Cyber attacks are becoming a part of daily life. We take a look at what companies can do about this computer cancer.
Cyber attacks aren’t new. According to New Scientist, they can actually be traced back to 1903 (I kid you not) when physicist John Ambrose Fleming was demonstrating an emerging technological wonder: a long-range wireless communication system developed by his boss, the Italian radio pioneer Guglielmo Marconi.
The event took place in the Royal Institution’s celebrated lecture theatre in London – and it went horribly wrong, because, before the demonstration began, the apparatus in the lecture theatre began to tap out a message … all by itself! It started saying “rats” over and over again … and then it began a personal attack on Marconi, accusing him of “diddling the public”.
Fast forward to 1988 and yet another momentous cyber attack took place. This time it was the creation of a worm that shut down about ten percent of the world’s internet servers.
The so-called Morris Worm attacked 6 000 computers, and repair bills amounted to many millions of dollars. It also earned Robert Morris, the student who created the worm, the dubious honour of being the first person to be tried and convicted of computer fraud and abuse.
Cyber attacks have now become commonplace. June 2017 saw a frenzy of attacks, not least of which were the WannaCry ransomware attack that affected more than 150 countries and the Petya ransomware attack that saw Ukrainian government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network all paralysed.
In fact, cyber crime is now the fastest-growing crime in the world. Cyber attacks have become so regular that there’s even a website devoted to the phenomenon. (Check out www.hackmageddon.com.)
All around the world, government officials are having sleepless nights thanks to cyber attacks. Recently, at the CyberWeek convention in Tel Aviv, Israeli Prime Minister Binyamin Netanyahu noted that “cyber security is a constant challenge”.
“Every single thing is being digitised, and the difference between hi- and low-tech is being erased. As that happens, in country after country, in industry after industry – as we enter the Internet of Things (IoT), the need for cyber security is growing exponentially,” Netanyahu said. The prime minister added that cyber attacks are a threat for all governments today, with Israel addressing dozens of attacks every month.
Thanks to cyber attacks, company executives are also having sleepless nights. In our internet-connected society, cyber crime is a very real threat to any business or institution. A cyber attack can also be just as physically disruptive to a business as a natural disaster or terror attack – think of critical operations in a hospital, airport or power station (all of which are operated via computer networks and sophisticated software) in the wrong hands.
While the internet has become essential to our way of life, company executives worry about the opportunities it can offer to criminals. There are many other question marks, too.
How should legislation and regulation apply to the seas of data that constitute the heart of the new digital economy? What are the implications of outsourcing data processing to cloud providers and the growing use of personal devices to conduct business?
This isn’t just a global concern; cyber attacks are prevalent within South Africa, too. Cyber crime is now the fourth most reported economic crime in South Africa. Almost a third (32 percent) of the 232 South African organisations that took part in the PricewaterhouseCoopers (PwC) 2016 Global Economic Crime Survey reported cyber crimes in the last 24 months.
This puts local companies on par with their international counterparts when it comes to cyber crime. The country leads the global stats for economic crimes, with 69 percent of local companies having experienced economic crime during the past two years, compared with the global average of 36 percent.
While companies all over the world are grappling with the relatively new risk of cyber crime, there remains a lack of consensus on how to best prioritise and respond to this threat. Incredibly, according to the 2017 Aon Risk Solutions Global Risk Management Survey, only 23 percent of companies employ financial quantification metrics in cyber risk.
Without measuring the actual financial impact of identified cyber threats, companies will not be able to adequately prioritise the capital investment in risk mitigation, nor will risk managers be able to convince a potentially less tech-savvy board of its importance.
Much more progress is needed in the area of cyber risk control and mitigation to keep pace with the pervasive and fast-evolving cyber threats that go hand in hand with the dizzying speed of technological innovation.
According to Aon, mitigating the risks that come with being a custodian of data, while embracing the opportunities that technology presents, is key to building a cyber-resilient business. Becoming more resilient to cyber risks in an age of digital disruption increasingly means understanding the full scope of cyber governance responsibilities.
As such, the company maintains that there are a number of compelling reasons why every business (regardless of size or ownership) that has a network and an internet connection, and holds sensitive or personally identifiable data and sensitive company Internet Protocol (IP) addresses, needs cyber liability insurance.
First and foremost is the fact that all businesses that hold personally identifiable data and sensitive IP addresses are at risk. Many small and medium businesses think that they are not likely targets for a cyber attack, believing that only large corporates, banks and government institutions appeal to cyber criminals.
The reality is that any entity that conducts any aspect of its business online and holds any sensitive data – employee or client records; banking and payment details of the company, its staff, or customers; market strategies or financials; payroll information; medical or academic records; or any other sensitive data – is a potential target.
According to Aon, it is important to bear in mind that standard insurance policies do not cover the risks and liabilities emanating from cyber risk. Cyber insurance is specifically designed to cover the unique exposure of data privacy and security and can act as a backstop to protect a business from the financial and reputational harm resulting from a breach.
While some categories of losses might be covered under standard policies, many significant gaps often exist and cyber events can impact numerous lines of insurance coverage. Standard policies are often inadequate to cover the likely cost of even a more “standard” security breach, let alone a cyber attack or “hacktivism”. Only specialist cyber insurance policies provide extensive cover.
Furthermore, it is important to bear in mind that a company can be held legally and financially liable if third-party data is compromised in a breach. The frequency of cyber breaches is increasing and incident response plans have become more complex, due to regulation and mandatory disclosure obligations.
The disclosure obligation is of particular interest to South African businesses, with related legislation looming on the horizon – the General Data Protection Regulation (GDPR) commenced on May 24, with its grace period ending on May 24, 2018, while the Protection of Personal Information (POPI) Act brings a further layer of complexity for any business holding personal data of clients.
Class action lawsuits and regulatory fines have become synonymous with data breaches. Furthermore, the fact that cyber risks are global makes complying with various regulatory responses across different geographies all the more challenging.
Cyber liability insurance protects a company and the sustainability of a business from expenses that could be crippling. Most cyber liability policies cover first-party costs and any resultant (third-party) liability arising from a loss of data or a breach of network security – with data being defined as personally identifiable data and corporate information.
First-party costs include legal and IT services, data restoration costs, reputation management, notification costs to all affected data subjects, credit and ID monitoring, cyber extortion and loss of profits following from a network interruption.
Third-party costs include damages and defence costs arising from liability to others following from theft or manipulation of data held in a company’s care, custody and control.
Insurance is something that is universally abhorred. However, going forward, it does seem as though cyber insurance is something without which we simply will not be able to survive.