Recently, insurance market specialist, Lloyd’s, and risk modeling platform, Cyence, published a report, which looked at the global cost of cyber attacks on businesses. The findings cited that economic losses from cyber events have the potential to be as large as those caused by major hurricanes. While digitalization in revolutionizing business models, it is also making global economy more vulnerable to cyber-attacks.
The report presented two different types of hypothetical cyber-attack scenarios; a cloud service provider attack and a mass vulnerability attack. Both were constructed to quantify the wide variety of damages that can occur and increase the understanding of cyber-risk liability and aggregation for insurers and risk managers. As mentioned above, every calamity whether, physical or digital has a loss attached to it. When it comes to the digital realm, is monetary loss more important or the loss of data?
This brings us to the question; has the world and businesses become more wary of cybersecurity and vulnerability after the recent WanaCrypto and Petya cyber attacks, which left large companies and individuals losing a lot of money and data?
Matthew Johnston, Area Vice President, ASEAN & Korea, Commvault says that security has been a topic of growing importance for businesses, but implementing security measures isn’t necessarily the biggest issue around the WannaCry and Petya attacks. Increasingly, the discussions are turning toward what businesses should do once they are breached, not if, and at the heart of that conversation is data.
It seems data has become the lifeblood of businesses, inevitability now that we live in a digital world, and as their most important asset, they cannot afford to lose it. Businesses that know their data understand that these recent attacks underscore the importance of protecting it. They have not only put in place essential security measures, but also looked in detail at what data assets are at risk, who needs to be notified, and what, if any, remediation plan needs to be followed.
“Recent regulatory measures reflect the maturity of the data conversation now occurring worldwide. Singapore’s proposed Cybersecurity Bill, China’s Cybersecurity Law and European Union’s General Data Protection Regulation (GDPR), have an immense focus on the regulation of data and the need to manage and protect it,” adds Johnston.
“As a result of these conversations and regulations, board-level executives have taken heed. They in turn have created a trickle-down effect in terms of decision-making and enforcement of policies within the organisation. Functions within an organisation that may have previously seen data management as an ‘IT matter’ are now taking a closer look at it as a key business issue.”
Is Cyber Insurance a need?
The study shows that organisations are responding to this risk awareness through their purchase of cyber liability insurance protection. In turn, the insurance industry is looking to develop solutions to protect those insurance risks at a time when there is limited publicly available information on the potential range and scale of cyber events.
Both the scenarios mentioned above also show that there is an insurance gap of between $4 billion and $45 billion in terms of the cloud services scenario, meaning that between 13% and 17% of the losses are covered, respectively. The underinsurance gap is between $9 billion and $26 billion for the mass vulnerability scenario, meaning that just 7% of economic losses are covered.
Taking this point into consideration, do businesses really need cyber insurance if they already have a robust cyber security practice in place, which again brings up the dilemma of money vs data? Kane Lightowler, Managing Director, Asia Pacific and Japan, Carbon Black states that Cyber insurance should, in no way, be the primary mechanism used to protect a business financially.
“A vehicle owner will not drive haphazardly simply because he has vehicle insurance. Similarly, businesses should ‘drive safely’ by making sure they can detect, prevent and respond to advanced cyberattacks. Once a robust cybersecurity plan is established, businesses can opt to augment their risk by purchasing cyber insurance. However, cyber insurance cannot replace cybersecurity.”
According to the report, a single cyber event has the potential to increase industry loss ratios by 19% and 250% for large and extreme loss events, respectively. This illustrates the catastrophe potential of the cyber-risk class.
However, money and time are not the only things that are of importance. Johnston of Commvault says that the availability of cyber insurance may offer some financial relief, the fact is that data loss has far deeper-reaching consequences than monetary compensation will ever be able to solve.
“A company’s reputation, for example, is exponentially damage the longer an incident remains unresolved, regardless of how much money a business has or is compensated. This underscores the importance of having a comprehensive data management and recovery strategy as this is the only means to minimize inevitable damage that cannot be covered through insurance.”
Frameworks, regulations and compliance; boon or bane?
In India, the Department of Electronics and Information Technology has a National Cyber Security Policy, which aims at protecting the public and private space from cyber attacks. Other countries too have their own cyber security policies as Johnston mentioned. But the question is, with such a framework in place, why is there still a need of private cybersecurity and cyber insurance practitioners?
Lightowler of CarbonBlack thinks that cybersecurity frameworks are only as strong as their adoption rates, businesses need to put in the work and the time to map their security programs to the established requirements. This doesn’t always happen universally. As a result, and because compromise can still occur, cyber insurance is an option that some businesses consider, though businesses should look carefully at what various plans cost and what elements they cover. Generally speaking, he says, most insurance plans only cover forensics costs, breach notification costs, and credit monitoring.
Data breaches involving sensitive information of individuals and companies are increasingly driving the introduction of legal obligations to notify the affected individuals. The report states that Governmental regulatory bodies across many jurisdictions can bring actions against organisations for failure to comply with laws and regulations regarding information security and privacy. This coverage will continue to be increasingly important as more countries adopt data-breach regulations.
Increases in zero day vulnerability disclosures and the resulting mass data thefts may leave the public weary of engagement with increasingly digital platforms. These circumstances increase the likelihood of movement towards a more nationalistic view, resulting in increased borders and regulations of cyber space. Some people believe that a series of large hacks could remove trust in the economy, causing governments to impose new regulations and institutions to slow down the pace of technology innovation.
Talking about the regulations and compliance policies imposed by governments, do these complex laws act as a barrier for companies to accede to cyber insurance and threat aversion tactics? Looking at it from a positive angle, Johnston suggests that companies shouldn’t see regulation and privacy laws as barriers to their business, but as validation of the need to properly understand and know their data.
“Companies face a large set of complex regulations, but many businesses are still in the process discovering the value of data. Regardless of the intent or effectiveness of existing regulatory policies, we find it is within our domain to help companies first understand and know their data.”
He states that only when companies have enough of an understanding of the issues around their data they will be able to have an informed debate on whether the current regulatory environment is appropriate, and what changes, if any, are required.
Asian companies lagging behind
The report also states that compared to US, Asian countries are under-insured and economically vulnerable against cyber-attacks. Reiterating this, an article in BT quoted Kent Chaplin, CEO, Lloyd’s APAC, saying that Asia is still slow to take up cyber insurance compared to US, even though there is a greater awareness and demand. But why is it lagging behind? Based on Lightowler’s experience, businesses in Asia are only now coming around to accepting that cybersecurity is a critical business element.
“In that regard, I’d say Asia is bit behind their peers in Europe and in the U.S. The good news is that awareness of cybersecurity risk has never been more prevalent. Before considering cyber insurance, businesses should make sure they are equipped to detect, prevent and respond to threats, he adds.”
Johnston has a different view, as he leans more towards the importance of data, he says when businesses, regardless of the country understand and manage their most valuable asset – data – only then they are in a position to best handle and limit their risk. That still applies if their data is stored on-premises, or in a completely different country in the cloud. For that reason, overall data risk is difficult to quantify based purely on where a business is located.
The way forward
Some may point towards the presence of relevant legislation to give some indication of which regions in the world are taking a more mature approach to data management. The European Union has its General Data Protection Regulation, China recently introduced its own cybersecurity laws, Australia is known for its cybersecurity and privacy stances in particular, and Singapore has its own cybersecurity bill.
However, these only paint part of the picture. In many cases, data sovereignty issues limit the effectiveness of these legislative instruments, or worse, businesses have to deal with increased complexity when data falls under the purview of multiple regulations and jurisdictions. The effectiveness of passed legislation also still remains to be seen, with the vagueness of China’s laws an increasing concern for businesses.
Businesses should not consider their data more or less at-risk due to their physical location. Business has moved into the digital world, which knows no geographical boundaries. The best means a business has in protecting its data, is to first understand it, regardless of where it is stored.
In conclusion, Lightowler suggests that education in cyber security is all about understanding risk. Risk cannot be reduced to zero, only managed within appropriate boundaries. Security technology is used to reduce risk. Asian companies should look very carefully at what cyber insurance plans cover and how much the plans cost before moving forward.
Having said that, there is no clear difference between money and data. Many companies and individuals believe that the product of the time and money invested in the digital realm is data. However, in the wake of constant cyber-attacks happening globally, crippling industries and systems, ransomware is also a big concern, which has costed people thousands of dollars. And as per the report it can go up to millions if both data value and monetary value is combined. Hence, it is imperative for governments and private agencies to work in tandem for averting and responding to a large scale cyber-threat. Just like they do for hurricanes.