By Neil Smith
With cyberattacks becoming more sophisticated and more damaging, risk managers face the challenge of managing an increasingly complex digital risk environment. Businesses rely on information technology systems and the Internet to manage their processes, communicate with customers, connect with multiple sites, external information technology services and mobile staff, and store and analyze huge amounts of information.
This interdependence means widespread failures can cause systemic breakdowns with potentially catastrophic consequences. One of the most damaging pieces of malware in history, the MyDoom worm, spread rapidly in 2004 and caused an estimated $38.5 billion in losses, according to the security consulting firm mi2g.
Companies also face new digital threats through social networking, cloud computing, new applications, and mobile devices such as iPads and smartphones. With many people using the same devices for business and personal purposes, the boundary between the two is blurring, adding more potential entry points for criminals.
Malicious attacks account for a growing share of breaches. In 2010, they were the root cause of 31 percent of the data breaches studied, up from 24 percent in 2009 and 12 percent in 2008, according to the Ponemon Institute, an independent privacy and information security research organization.
Over the past several years, cybercriminals have multiplied and honed their abilities. A 2010 report by Lloyd's, "Managing Digital Risk: Trends, Issues and Implications for Business," notes that, "Like the offline world, the digital space has a criminal underworld. ... This underworld is diverse and brings together people with different skill sets, including highly technical hackers, those who package and sell technology and those who specialize in stealing money from people's bank accounts."
Multiple, Costly Risks
Companies face a wide range of cyberrisks, including operational risks, such as loss of service or data; financial losses; intellectual property thefts; legal and regulatory risks, such as data breach laws that mandate notification; and reputational issues.
Cybercrime is also costly. The median annualized cost of cybercrime for a benchmark sample of organizations was $5.9 million in 2010, an increase of 56 percent over the prior year, the Ponemon Institute found.
Those costs can escalate quickly, depending on the circumstances. A data breach earlier this year that affected Sony's online networks, including its PlayStation Network, exposed the personal information of more than 100 million customers. The company said the initial cost of the breach was about $170 million. That does not, however, take into account the costs stemming from class action and other lawsuits.
The threats come in many shapes and forms. One that is increasingly common is malware: malicious software that spreads through numerous mechanisms, hides on a business's computers and lets an attacker monitor and take control of the business's systems. Once the malware is embedded, criminals can steal money and information.
For example, using a banking Trojan known as Zeus, an international network of cybercriminals stole $70 million from small and medium enterprises, municipalities, churches and individuals, mostly in the United States. The malware was delivered by email. When targeted individuals opened the email, the malicious software installed itself on their computers, where it secretly captured log-in data for online banking accounts, according to the FBI. The criminals used that information to take over the accounts and transfer money to a network of accomplices.
In 2010, following an investigation that lasted more than a year and involved international police agencies, the FBI and its partner agencies arrested five people in Ukraine, 11 in the United Kingdom and 37 in the United States.
More recently, security researchers at Symantec said in October they had found malware that closely resembled Stuxnet, the sophisticated worm that targeted and disrupted Iran's nuclear program. The malware, dubbed Duqu, is designed to gather intelligence from entities such as industrial control system manufacturers in order to facilitate future attacks, according to Symantec.
Risk Managers Face Complex Challenges
The size and sophistication of the Zeus ring demonstrate the complex challenges risk managers face. Not only do risk managers have to stay current on cyberrisk trends, both malicious and non-malicious, they also need to be proactive and think about how attackers will adapt to exploit potential vulnerabilities in their information technology systems.
Looking ahead, attacks of all kinds are expected to increase, with industrial espionage and intellectual property theft, among other crimes, becoming more prevalent. To fight back, risk managers need to understand the hostile environment and address risks in an overarching, comprehensive way. The five strategies below outline approaches risk managers should consider adopting to tackle this growing threat.
Strategies for Risk Managers
1. Establish a Digital Risk Working Group that informs the Board
Risk managers should lead the effort to establish a working group to monitor and review the business's exposure to digital threats. The group should include information technology experts and strategists, key business executives and legal representatives. Increasingly, digital risk should be treated as a board-level concern and integrated into the organization's overall risk governance processes and structure.
The group should be responsible for keeping the company's board informed of relevant risks and for determining when the board should be actively involved or simply kept up to date.
2. Become Involved in Information Technology Strategy
Risk managers should be involved in strategy and major technology transformations, working closely with the information technology department and making sure the appropriate experts are involved in decisions related to the changes. Information technology transformations also offer a great opportunity for the risk manager and staff to actively assess the company's exposures and risk level, and to work collaboratively to address any concerns.
Risk managers also have an important role in generating awareness and understanding of the levels of reliance on technology across the business.
3. Implement and Drive Best Practices
Technology is changing at a rapid pace. Risk managers should ensure that best practices and applicable standards and frameworks are being employed effectively. For example, for more common digital risk problems, risk managers can use existing standards, while looking to new best-practice guidance for more unusual problems.
Best practices should also extend to the business?s risk assessment team. A common challenge is that technology experts see risks from an information technology perspective while business units and managers often have a broader perspective. By selecting a team that has the right mixture of business and technology expertise, risk managers can help bridge the divide and develop a more comprehensive understanding of digital risk issues and how to address them.
4. Pursue Risk Transfer Solutions
Risk transfer solutions are an important part of a digital risk management strategy. Most traditional insurance policies, such as property, commercial liability and business interruption, will not cover digital risk. A standard business interruption policy, for example, is unlikely to cover nonphysical damage such as a denial-of-service attack or hacking.
Most current cyberrisk coverage is liability-related. First-party coverage pays for a company's own losses arising from damage to the availability, integrity or confidentiality of company data, from theft of intellectual property and from other privacy-related incidents. First-party losses include the cost of notification letters sent to customers affected by a data breach, as well as any associated fines and penalties. Third-party liability covers losses incurred by others, such as claims for privacy breaches.
Digital-specific business interruption policies cover a company's loss of revenue and additional expenses caused by denial-of-service attacks, viruses and fraud. Some policies, among other coverages, may also cover losses that result from supplier disruptions or from legal actions stemming from the failure of a product or service.
Cyberrisk is a dynamic area and insurers are continually developing innovative products. Risk managers should stay abreast of current and developing products that best meet their needs.
5. Become Involved in the Big Picture
While risk managers are responsible for their own companies, they also have a role to play in shaping digital risk research, helping researchers understand the challenges in making effective and practical decisions. In particular, they need to help promote awareness of the complex interdependency between business risks, human factors, legal issues and technology trends. As front-line participants, their contributions and insights are important.
Cybercrime is a fast-growing worldwide problem that is not constrained by traditional boundaries like geography. Risk managers can contribute to a solution by becoming part of an active community of companies, industries and governments that communicate and collaborate on digital risk. While preparedness begins at the individual business level, the threat is so large and so powerful that it needs to be tackled collaboratively around the world.
NEIL SMITH is emerging risks and research manager within the exposure management team at Lloyd's. His responsibilities include monitoring, analyzing and preparing research on emerging risks. He is also responsible for managing Lloyd's 360 Risk Insight program, which tackles emerging risk issues from the perspective of corporate risk managers.
December 1, 2011
Copyright © 2011 LRP Publications