Mitigating Cyberrisk in 2018

Marc D. Schein


January 25, 2018

Businesses face many risks related to technology, including the risk of a cyberbreach resulting in the loss of protected health information (PHI), personally identifiable information (PII) or payment card information. The threats are real, and the potential losses can be steep. The Ponemon Institute found in its 2017 Cost of a Data Breach report, that the average cost of a data breach in the United States in which customer privacy was compromised was about $7.35 million, or $225 per lost or stolen record.

Organizations may also incur losses through phishing (malicious email disguised as coming from a colleague, customer or financial institution to gain access to assets); ransomware (an attack that encrypts valuable information to extort funds from the victim in exchange for the data’s release); or a denial of service attack (an attack that cripples an organization’s online operations, preventing it from doing business). These scenarios were illustrated by the WannaCry and NotPetya global ransomware campaigns and the Mirai botnet DDoS attack that disrupted internet and e-commerce services in both the United States and Europe.

The WannaCry and NotPetya attacks were the broadest and most damaging cyberattacks in history. Like most ransomware, WannaCry encrypts a victim’s digital files until the victim pays for a key to unlock the files. Hackers often demand bitcoin payments of a few hundred dollars for personal files or thousands of dollars for business files. NotPetya was spread via the compromised software update service from a distributor of tax accounting software mandated by the Ukrainian government. Once NotPetya infects a system, it sets up encryption routines and attempts to spread over the network.

The Mirai attack was notable not only for its size and impact, but also for the implications. Mirai hijacked the communications of hundreds of thousands of internet-connected devices to carry out its attack. According to some estimates, there will be more than 20 billion such internet of things (IoT) devices in service by 2020. That is a significant increase in the amount of connected devices currently in use, meaning there is a corresponding increase in the risk that security vulnerabilities will be exploited for similar attacks in the future.

Whether the result of a malicious attack, technical malfunction or human error, a data breach can trigger costs related to legal, technical response and forensics, crisis management, credit monitoring, and associated services. Financial losses can also be associated with a technical failure, or fines levied by regulators. In order to help mitigate the risk, cyber insurance can provide financial protection for out-of-pocket expenses arising from a data breach. A select group of carriers have also started to offer coverage for customer flight related to loss of brand trust.

Astute business leaders appreciate that cyberrisk can be managed by coupling technology with risk transfer that protects the company and unlocks growth. A select few insurance carriers have also evolved their cyber insurance forms in order to provide coverage for losses that cause bodily injury and property damage that may have been caused by a breach of the network and/or system.

Cybersecurity should be managed as both a technical and economic challenge. It should also be viewed as an opportunity to improve performance and optimize capital efficiency—not just as a cost that needs to be managed. A quantitative analysis can enable companies to more efficiently allocate capital and other resources to reduce and manage cyberrisks. In order to fill the gaps and provide financial relief from a data breach, companies are increasingly turning to insurance, especially as increasing competition among underwriters has driven prices surprisingly low, while the breadth of coverage being offered has expanded.

Cyber insurance premiums, which totaled an estimated $3 billion in 2016, are on pace to reach $20 billion by 2020, with more than 60 underwriters offering policies in a competitive marketplace with no standard forms, definitions, exclusions or conditions to follow when underwriting a cyber policy. These costs are in addition to the more than $80 billion a year that Gartner says businesses worldwide spend on technologies intended to protect both data and the systems where data are stored and managed.

The tumult of operating in a new market amid so many unknowns and variables means businesses should work with a cyber insurance expert who can accurately identify and inventory key assets, data, systems and infrastructure essential to the businesses operations, quantify a business’ internal controls, and create a digital profile to identify internal vulnerabilities and external threats. Perhaps most critical is to work with a cyber insurance expert on quantifying a value of cyber assets at risk using modeling and technology tools.

Data protection is not easy and it is made even more difficult when investments in IT security are misallocated. Because technology and the threats posed by hackers evolve quickly, it is imperative organizations take the time to better understand their risk and to examine their networks for security vulnerabilities. Whatever an organization spends on technology, cyberrisk management starts with a highly-trained and aware workforce. It is imperative to have a security-focused culture, reinforced through continuous training and positive reinforcement.

Itzik Kotler, co-founder and CTO of SafeBreach, said that there are a number of emerging trends that may introduce previously unknown risks and how keeping pace with these innovations is imperative to minimizing cyberrisk. For example, Kotler recalled his own conversation with the chief information security officer (CISO) of a media entertainment company in the process of constructing a new office building that included features like smart lighting, smart blinds and other IoT-enabled devices connected to the corporate network.

Kotler said the CISO expressed concern about connected devices being compromised by a hacker. He was worried about the risks if the smart HVAC devices became an infection point, or worse, were used as a malicious cyberweapon. What if, for example, their data center servers were brought down because the air conditioning was no longer cooling the facilities?

According to the Ponemon study, 24% of breaches were due to human error. Despite the billions of dollars spent on technology, people make mistakes, cut corners, become reckless and are sometimes simply unaware that their behavior is outside the bounds of company policy.

In an age when doing business requires moving data from point-to-point, and every step of that process increases the level of risk for a data breach, there is little room for complacency. That is why it is imperative companies establish and enforce policies that teach their employees proper handling of data and for introduction of new technologies—including hardware, applications, mobile devices and cloud-based services—into the enterprise.

From a technology standpoint, it is important to recognize that no business—big or small—is fully protected from a possible data breach. For organizations considering the addition of a cyber insurance policy to their risk management portfolio, the message is clear: Adding cyber coverage as a hedge against the financial costs associated with a data breach is an effective way of transferring that risk.
Marc D. Schein, CIC, CLCS, a risk management consultant for Marsh & McLennan Agency, assists clients by customizing comprehensive commercial insurance programs that address the burden of financial loss through cost-effective transfer of risk.