Cyber risks – prevention through a two pronged strategy


Cyber Risks – Prevention through a Two-Pronged Strategy
Risk Assessment, December 2013, Blog Post


Increased use of technology brings increased risk of cybercrime attack

Today more and more firms are conducting business over the internet, and ongoing technology innovation offers great benefits to businesses and ultimately to their customers. Not only large global multinationals but also small local businesses and startups use the online infrastructure to facilitate cost savings and faster communication. However, this increased use of technology comes with a key challenge in the form of cyber risks and protection against them.

Additionally, the interconnected nature of the business world and increased mobility have put pressure on the cyber security function. Future data breaches are expected to be global in nature, adding significant complexity to the data-breach response process. With the rise of business outsourcing and cloud computing, a considerable amount of sensitive data is stored in large data centers across the world and very often travels across national borders.

There is significant variation in the average cost of a cyber attack among companies in different geographies. The US reports the highest total average cost at around USD 10 Mn and the UK reports the lowest. US companies are much more likely to experience cyber attacks in the form of malicious insiders, malicious code and web-based incidents, which are considered the most expensive types of cyber attacks.

Cyber security is not enough to prevent potential risks

To prevent cyber attacks, companies employ cyber-security measures including a combination of technology and security procedures. The scale and scope of cyber attacks are increasing day by day, which is motivating firms to invest in security technologies such as firewalls, intrusion detection systems and other authentication systems. Although these security systems may reduce vulnerabilities and losses from security breaches, it is not clear to firms how much they should invest in IT security.
Flaws in IT systems change dynamically and new attacks are released daily. This ever-changing face of the cyber threat demands continuous assessment of exposure to security breaches. Hackers and cyber attackers keep devising new ways to penetrate firms’ IT systems, which makes a complete preventive measure technologically impossible and, in some cases, even undesirable because of the high cost of preventive maintenance. Technology investments combined with insurance to hedge risk seem to be the best option as a two-pronged strategy to minimize loss through cyber attacks. Some risks of security attacks can be minimized or avoided with investment in security protection products and personnel.



Two options are available for the risks that cannot be avoided:

• Outsource the risk by transferring it to an external insurance company
• Assume the risk internally via self-insurance

Small organizations that cannot afford to transfer the risk due to premium costs should make sure that the probability of risk from a security attack is low enough to assume internally. For large organizations that can afford to transfer risk externally to an insurance company, hedging through insurance seems to be the best option, but it has the following set of limitations:

• Risks must be tangible so that they can be predicted, avoided, or mitigated
• Potential loss must be identified and quantifiable

Cybercrime insurance categories

Security of IT assets of one company is dependent on security of IT assets of other companies. This interdependency has an impact on firms’ motivation to invest in IT security and also affects the insurance coverage. Cyber insurance can be an extremely valuable asset in an organization’s strategy to address and mitigate cyber security, data privacy, and other risks. But selecting and negotiating the right insurance product can be challenging in terms of deciding on the adequate match with the organization’s risk profile among the many “off the shelf” policies. To overcome these challenges, companies should be familiar with the first-party risk exposures and the third-party liability exposures before choosing an insurance coverage.

First-Party Insurance

Provides protection for the property owned by the Insured Organization for the following Risk Exposures:

• Provides protection against loss or damage to digital assets
• Protection against business interruption from network downtime
• Customer notification expenses
• Protect against cyber extortion and theft of money and digital assets

Third-Party Liability Insurance

Provides protection against a wide range of third-party risks associated with the operation of IT systems for the following Risk Exposures:

• Security and privacy breaches
• Investigation of privacy breach
• Multi-media liability
• Loss of third party data

