)
6 Regulation (1)
7 Macro-economy (2)
8 Competition (-)
9 Human talent (15)
10 Guaranteed products (7)
11 Political interference (16)
12 Business practices (11)
13 Cost reduction (-)
14 Quality of management (12)
15 Quality of risk management (10)
16 Social change (20)
17 Reputation (18)
18 Product development (17)
19 Corporate governance (21)
20 Capital availability (22)
21 Complex instruments (25)
22 Brexit (-)

Change management is at the head of a cluster of operating risks which have jumped to the top of the rankings. The report raises concerns about the industry’s ability to address the formidable agenda of digitisation, new competition, consolidation and cost reduction it faces, especially because of rapidly emerging technologies which could transform insurance markets, such as driverless cars, the ‘internet of things’ and artificial intelligence.

Cyber risk follows close behind, with anxiety rising about attacks on insurers themselves as well as the costs of underwriting cyber-crime. Other major concerns include the adequacy of insurers’ internal technology systems and new competition, particularly from the ‘InsurTech’ sector.

The next cluster of high-ranking risks, interest rates, investment performance and macro-economic risk, shows that concern about economic instability remains high. Although respondents acknowledged signs of growth, confidence in the recovery is not strong for reasons as widely dispersed as the slowdown in China, the risk of Trump-era protectionism, and populism in Europe. The risk of political interference was seen to have risen sharply. However, Britain’s exit from the EU was seen to be a minimal source of risk for insurers, particularly those without operations in the UK.

Regulatory risk, which has topped the last three editions of this survey, has fallen out of the top five this year. This is largely because recent regulatory changes are settling in to business as usual (e.g. Solvency 2), though the cost and complication of regulation continue to be a concern.

The report shows that the industry’s ability to attract and retain human talent is a fast-rising concern, particularly to handle the digital challenge. Conversely, an area of declining risk is the governance and management of insurance companies. These were seen as high-level risks during the financial crisis but have fallen sharply since, because of both initiatives from the industry itself and regulatory pressure.

Overall, the climate for insurers is becoming more challenging, according to respondents. The 2017 Banana Skins Index, which measures the level of anxiety in the industry, is at a record high, while the industry’s preparedness to handle these risks has fallen from 2015.

David Lascelles, survey editor, said: “For the first time in six editions of this survey, operating risks pose the greatest threat to insurers. Structural and technological changes to the industry could upend traditional business models. At the same time, insurers are grappling with a very difficult economic climate, which helps explain why anxiety is at an all-time high.”

Mark Train, PwC Global Insurance Risk Leader, comments: “Both the challenges and opportunities presented by change underline the vital importance of being clear about where you’re best able to add value, and then being ruthless in targeting investment and management time at these priorities. A key part of this ‘fit for growth’ strategy is differentiating the capabilities needed to fuel growth, ‘good costs’ targeted for investment, from low-performing business and inefficient operations, ‘bad costs’ targeted for overhaul or elimination.”

Cyber insurance: trying to quantify risks

Bloomberg Intelligence August 24, 2015

This analysis is by Bloomberg Intelligence analysts Charles Graham and Edmond Christou. It originally appeared on the Bloomberg Professional Service.

Personal data theft, cyber-attacks whet appetite for insurers

The value of personal data stored on corporate databases is rapidly increasing. For EU citizens it is set to reach 1 trillion euros ($1.4 trillion) by 2020, according to Boston Consulting Group. This is raising the need for greater protection. The increased incidence of data breaches and misuses as hackers become more sophisticated has also imposed greater regulatory requirements on businesses. Companies are seeking new products from insurers to limit the cost of interruption, reputational damage and penalties.

Companies Impacted: While cyber risk potentially affects many classes of business, there are a number of providers including AIG, Allianz, Munich Re, Swiss Re and Zurich Insurance Group, as well as specialist insurers like Beazley and Hiscox, which have developed specific cyber products.


Insurers view industry as ill-prepared for risk of cyber theft

Cyber theft is top of the list of risks for which businesses are least prepared, according to Allianz’s 2015 Risk Barometer Survey. Companies need to understand the potential effect of a cyber-attack on their supply chain, the liability they could face if they can’t deliver products on time and the legal penalties if they lose customer data. While computer systems can be improved, it is impossible to make them entirely secure. This is creating opportunities for insurers.

Companies Impacted: Allianz’s 4th Risk Barometer Survey was conducted among global businesses and risk consultants, underwriters, senior managers and claims experts within Allianz in October and November 2014. Insurers offering cyber-risk cover include AIG, Allianz, Zurich, Beazley and Hiscox.

Swelling cyber-attack costs are driving wider insurance coverage

The average cost of a data breach has increased to $3.79 million, according to a study by the Ponemon Institute based on a survey of 350 companies in 11 countries. This cost has increased by 23% since 2013. The average cost for each lost or stolen record containing sensitive information rose to $154 this year from $145 in 2014. Concerns about data breaches and privacy have led to legal reforms in the U.S. and Europe, which may help drive demand for cyber-insurance.

Companies Impacted: Increasing cyber-attacks have driven insurers such as AIG, Allianz, Beazley, Hiscox and Zurich Insurance, to expand their product offerings to include first- and third-party coverage for cyber-risk.

Retailers face biggest threat from cyber theft, data breaches

Retailers face the biggest threat from data breaches, according to figures compiled by Zurich Insurance. The food and beverage industry is second in line for hackers, followed by hospitality, finance and professional services. Carphone Warehouse discovered on Aug. 5 that personal data of 2.4 million of its customers and encrypted credit card details for 90,000 clients may have been accessed in a data breach. Insurers are tailoring products to meet different industries’ cyber risks.

Companies Impacted: Insurers work with companies to identify best practices in data privacy and security to help to minimize the financial cost should a breach occur. AIG, Allianz, Beazley, Hiscox, Zurich Insurance are among the companies to have developed cyber-insurance coverage.

Die hard 4.0 cyber scenario could cost more than $1 trillion

A cyber-attack on the U.S. power grid could cost $243 billion rising to more than $1 trillion in the most extreme scenario, according to a study by Lloyd’s of London and the University of Cambridge. The report examines the insurance implications of a major cyber-attack. It depicts a scenario where hackers shut parts of the grid, plunging 15 U.S. states and Washington DC into darkness, leaving 93 million people without power. Insurers are just starting to wake up to the scale of potential losses.

Companies Impacted: Cyber-insurance risks are widely underwritten at Lloyd’s with 47 managing agents offering cover, including quoted groups Beazley, Hiscox and Novae. Lloyd’s introduced new risk codes for data and privacy breaches and cyber-related property damage in 2015.

Swiss Re joins forces with IBM to fight cyber threat

Munich Re has partnered with Hewlett-Packard and Swiss Re with IBM to develop solutions that offer clients cyber protection and provide support in the event of a security breach. IBM will assess clients’ external and internal vulnerability to cyber-attacks and offer options for mitigating these risks. IBM’s security platform provides intelligence to help organizations protect their clients’ data, applications and infrastructure.

Peer Comparison: Swiss Re’s Corporate Solutions business is one of a number of insurers offering cyber coverage. Other companies include AIG, Allianz and Zurich Insurance.

Cybersecurity: The Looming And Growing Threat

Corporate legal spending on cybersecurity issues hit $1 billion last year, according to the BTI Legal Spending Outlook. It’s easy to see where this money is going: By 2018, more than 50% of organizations will use outsourced providers for security, Gartner predicts.

Here are seven trends expected to impact CIOs, law firms, and their clients in the year ahead:

1. Banking on IT and law firms’ vulnerability

In the wake of last year’s cyberattack that affected 80 million J.P. Morgan Chase customers, several banks asked their law firms to implement stronger security measures. Today, several banks and major U.S. law firms are collaborating to create a formal group by year end where they can share best practices with each other and government agencies.

“Law firms increasingly are seen as potential weak links,” the Wall Street Journal reported. “Clients often entrust them with everything from valuable trade secrets to market-moving details on mergers and acquisitions.”

2. Data breaches growing more common

More than one-quarter (27%) of chief legal officers reported a data breach within the past 24 months, according to the Association of Corporate Counsel‘s recently released 2015 CLO Survey. Healthcare CLOs were most vulnerable: almost half reported a breach in the last two years, compared with approximately one-fourth among CLOs in other lines of business, the report found.

3. Changing Regulatory Landscape

This year, the European Union is expected to roll out more stringent disclosure and liability requirements that it will start enforcing in 2016. This could lead to a business boom for law firms, and it will likely also necessitate educational outreach: 77% of European companies surveyed by security developer Sophos did not know whether or not they were compliant with current standards.

Across the pond, President Barack Obama also has called for changes to the Computer Fraud and Abuse Act, the federal anti-hacking statute.

4. Crashing Mobile

Today, 96% of lawyers at firms with 100 or more attorneys use a smartphone, according to the American Bar Association’s annual Legal Technology Survey. And 49% of all lawyers surveyed use a tablet, the report found.

This makes attorneys vulnerable to a growing number of viruses, spam, and attacks specifically targeting mobile devices. If unprotected by even a basic password or biometric safeguard, lost devices leave a firm vulnerable to stolen data. Across industries, only 54% of respondents implemented a mobile security strategy in 2014 compared with 42% the prior year, a PricewaterhouseCoopers study reported. In addition, 47% now use mobile device management (MDM) or mobile application management (MAM), versus 39% in 2014, PwC said.

Across all industries, 46% of IT decision makers plan to increase security spending for mobile this year, Ernst & Young determined.

Advances in wearables and future decisions in how and whether healthcare can incorporate data from devices such as fitness monitors will further complicate mobile security for firms involved in these areas and the CIOs who support them.

5. Insurance at a Premium

Organizations increasingly invest in cybersecurity insurance, to lessen the potential impact of a breach, network damage, or business interruption. Once offered by only a handful of specialized firms, these plans now are available from a wide array of insurers.

To attain cybersecurity insurance, organizations typically must undergo audits and other processes to assure the insurer of the firm’s viability. CIOs, in partnership with governance, risk-mitigation, or the COO, are then assured both of the caliber of the firm’s existing security set-up and of financial coverage should the unwanted occur. Cybersecurity insurers include: AIG; Chubb Group of Insurance Companies; Marsh USA; Philadelphia Insurance Companies, and Travelers Indemnity Co., among many.

6. Ignore Social Niceties

Many law firms hire outside experts to conduct vulnerability assessments and craft strategies to combat social engineering. Many experts advise staff to reset passwords frequently and to use passwords that contain symbols, capital letters, and numbers. Best practices must also address common phishing scams, especially those targeting corporate or client contact information or employee data. Fake apps, fraudulent social media contacts, and hackers masquerading as maintenance staff are all favorite guises for social engineers.

7. All for One, One for All

Security is not exclusively the CIO’s or CSO’s responsibility. Rather, security must be woven throughout a law firm so that every employee, partner, and attorney cares about it and acts with security in mind. Communication between departments, to ensure security procedures are effective but not onerous, helps develop a security-conscious environment.

Frequent reminders, via screensavers, automated systems, brief self-paced videos, or occasional webinars, keep security measures in everyone’s mind. Responding quickly to users’ needs, so that they are not tempted into rogue setups of their own, removes a further source of vulnerability.


The insurance implications of a cyber attack on the US power grid

The threat of cyber attack reaches every part of modern society, and insurance could have an important role to play in helping organisations to manage their cyber risk exposure.

However, there is a significant level of uncertainty attached to the impact of severe events. Lloyd’s of London has published a research report that aims to contribute to the knowledge base required to develop the next generation of insurance solutions for the digital age.

The research estimates the economic and insurance impacts of a severe, yet plausible, cyber attack against the US power grid. While the analysis focuses on the USA, we believe that it provides a framework for thinking about severe cyber attacks anywhere in the world. The key findings of the report are:

  • The attackers are able to inflict physical damage on 50 generators which supply power to the electrical grid in the Northeastern USA, including New York City and Washington DC.
  • While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers a wider blackout which leaves 93 million people without power.
  • The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario.
  • Insurance claims arise in over 30 lines of insurance. The total insured losses are estimated at $21.4bn, rising to $71.1bn in the most extreme version of the scenario.
  • A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
  • The sharing of cyber attack data is a complex issue, but it could be an important element for enabling the insurance solutions required for this key emerging risk.

The report can be found here.

Risk managers identify the “big three” risks causing them their greatest concern

Risk managers identify technology, supply chain and regulatory as the “big three” risks currently causing their organisations the greatest concern, according to a survey of 500 companies in Europe, the Middle East and Africa conducted for global insurer ACE’s Emerging Risks Barometer 2015. People risk sits just outside the top-three, while geopolitical risk completes the top-five emerging risk categories.

Technology risk

Technology plays a role in almost every business’s strategic planning, whether in the development of new services or products or as an enabler of operational effectiveness. When it comes to technology risk management, however, our research suggests that companies may not be focusing on the right areas, due to a lack of knowledge about the most likely sources of threat.

Which of the following risk categories are currently causing you greatest concern as a business?
  • 43% Technology risk (including cyber security)
  • 31% Supply chain, finance and logistics risk
  • 27% Regulatory and compliance risk
  • 26% People risk (including risks to people such as personal accidents and disease, risks caused by people such as fraud and labour disputes, and talent risks)
  • 25% Geopolitical risk (including regime change, asset confiscation, trade credit risk, currency restrictions, protectionism)
  • 21% Reputational risk
  • 18% Management liability risk (including directors & officers liability)
  • 15% Environmental liability risk (such as pollution or failure to understand/comply with local regulation)
  • 15% Natural catastrophe risk
  • 14% Terrorism and political violence risk

Supply chain risk

As in our 2013 Barometer, supply chain risk remains a major concern. As companies expand into new markets using ever more complex networks of suppliers and partners the supply chain is at once an enabler of growth and a key source of risk.

In recent years, we have seen major disruptions to supply chains caused by events such as Hurricane Sandy, which prompted the most extreme fuel shortages since the 1970s, and 2014’s widespread flooding in India and Pakistan, which caused US$12 billion in losses. After responding admirably to these and other catastrophes, risk managers say they have achieved a better handle on business interruption risk.

Today, businesses are better prepared and therefore less concerned about interruption caused by natural disasters. Instead, they are focusing more on issues that can harm their corporate reputations. Our respondents rank unethical labour practices as their biggest supply chain worry. Yet 61% admit they cannot always vouch for the ethical and trading standards of every company in their supply chain.


Which of the following risks currently consume the most time and resources in your organisation?
  • 47% Technology risk
  • 32% Supply chain, finance and logistics risk
  • 29% Regulatory and compliance risk
  • 28% People risk
  • 25% Geopolitical risk
  • 23% Reputational risk
  • 14% Management liability risk (including directors & officers liability)
  • 12% Environmental liability risk
  • 12% Terrorism and political violence risk
  • 11% Natural catastrophe risk
  • 2% Don’t know / Not applicable

Regulatory and compliance risk

27% of respondents say regulatory and compliance risk is among their greatest concerns. The category also comes third in the list of risks with the potential to cause significant financial impact over the next two years, cited by 27% of respondents, and third in the list of risks consuming the most time and resources (29%).

Which of these risk categories do you expect will have the most significant financial impact on your business in the next two years?
  • 47% Technology risk
  • 31% Supply chain, finance and logistics risk
  • 27% Regulatory and compliance risk
  • 26% Geopolitical risk
  • 25% People risk
  • 22% Reputational risk
  • 17% Management liability risk
  • 11% Natural catastrophe risk
  • 11% Terrorism and political violence risk
  • 10% Environmental liability risk
  • 2% Don’t know / Not applicable

While highly regulated sectors such as financial services and energy face the most extreme regulatory challenges, no company is immune. As businesses pursue growth on a global scale, they face a patchwork of regulatory regimes, across markets and jurisdictions.

Other risks to watch

The rise of people risk

People risk only narrowly missed out on a place in our Big Three Risks. Over a quarter (26%) say this risk, including risks to people, risks caused by people and talent risks, is among their greatest concerns.

34% say their greatest concern in relation to people risk is time lost to labour disputes. In recent years, we have seen substantial labour action in the UK and Germany as well as in supplier nations such as China. At the same time 75% of respondents say recent global events, such as political unrest in Ukraine and the Middle East are causing them to review their travel and security policies.

Geopolitical risk to grow in importance?

Regime change, asset confiscation, protectionism and other geopolitical risks also pose a real threat for business. Respondents today are largely confident in their ability to manage this risk, but only 30% say they are very confident. As a quarter (26%) also believe geopolitical risk will have a significant financial impact over the next two years, we could expect the risk to appear higher in the future, especially as companies continue to expand overseas.

Respondents are primarily concerned about foreign governments cancelling operating licences, concessions or contracts. The majority (68%) believe foreign governments are already making it more difficult for them to plan ahead.

The majority of risk professionals without coverage are considering purchasing cyber insurance

RIMS, the risk management society™, has conducted its first Cyber Survey 2015 to explore strategies implemented by risk professionals, including insurance investments, exposures, cyber security ownership, government involvement, as well as identification methods and response procedures.

Responses came in from 284 of RIMS U.S. professional members in various industries, with 58% of respondents coming from organizations that produce more than $1 billion in annual revenue.

RIMS said it conducted the survey, in part, to identify the methods and response procedures used by its members, and to uncover the strategies they have in place against cyber threats, including insurance investments, exposures, cyber security ownership and government involvement.

RIMS President Rick Roberts said that the new information is intended to give “the global risk management community valuable insight, showing how organizations are trying to stay ahead of this top concern”

Key survey findings:

  • 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.
  • The top three first party exposures reported are:
    1. 79% reputational harm
    2. 78% business interruption
    3. 73% data breach response and notification
  • 51% said their companies or organizations purchase standalone cyber insurance policies.
  • 58% of those with cyber insurance policies carry under $20 million in cyber coverage, and just under half of those said they pay more than $100,000 in premium.
  • 74% of respondents who said their companies lack cyber coverage are considering getting it within the next 12-24 months.

The Evolution of Cyber Risk – an ACE Infographic

[Infographic: Evolution of Cyber Risk, parts 1 and 2]

Non-Executive Directors have a responsibility to understand cyber security risks and resilience

Non-Executive Directors have a responsibility to understand cyber security risks and resilience in order to best protect the interests of their business, according to AXELOS Global Best Practice.

A new discussion paper from AXELOS calls for more training on cyber security risks and resilience for non-executive directors on company boards. ‘Mind the Information Gap: Non-Executive Directors and Professional Development’ identifies that non-executive directors on audit and risk committees are in a unique position to improve the resilience of their companies – but that many may not currently have access to the training and skills necessary to do so.

Nick Wilding, Head of Cyber Resilience Best Practice at AXELOS, said:

Some organizations can be complacent about the cyber risk, believing that ‘we’re not a target; we’re too small and don’t have anything of value to a hacker.’ The reality is that everyone in a business needs to be aware of cyber security risks and resilience strategies, but particularly those in senior roles. Companies need to ensure that their board members are able to learn about these issues. This is the best way to ensure that a company is as prepared as possible for any incident or attack

The discussion paper recommends that companies introduce a professional development strategy for senior executives designed to address this lack of understanding of cyber security issues at board level. This will help board members build cyber security risks into their broader understanding of their organization’s ‘risk appetite’. It will also ensure that they have the capacity to understand and question audit, risk and compliance reports that are provided by the organization.

It also argues that, as a consequence of this better understanding, strong relationships will form between specific board members and key figures from the business, such as the CIO, CISO and Risk Director, ensuring that cyber security issues have a ‘champion’ at board level.

Find the full white paper here.

Cyber insurance is a major growth area for commercial insurers

The Insurance Information Institute (I.I.I.) conducted its 19th annual Property/Casualty Insurance survey and found that cyber-crime is exposing businesses, both in the U.S. and abroad, to greater levels of liability than ever before, which is why the cyber insurance market is far from saturated.

The survey’s key findings are below:

  • 80% of executives said they see Cyber insurance as a major growth area for commercial insurers
  • 78% expect industry capacity (as measured by policyholder surplus) to increase in 2015
  • 72% believe the federal government is interested in further expanding its regulatory oversight of insurers
  • 56% believe the economy will accelerate; 6% believe it will decelerate and 38% believe it will remain about the same
  • 92% believe that M&A activity among insurers/reinsurers will increase in 2015, an example being XL Group’s acquisition of Catlin for $4.2 billion

“The U.S. economy appears to be picking up steam, which translates into more economic activity and the addition of capacity. This means more businesses and people will need more insurance, implying further increases in insurance premium volume,” said Dr. Steven Weisbart, senior vice president and chief economist with the I.I.I. “Moreover, business bankruptcies in 2014 dropped below their lowest level in the last two decades, so the erosion of commercial accounts will continue to ease. As the economy inches closer to full employment, we may begin to see wage increases that outpace inflation for the first time in nearly a decade, primarily affecting the workers compensation line. Further, the low-interest rate climate, which has lasted longer than virtually everyone thought likely, is expected to begin a return to normality sometime in the second half of 2015. Absent devastating natural catastrophes, 2015 could be another profitable year for insurers.”

The sponsoring organizations of the Forum represent a broad range of insurance interests and audiences and include: ACORD, American Insurance Association, the Association of Bermuda Insurers and Reinsurers, The Geneva Association, Insurance Institute for Business & Home Safety, Insurance Information Institute, Insurance Institute for Highway Safety, International Insurance Society, National Association of Mutual Insurance Companies, National Council on Compensation Insurance, National Insurance Crime Bureau, Property Casualty Insurers Association of America, Property & Liability Resource Bureau, Reinsurance Association of America, The Institutes and Verisk Analytics.

Find the original article here.

Reducing Cyber Risk; Marine transportation system Cybersecurity standards, liability protection and Cyber Insurance

The Coast Guard Journal of Safety & Security at Sea contains a very interesting article by David Dickman, Diz Locaria and Jason Wool, “Reducing Cyber Risk; Marine transportation system cybersecurity standards, liability protection, and cyber insurance”.

An excerpt:

Within our nation’s marine transportation system (MTS), computers, information networks, and telecommunications systems support fundamental port and maritime operations.

While this technology provides great benefits, it also introduces vulnerabilities.

In several recent incidents, bad actors exploited cyber weaknesses within MTS elements with significant repercussions.

Some examples include:

  • Somali pirates have exploited online navigational data to choose which vessel to target for hijack
  • hackers incapacitated a floating oil rig by tilting it and forcing it to shut down
  • malware caused another drilling rig to shut down for 19 days, after bringing systems to a standstill
  • hackers infiltrated computers connected to the Port of Antwerp, located specific containers, made off with smuggled drugs, and deleted the records.

The full article can be found in the journal by clicking here.

Top 10 Cybersecurity Predictions for 2015 – an Infographic

Fuelled by cybercrime, cyber warfare, and cyber terrorism, the cost of cybersecurity and risk management will double in 2015. That’s the bad news. The good news is there will be a shift to cyber offense that will begin to stem the tide of cyber threats.


In 2015 the Cost of Cybersecurity and Risk Management Will Remain on Track to Double

Coalfire, the leading independent information technology governance, risk and compliance (IT GRC) firm, today released its top ten cybersecurity predictions for 2015.

“As 2014 ends, it is clear this was the year everything changed in the world of information security,” said Rick Dakin, Coalfire’s CEO and chief security strategist. “As high-profile data breaches were announced one after another, consumers stopped believing companies took protecting their information seriously. It’s time for companies to start looking ahead at the next generation of threats and to step up their game to better protect consumer data. The threat landscape is continuously evolving. If you don’t already have threat intelligence and response plans ready for implementation in 2015, now is the time.”

Coalfire conducts more than 1,000 audits and assessments of systems containing sensitive data each year. Based on the trends in those engagements, Dakin predicts the following for 2015:

  1. Motivated Threat Actors. The number and sophistication of cyber threats will continue to increase exponentially. Fueled by both geopolitics and economic incentives, international (and often state sponsored) criminal organizations will escalate their development of offensive cyber capabilities.
  2. Redefining the Defense. The demands of cybersecurity are fundamentally changing IT.  Cyber risk management and security compliance will take an equal weight to other design criteria like functionality, capacity and performance.  Financial ROIs will be balanced by a new understanding of risk exposure for sub-par solutions.
  3. Three Heads vs. One. In large organizations, there are technical roles that require the knowledge and experience of CIOs, CTOs and CISOs. While some have predicted the death of the CIO role, we see instead a balancing of responsibility between three peers.
  4. Investments Will Increase. In the face of pernicious new threats, the cost of cybersecurity and risk management will remain on track to double over the next three years.
  5. New Fronts. The expansion of mobility, cloud computing, bring-your-own-device (BYOD) policies, and the Internet of Things will provide new (and previously unforeseen) opportunities for cyber-crime, cyber-warfare, and cyber-terrorism.
  6. Universal Monitoring. As a result of cyber-incidents, every organization (or person) will be using some form of continuous monitoring service (threat, scanning, identity or credit). These will be legislated, mandated by financial institutions or insurers, or acquired on their own behalf.
  7. Business Leadership on Policy Development. Executive leadership will lead to further development and maturation of standards across private sector and governmental organizations. This approach to security and cyber risk management will reduce the potential for “unforeseen” damage from cyber-attacks, cyber warfare and cyberterrorism.
  8. New Threat Detection and Response Technologies. There will be an increased use of crowdsourcing, machine intelligence, and cognitive/advanced analytics to detect and stay ahead of threats. Bounties for catching bad actors and advanced algorithmics will help the “good guys” identify and stay ahead of the hordes of malicious players.
  9. Improved Security. New and better applications of authentication, EMV, encryption and tokenized solutions will increase the security of payments and other personal and confidential information. Apple Pay and other next-generation solutions will overcome anti-NFC inertia and lead to increasing adoption of mobile-based security technologies for both retail payment and other applications, such as healthcare, where critical and confidential information is exchanged.
  10. Back to Offense. We will see the beginnings of a shift from cyber-defense to cyber-offense: from attempting to build impenetrable systems to building systems that make it possible to identify attackers and provide the means to prosecute, frustrate or delay them.

Information Security and Cyber Liability Risk Management – a 2014 survey

Advisen Ltd and Zurich have partnered for a fourth consecutive year on a survey designed to gain insight into the current state and ongoing trends in information security and cyber liability risk management. Invitations to participate were distributed via email to risk managers, insurance buyers and other risk professionals. The survey was completed at least in part by 507 respondents.

The majority of respondents classified themselves as either

  • Member of Risk Management Department (not head) (38%)
  • Chief Risk Manager/Head of Risk Management Department (33%)

Respondents with more than 20 years of risk management and insurance experience represented the largest group at 39% of the total, followed by 25% with between 11 and 20 years, 18% with 5 years or less, and 17% with between 6 and 10 years.

A summary of the survey is below.

Perception of Cyber Risks

Respondents’ perception of cyber risk is largely unchanged from last year with 88% considering cyber and information security risks to be at least a moderate threat to their organization. Respondents do however believe that board members and executive management are viewing cyber risks more seriously.

“In your experience, are cyber risks viewed as a significant threat to your organization by:”

  • 64% said “yes” for Board of Directors (54% in 2013)
  • 72% said “yes” for C-Suite Executives (6% in 2013)

Perception of risk varies based on size of business. Although studies have suggested that small companies are targeted as frequently, if not more so, than larger companies, as a group they continue to view cyber risks less seriously. In response to the question

“How would you rate the potential dangers posed to your organization by cyber and information security risks?”

  • 81% of the smallest companies (revenues less than $250 million) consider cyber risks to be at least a moderate danger
  • 93% of the largest companies (revenue greater than $10 billion) consider them to be so.

Consistent with last year’s study, on a scale of one to five, with 5 as very high risk and 1 as very low risk, “damage to your organization’s reputation resulting from a data breach” is the biggest concern of respondents with 64% rating it a 4 or 5. This was closely followed by “incurring costs and expenses from a cyberattack” with 62%, and “privacy violation/data breach of customer records” with 61%.

In contrast, the exposure perceived as the least risky was “theft or loss of customer intellectual property” with 43% rating it a 1 or 2. This was followed by “business interruption due to customer cyber disruptions” with 33%, and “employment practice risk due to use of social media” with 32%.

Data Breach Response

Over the past year, huge and highly recognizable U.S. businesses have fallen victim to some of the largest data breaches in history. These breaches are proof that even those with the most sophisticated information security practices and infrastructures are vulnerable to a cyber-attack. Some suggest that corporate data breaches are no longer an “if” or even a “when” proposition, but rather “how bad” will the inevitable breach be. When a breach does occur, research suggests that organizations that have data breach response plans in place prior to a breach, fare much better than those who do not.

“Does your organization have a data breach response plan in the event of a data breach?”

  • 62% said yes
  • 14% said no
  • 24% did not know

“In the event of a data breach, which department in your organization is PRIMARILY responsible for assuring compliance with all applicable federal, state, or local privacy laws including state breach notification laws?”

  • IT – 38% (the highest percentage of responses)
  • General Counsel – 21%

Information Security and Cyber Risk Management Focus

Consistent with the 2013 survey, 80% claim that information security risks are a specific risk management focus within their organization. Larger companies are slightly more likely to make it a focus, with 83% of companies with revenues in excess of $1 billion doing so, compared with 77% of those with revenues under $1 billion. However, the 6 percentage point difference between small and large companies is significantly less than the 17% difference from a year ago.

The difference is even more significant when comparing the largest companies (revenues of $10 billion or greater) and the smallest companies (revenues of $250 million or less), with 92% of the largest companies making information security a risk management focus compared with only 72% of the smallest companies.

For a second consecutive year, the percentage of respondents with a multi-departmental information security risk management team or committee has declined: 52% have such a team or committee, down from 56% in 2013 and 61% in 2012. Although statistically still within the margin of error, this is a potential trend worth following. As in previous years, however, this varies materially based on the size of company, with 58% of larger companies ($1 billion in revenue or greater) claiming to have this team or committee compared to 42% of smaller companies (under $1 billion in revenue).

The departments most likely to have representation on the information security risk management team are:

  • IT – 90%
  • Risk Management/Insurance – 73%
  • General Counsel – 63%
  • Compliance – 55%
  • Internal Audit – 47%
  • Treasury or CFO’s Office – 40%
  • Chief Privacy Officer – 36%
  • Marketing – 10%
  • Investor Relations – 6%
  • Sales – 5%
  • Other – 15% (the most common write-in responses under “Other” were Operations and Security)
  • Didn’t know – 9%

The IT department is still acknowledged as the front line defense against information losses and other cyber liability risks. In response to the question “Which department is PRIMARILY responsible for spearheading the information security risk management effort?”

  • IT – 69%
  • Risk Management/Insurance – 11%
  • Other – 5% (the most common “Other” being Information Security)

Social Media

Social media provides businesses with an array of benefits such as increasing brand awareness, promoting products, and providing timely support. It also exposes organizations to a degree of risk, such as the potential for reputational damage, privacy issues, infringement of others’ intellectual property, and data breaches.

“Does your organization have a written social media policy?”

  • 74% responded yes
  • 17% no

Cloud Services

For a third consecutive year respondents were asked questions on cloud services. Thanks to their cost effectiveness and increased storage capacity, cloud services have become a popular alternative to storing data in-house. Warehousing proprietary business information on a third-party server, however, makes some organizations uncomfortable because of the lack of control over securing the information. Nonetheless, security concerns continue to be outweighed by the benefits.

“Does your company use cloud services?”

  • 66% responded yes, up from 55% last year, and 45% in 2012.

“Is the assessment of vulnerabilities from cloud services part of your data security risk management program?”

  • 51% responded yes, consistent with last year

Mobile Devices

“Does your organization have a mobile device security policy?”

  • 74% said yes
  • 15% said no
  • 13% did not know

Larger companies continue to be more likely to have such a policy with

  • 82% of large companies ($1 billion or greater) responding yes
  • 62% of smaller companies ($1 billion or less) responding yes

The use of personal handheld devices for business purposes is increasingly preferred by employees and allowed by employers. These non-company controlled devices, however, are accessing proprietary corporate information and frequently exposing organizations to a higher degree of risk.

“Does your organization have a bring your own device (BYOD) policy?”

  • 47% responded yes which is consistent with last year’s response.

The Role of Insurance in Information Security and Cyber Risk Management

The upward trend in the percentage of companies purchasing cyber liability insurance plateaued in 2014.

“Does your organization purchase cyber liability insurance?”

  • 52% responded yes
  • 35% said no
  • 13% did not know

Of the respondents who purchase coverage

  • 32% have purchased it for less than two years
  • 47% between three and five years
  • 22% for more than five years
  • The percentage of companies who buy coverage for loss of income due to a data breach dropped slightly from 54% in 2013 to 48% this year.

Finally, respondents that do not currently purchase cyber insurance were asked “Are you considering buying this coverage in the next year?” 54% said yes. This was only a one percentage point increase from 2013.

The full survey can be found here.

Cyber Data Breach – Is Your Business Ready?


Role of the Board of Directors in Information Security and Compliance

Guest Blogger Barry Schrager.

I recently read a posting “Where’s the Compliance Experience on Corporate Boards?” [i] which showed some disturbing results describing the backgrounds of the Fortune 500 Board Members in terms of Compliance.  Here are the results: 

Background    No. of Board Members    No. of Companies
Finance       1,583                   473
Legal         391                     225
Accounting    201                     165
Compliance    9                       9

Add to this the recent speech given by Securities and Exchange Commissioner Luis Aguilar at the New York Stock Exchange conference “Cyber Risks and the Boardroom”,[ii] in which he emphasized the importance of cybersecurity and how fast the need for it has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week. He cautioned,

“Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

Mr. Aguilar recommends that Boards institute structural changes to focus on appropriate Cyber-Risk Management. 

Companies must have someone on the board who is able to adequately understand and implement cybersecurity procedures. Many boards lack the necessary technical expertise to evaluate whether management is taking appropriate steps to address cybersecurity issues. This responsibility often falls to the audit committee, but it may not have the expertise or skills to add cyber-risk oversight to its long list of duties. Commissioner Aguilar recommends that boards create a separate enterprise risk committee that can provide improved risk reporting and monitoring, as well as push necessary resources and overall support to the company executives responsible for risk management.

Navy Admiral Michael S. Rogers, director of the National Security Agency and head of U.S. Cyber Command, stated:

“Military commanders must ‘own’ cyber. Networks and cyber [should be] the commanders’ business.” Commanders operate under the “flawed” notion that they can turn over network responsibilities to the unit’s information technology experts, said Rogers. “Commanders have to own this mission and integrate it into operations.” Senior officers ought to be as knowledgeable about a unit’s network capabilities and potential vulnerabilities as they would be about its fuel and ammunition supplies, he added. “The challenge to that is as much cultural as it is technical.” [iii]

There is a definite pattern here. It is clear from the survey results and statements presented above that the proper disciplines and backgrounds are not present on corporate Boards or in the military leadership. This lack of knowledge and background represents a risk for these companies and their investors that should not exist and can be addressed. Additionally, these organizations have an obligation to protect the information gathered from their customers, partners and the individuals who interact with them.

If someone on the Board was knowledgeable and asked the senior executives questions about cybersecurity and compliance, then senior management would be sure to have someone in their group capable of seriously addressing these issues. This would cascade down the organization: employees would be more focused on security and would feel free to raise their perceived security issues up the management chain and receive appreciation for their input. More importantly, the organization would obtain more effective cyber controls and compliance controls.

This is not just an IT problem, and executives cannot simply assume that it will be handled by the IT people, because it usually involves budget, procedural changes that affect other departments, and so on. If the executives do not listen to and understand what the IT Security and Compliance people are asking for, they will not fund the requested programs and projects until there is a data breach, and only then will they provide whatever funding is requested. This is not the way to operate. Organizations and people will be hurt.

Barry Schrager 

Barry Schrager is credited as one of the people who started the concept of data security when he founded and was the first Manager of the SHARE Security Project in 1972.  The project delivered a series of requirements to IBM in 1974 including data protection by default and algorithmic grouping of users and resources.  When IBM delivered its security product, RACF, in 1976, it did not meet the requirements and IBM told him they were not achievable.  So, Barry developed his own security product, ACF2, which met the requirements and was used by customers such as General Motors, the Central Intelligence Agency, the National Security Agency, Britain’s MI-5, the Federal Reserve System and the Executive Office of the President of the United States.  When Barry sold the company, SKK, Inc., it had a 60 percent market share against IBM’s RACF and CA’s Top Secret.  Under Barry’s leadership, SKK developed the first VM operating system security product, ACF2-VM, and the first automated Operating System auditing product, Examine-MVS, now known as CA-Auditor. 

In addition to that, Barry has a variety of experiences in mainframe software development, including the Neon Systems Shadow (now Rocket Software’s Shadow z/Direct), the EKC E-SRF Access Analysis product, JME Software’s Deadbolt product, the Vanguard Integrity Professionals line of RACF security products and Xbridge Systems’ DataSniff product. Additionally, Barry has done security reviews at institutions such as the FDIC and Morgan Stanley. 

Barry’s experience covers everything from software designer/developer to executive management to consulting services. 

Barry is honored to be selected as a member of the Enterprise Executive Magazine’s Mainframe Hall of Fame. 

Barry’s contact information is: BarrySchrager@cs.com / (970) 479-9377 

[i] http://www.corpcounsel.com/home/id=1202661904663?kw=Where%27s%20the%20Compliance%20Experience%20on%20Corporate%20Boards%3F&et=editorial&bu=Corporate%20Counsel&cn=20140709&src=EMC-Email&pt=Afternoon%20Update&slreturn=20140609150928

[ii] http://www.natlawreview.com/print/article/calling-all-boards-directors-four-recommendations-sec-securities-and-exchange-commis

[iii] http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=1529

How retail companies describe their Cyber Liability exposures

In a recent Willis Report: “Some Fortune 1000 Retailers Remain Silent on Cyber Threats”, Willis explain how the Retail industry compares to the Fortune 1,000 companies in their approach to Cyber Liability.

When describing the extent of cyber risk

  • 57% of retail firms disclosed their cyber exposures as significant, serious, material or critical, according to the study
  • 9% of the firms did not disclose any risks related to cyber exposures

Willis describe the results as “surprising” given that the retail industry has been the target of many of the highest profile system breaches to date, resulting in some of the largest losses, the report said.

Other key findings of the report include:-

The top three cyber risks identified by the retail sector of the Fortune 1000 include:

  1. 74% privacy/loss of confidential data
  2. 66% reputation risk
  3. 61% cyber liability

9% identified cyber risk at the hands of “outsource vendors”, which Willis described as “surprising” given the level of outsourcing across the sector and the reliance on third-party technology partners.

In detailing cyber risk remedies

  • 49% of the retail companies cited the use of technical safeguards — more than the Fortune 1000 as a whole (43%)
  • 17% of retail companies reported inadequate resources to limit cyber losses, a potential “cause for concern,” as technical protections may not be sufficient to contain the effects of some cyber or technology events, Willis said.

9% of the sector indicated they purchased insurance for cyber exposures.

In Willis’s view the actual rate of cyber insurance may be substantially higher based on additional Willis data obtained in collaboration with insurance underwriters. This places them below

  • The funds sector (33%)
  • Utilities (15%)
  • Banking and conglomerates (tied at 14% each)
  • Tech/telco and insurance (11%)
  • The media industry (10%)

The increasing frequency of “point-of-sale” breaches and “do-not-” class-action lawsuits are described as an evolving cyber exposure.

The full report can be found here.

More organisations opting to take out Cyber Insurance

In 2013 70% of organisations in a Marsh Insurance survey said they would buy Cyber Insurance compared to 78% in the 2014 survey.

Zurich Insurance identifies the “Seven cyber risks that threaten systemic shock”

A recent Zurich Cyber Risk Report argues that cyber-risk management professionals need to look beyond their internal information technology safeguards to interconnected risks which can build up relating to:-

  • Counterparties
  • Outsourced suppliers
  • Supply chains
  • Disruptive technologies
  • Upstream infrastructure
  • External shocks

Zurich warns that a build-up in these risks could create a failure on a similar scale to the 2008 financial crisis. Such interconnected risks are compounded when a company outsources the management of its servers, information technology and cyber security to focus on its core activities.

Little information may be known about the third party’s information security or business continuity safeguards and it may also in turn outsource activities to other companies.

The report calls for organisations to incorporate the best ideas from financial governance such as creating a G20+20 Cyber Stability Board to enhance cyber risk management and identifying and improving the governance of G-SIIOs (Global Significantly Important Internet Organisations).

Axel Lehmann, Group Chief Risk Officer and Regional Chairman Europe at Zurich Insurance Group, said: “The internet is the most complex system humanity has ever devised. Although it has been incredibly resilient for the past few decades, the risk is that the complexity which has made cyberspace relatively risk-free can and likely will backfire.

“Organizations are unknowingly exposed to risks outside their organization, having outsourced, interconnected or exposed themselves to an increasingly complex and unknowable web of networks.

“Few people truly understand their own computers or the internet, or the cloud to which they connect, just as few truly understood the financial system as a whole or the parts to which they are most directly exposed.”

Zurich’s Seven Cyber Risks are:-

Risk: Internal IT enterprise
Description: Risk associated with the cumulative set of an organization’s (mostly internal) IT
Examples: Hardware; software; servers; and related people and processes

Risk: Counterparties and partners
Description: Risk from dependence on, or direct interconnection (usually non-contractual) with, an outside organization
Examples: University research partnerships; relationships between competing/cooperating banks; corporate joint ventures; industry associations

Risk: Outsourced and contract
Description: Risk usually from a contractual relationship with external suppliers of services, HR, legal or IT and cloud providers
Examples: IT and cloud providers; HR, legal, accounting, and consultancy; contract manufacturing

Risk: Supply chain
Description: Both risks to supply chains for the IT sector and cyber risks to traditional supply chains and logistics
Examples: Exposure to a single country; counterfeit or tampered products; risks of disrupted supply chain

Risk: Disruptive technologies
Description: Risks from unseen effects of or disruptions either to or from new technologies, either those already existing but poorly understood, or those due soon
Examples: Internet of things; smart grid; embedded medical devices; driverless cars; the largely automatic digital economy

Risk: Upstream infrastructure
Description: Risks from disruptions to infrastructure relied on by economies and societies, especially electricity, financial systems, and telecommunications
Examples: Internet infrastructure like internet exchange points and submarine cables; some key companies and protocols used to run the internet (BGP and the Domain Name System); internet governance

Risk: External shocks
Description: Risks from incidents outside the system, outside of the control of most organizations and likely to cascade
Examples: Major international conflicts; malware pandemic

Lloyds Risk Index has Cyber Risk rising from 12th to 3rd place

Lloyds Risk Index – top 10
