Cyber Risk: An Uninsured Exposure?
by Quinton Kotze, Financial Lines Manager, AIG South Africa
Most executives have a pretty sound notion of just how dependent their business is on information technology (IT) systems. For most, computers and connectivity are every bit as essential as electricity; take these out of the equation, and work stops. But with that dependency comes considerable risk, a good deal of which is entirely out of the hands of the Chief Technology Officer (CTO), IT specialist or any other member of the executive committee. That is because the nature of the Internet means computer systems are potentially open to compromise, even when the best efforts are made to protect them. Shouldn’t your risk-mitigation strategy therefore extend to insuring against the potential losses which can result from a cyber breach?
The magnitude of the problem is perhaps best demonstrated by the findings of the recently released Norton 2012 Cybercrime Report. While the report is consumer-focused, it should be borne in mind that consumers all come to work, many of them bringing their own devices (and the potential exposures that come with them) and, perhaps more tellingly, their personal online habits to the workplace.
With 556 million victims of cyber attack in the past year, 1.5 million people per day, or 18 per second, fell victim to hacking, phishing, malware, viruses and ‘computer-borne’ fraud and theft. Fully two-thirds of adults online, and 46% in the past year alone, were compromised and suffered losses in what is a USD104 billion per annum global industry. South Africa suffered too, recording the third-highest percentage of cybercrime victims of any country in the world, with 80% of those online experiencing a loss.
From a corporate perspective, the problem is also quantifiable. In 2011, AIG dealt with 855 reported data breaches worldwide, affecting over 174 million records. Nearly three-quarters (71%) of data breaches affected companies with 1 to 100 employees, a category into which the great majority of South African businesses fall. With just 10% of the businesses affected being in the financial services industry, cybercriminals are clearly not focusing on this seemingly likely target but are broad in their approach: accommodation and food services experienced 54% of the breaches and the retail trade 20%, with health care/technology and ‘other’ making up the balance.
In this period, AIG in the United States handled over 100 network security claims totalling some USD25 million; since 2009, AIG globally has paid out over USD85 million in cyber-related claims. Directors have long appreciated the necessity of insuring the companies under their stewardship against operational, credit and business risks – and rightly so. But a recent risk assessment published by the World Economic Forum ranks IT higher than nearly every other type of threat.
The Challenge: Extending Risk Protection to a Complex Threat
Arguably, the risks created simply by deploying and using essential technology systems are greater than any others your company faces. Your premises and stock, for example, are very likely insured against fire, and your cover probably extends to accidental loss or theft in transit or on the shelf.
Indeed, while insurance against cyber risks is growing in popularity in more developed markets such as Europe and the United States, to date the inevitable exposure related to IT systems hasn’t enjoyed any significant focus from South African companies or the providers of insurance solutions. That is not necessarily because the problem hasn’t been identified. It is at least partly the result of the complexity of gauging the level of risk and then providing a solution which is affordable yet, at the same time, flexible enough to cover the multifaceted impacts which can flow from a cybercrime event.
Considering the Impact
It is useful to consider the range of consequences which can follow a breach of a corporate entity’s information systems. While the immediate loss may be sensitive customer records, the nature of that information can have further, increasingly deleterious consequences. What starts as an immediate financial loss for a company can quickly spiral into business interruption, reputational damage, and liability for losses incurred by customers and suppliers if negligence is proved.
A domino effect is not uncommon: an initial financial loss quickly spirals into reputational damage, legal exposure, impaired operations, and further financial consequences as customers resist doing business with the organisation. Furthermore, privacy and data protection are issues of growing importance worldwide, given the ease with which data can be electronically stored, retrieved and transmitted. Loss of private data exposes the organisation responsible to civil liability and public relations crises. In countries which have specific data-protection laws, statutory penalties may also apply. While South Africa does not presently have a specific data-protection law, there have been recent indications that the Protection of Personal Information Bill, which will govern data protection, will become law early next year.
The Boardroom Response
These consequences are undoubtedly a boardroom issue, since they can, and do, affect profitability and even company sustainability. By taking out an appropriate insurance policy, directors can now mitigate demonstrable financial losses. But, as indicated above, financial losses are but one aspect of a cyber breach. What about reputation and legal exposure to liability, and what about identifying the culprits and holding them responsible? Perhaps most importantly, what about making sure the company emerges from any such incident stronger and more secure than before?
These are issues that leading insurers have taken into account in creating a ‘multidimensional’ policy which anticipates and deals with the domino effect and all its implications. Rather than simply providing financial compensation, the schedule of benefits in such solutions includes access to specialist assistance: reputation management, IT-specific legal aid, and even digital forensics to identify, track down and retrieve lost or stolen data. Such insurance solutions arguably go further than any cover previously offered on the market; instead of merely addressing financial loss, they address the complexity of cybercrime through a multifaceted, coordinated and multidisciplinary response.
As a responsible director, you may find the time is right to ask your fellow board members: ‘Shouldn’t we be quantifying the risk presented by our dependence on IT systems – and putting in place a comprehensive insurance policy to mitigate it?’ AIG has introduced a unique solution which addresses information technology risk. Dubbed CyberEdge, it covers financial, legal, investigative and reputation exposures for a single premium, and puts the expertise of subject matter experts Norton Rose Attorneys, Cyanre digital forensic investigators and Livewired public relations practitioners at the disposal of policyholders.