By Jonathan Burdett, Director, PwC, Cyber Security Expert
Many attempts have been made to estimate the cost of cyber crime to the global economy, with the result being an estimated impact of somewhere between $100bn and $1tn. Organisations need to act fast.
It is not surprising, therefore, that we are increasingly seeing cyber risk appearing on Board agendas and rocketing up corporate risk registers. This leaves insurers with some interesting questions: Are there big risks to my business that I’ve not yet got under control? If this risk is significant, should I be holding capital against it? Do these risks represent a commercial opportunity which I should be looking to exploit?
Like any risk, these questions require an understanding of the risk dynamics to allow risk managers and actuaries to attempt to quantify or price it. And given the current absence of publicly available data around this rapidly changing risk, challenges are arising.
A risk on the rise
There is no shortage of data to show that cyber risk is a threat that is increasing not only in frequency but in sophistication. Industry experts estimated a 42% increase in targeted attacks in 2012, and surveys like PwC’s “Information Security Breaches” survey and “Global State of Information” survey consistently show the incidence and impact of cyber breaches to be at record levels. Security firms, including PwC, who record the threats encountered during a business’ day-to-day work, regularly report record levels of malware, phishing attacks and other internet “nasties”, and predict that this is set to rise throughout 2014.
At the same time, target organisations are becoming more complex through outsourcing, adoption of new technologies such as mobile and cloud computing, and are increasingly reliant on electronic trading with customers and business partners. This complexity means that companies are becoming harder to defend from these cyber threats.
And just to raise the stakes on all this, regulators and clients are becoming increasingly demanding on the way companies handle their data. It is rare for a corporate RFP not to include a section on information security controls, and the right to audit is being exercised with increased frequency and rigour. UK and international regulators are responding too, with the UK government investing in its Cyber Strategy, and EU’s latest proposed directive against cyber crime passing its first stage in the European Parliament in July.
Anatomy of cyber risk
One difficulty organisations are having with this risk is defining exactly what it is. Cyber risk is often broken down into a number of categories based on the types of attacker involved, the types of attack or the potential impact. Taken together, these categories provide a useful overview of the issues to consider.
In practice, the players are becoming harder to define. With the skills and capability to perpetrate cyber attacks becoming more widespread, and even available for hire at a reasonable hourly rate, the principal actors mentioned above could be joined by disgruntled employees and anyone else with a grudge. Similarly, successful attacks tend to combine all three methods above, with an initial confidence trick providing vital information with which to target hacking and malware attacks.
A possible response
So what can insurers do to try and minimise the impact to their organisation? Firstly, Boards must take responsibility for dealing with cyber. As a major risk to an organisation, it is not credible to devolve responsibility for its management to technical experts in the IT department. While their expertise is important, the Board must understand the risks it is exposed to.
Risk analysis – organisations need to think through the players, techniques and impacts outlined above, and harvest internal and external data to help quantify the risk. Once quantified, appropriate response plans need to be put in place and communicated across the organisation. We find that many organisational responses focus on preventative controls and do not take adequate account of the detection and response capability needed for such a pervasive and dynamic risk. The organisations that win the battle against cyber risk are those that share information across peer organisations, government and regulatory bodies as widely as possible. This helps with understanding the risks and the latest responses, and with such a fast moving threat, knowledge is key.