We don’t need to dwell on the severity of data breach risk, all you have to do is read the news. These threats continue to grow at an exponential rate, and cybercriminals are becoming increasingly sophisticated in their methods of attack.
Even after years of discussion and debate, cyberattacks continue and even escalate. The problem isn’t just technology breaches; breaches can be the result of employee error, improper disposal of documents, lost equipment and other non-technological failures.
As cyberattacks, hacks and data leaks proliferate in industry after industry, a holistic, enterprise-wide approach to cybersecurity has become a priority on board agendas. Companies are strengthening protections around their business models, core processes, and sensitive data. Regulators are applying their own pressures, and privacy controls are sharpening but many companies don’t fully understand the threat and don’t always prepare as well as they might.
cybersecurity must be comprehensive, adaptive & collaborative
While cybercrime is rising constantly, big and small- businesses are extremely vulnerable due to ineffective cyber security. Organizations must remain secure, vigilant, and resilient to both minimize risk and optimize new opportunities. Keeping up to date with cyber security news and knowing about security solutions is essential for all types of businesses.
Many companies lack needed information about cyber risk, the effectiveness of countermeasures, and the status of protection for key assets. Furthermore, Cyber is an important gap in most existing insurance programs. Often the risk is not covered or only insured to a limited extent.
However, such a cyber insurance is a very valuable investment in relation to the risk balance involved, as well as in terms of a global risk comparison, especially because the risk is so real. After all, several clients have already experienced phishing, hacking or network problems due to a cyber attack.
Technology has far-reaching implications in both altering the insurance risk landscape and in empowering both insurers as insurance brokers, to manage this change.
As an insurance broker of the future, Wyckaert- Comarit Insurance strives for a holistic approach to customer risk management by also evolving to become both a partner and a preventer.
Utilizing customer data to its full potential is a key component for insurance brokers to be able to take this role. This evolution revolves around participation in policyholders’ lives and the subsequent development and delivery of compelling value-added services that are fuelled by a real-world understanding of the risks customers typically face.
Also privacy compliance and information risk management play a prominent role herein, within each and every single professional enterprise. These requirements have to ensure that everything we do is compliant with local privacy and other compliance related requirements
For the first time ever, Cyber incidents (39%) ranks as the most important business risk globally in the ninth Allianz Risk Barometer 2020, relegating perennial top peril Business interruption (BI) (37%) to second place. Awareness of the cyber threat has grown rapidly in recent years, driven by companies increasing reliance on data and IT systems and a number of high-profile incidents. Seven years ago it ranked only 15th.
Businesses face a growing number of cyber challenges including larger and more expensive data breaches, an increase in ransomware and business email compromise incidents, as well as political differences between nation states are being played out in cyber space and brings therefore added risk complexity. For example, growing tensions in the Middle East have seen international shipping targeted by spoofing attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware campaigns. Even where companies are not directly targeted, state backed cyber-attacks can cause collateral damage. In 2017 the NotPetya malware attack primarily targeted the Ukraine but quickly spread around the world.
But even a successful merger or acquisition (M&A) can result in serious systems problems nowadays. Data breaches are the main cause of cyber incidents, and as companies collect and use ever greater volumes of personal data, breaches are becoming larger and costlier. In July 2019, Capital One revealed it had been hit by one of the largest ever breaches in the banking sector with approximately 100 million customers impacted. Yet this breach is by no means the largest in recent years.
Data breaches at hotel group Marriott in 2018 and credit score agency Equifax in 2017 were reported to have involved the personal data of over 300 million and 140 million customers respectively. Both companies faced numerous law suits and regulatory actions in multiple jurisdictions – the UK’s data protection regulator intends to fine Marriott £100mn ($130mn) for the breach, among the earliest and largest fines under the EU’s new privacy laws to date. In the same month – July 2019 – British Airways was provisionally fined £183mn ($240mn) for a data breach impacting 500,000 customers in 2018. Dealing with a mega breach (involving more than one million records) now costs $45 million on average– up 8% year-on-year.[1]
Ransomware incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical demand would have been in the tens of thousands of dollars. Now it can be in the millions. Industrial and manufacturing firms are increasingly targeted but losses tend to be highest for law firms, consultants and architects, for which IT systems and data are crucial. Such incidents have resulted in worldwide losses of over $26 billion since 2016 according to the FBI.
Data protection and privacy regulation, and subsequent penalties, are widening in scope and geographical reach. The General Data Protection Regulation (GDPR), which came into force in Europe in May 2018, will definitely bring a further wave of fines in 2020.
[1] IBM Security, Cost Of A Data Breach Report 2019.
- Cyber risk is part of our overall enterprise risk management and is viewed as a key business risk (55%)
- Monitor and measure security and availability of systems through continuous vulnerability and risk assessments, remediation and sharing intelligence around cyber threats (52%)
- Regular staff information security trainings, awareness and anti-phishing campaigns (45%)
Purchasing a cyber insurance should therefore be one of the final points in a company’s plan to enhance its cyber resilience. Insurance has a vital role to play in helping companies recover if all other measures are insufficient but it should not replace strategic risk management. Investing in employee awareness, together with updating and continuous monitoring of systems should definitely be at the top of any company’s cyber to-do list.
Preparation and training are therefore the most effective forms of cyber risk mitigation and can significantly reduce the consequences of an event. Many incidents are the result of human error, which can be mitigated by training, especially in areas like phishing and spoofing, which are among the most common forms of attack. Training can also help mitigate ransomware attacks, although maintaining secure backups can also limit the damage from such incidents.
At the end of the day you need to take every reasonable step to secure information you may possess, even if only briefly. Even so, experts caution there are only three types of businesses, those who have been breached, those who will be breached, and, worst of all, those who have been breached but don’t know it yet.
As Archimedes used to say, in his speech of Syracuse: “Give me a place to stand and with a lever I will move the whole world.”
The current paradigm is a computer and an internet access point to change the history of the world.
Our attachment to technology and the never-ending connectivity between work and personal lives has created a faster, smarter and an emerging society that is filled with data and vulnerabilities. So, we need to bring rigor to the risks related to data and protect our top assets effectively.
Companies unfortunately seek for help and for such cyber insurance, after having been attacked. Given that cyber-attacks are becoming more and more focused on small businesses, it should be mandatory that companies, in case of cyber risks - hopefully - take a more proactive approach.
contact & questions
For additional practical information on this topic or regarding further insurance needs, you can always contact us via your usual confidential adviser or via insurance@mawyc.be. We remain available, both by telephone and via our e-mail addresses.
