From the Boardroom to the Internet; Looking at Cyber Insurance with Traditional Risk Management

At CCW Global we are extremely privileged to help businesses in a wide range of industries manage and mitigate their risks. From Office Contents, Employee Compensation, and Marine Cargo insurance, through to more complicated group benefits, Professional Indemnity, and Directors and Officers coverage, as a broker we are in a unique position to understand the concerns and risks facing companies of all sizes on a day-to-day basis.

Understanding the risks facing your business is a key first step in avoiding potential issues, and it’s important that organizations understand future liability and losses – especially at a board level. In 2016 CCW Global has been spending a great deal of 2016 thinking about evolving business risks which are present in the Hong Kong and APAC markets. From our own internal analysis and observations we have understood where our greatest exposures are, as a business, and also where the biggest potential threats we face in the future will come from.

But what does this have to do with you?

In our conversations with key stakeholders and decision makers, from SMEs to MNCs, we usually have a good idea of the key concerns the organization will have – daily risks that can impact the overall operation of a business, the wellbeing of its employees, and the company’s liability to its customers.

However, one key area of risk is being significantly under-represented is something that virtually all businesses rely on in order to function in the modern world; Digital and Cyber events.

Looking at the Digital Risk Ecosystem

CCW would not be able to operate or service our customers in the way we do without the tools available to us in the form of the internet and, more specifically, the Internet of Things (IOT). Unfortunately this also presents some of our biggest risks; mainly due to the open, borderless, and often increasingly unknown quantity presented by an always-on, always-connected, digital business environment.

When we look at understanding a customer’s risk profile the risk which is being presented by internet use and cyber exposure often isn’t of a significant concern. To the extent that current industry statistics suggest less than 2% of companies in Hong Kong hold some form of Cyber insurance coverage. In an unfortunate turn of events, organizations aren’t even looking at mitigating internet liability or exposure until they have been the victim of a cyber incident.

It could be a case of “once bitten twice shy,” but the absence of comprehensive digital risk management comes against a backdrop of increasing global cyber-crime; from state actions through to lone hacktivists, the tools available to threats are becoming more sophisticated and are evolving at an exponential rate.

In Hong Kong alone, there were 6778 reported cyber events which caused an estimated HK$1.8 billion in financial losses during 2015 according to local police figures. In Q1 2016 HKCert.org reported 35,100 unique digital security events – representing a 117% increase on the previous year and mainly related to malware threats. Added to this are a number of recent high profile cyber-attacks, including the VTech Incident in 2015 and the recent loss of US$ 72 million in August 2016 from a Bit Coin exchange hack, which have recently targeted Hong Kong businesses.

Globally the figures are far more worrying, with losses amounting to billions of US$ each year – and only increasing as the perpetrators of cyber-crime become ever more sophisticated. Given the rapid increase in the ease of access and the ability of actors to create a cyber-incident the low focus given to mitigating the risks associated with cyber and digital risks is fairly concerning.

Understanding the Intangible Nature of Cyber Incidents

This may be, in part, due to the intangible nature of these incidents – having an office broken into and equipment or documents stolen is an extremely visceral and real threat, and businesses will take measures to mitigate this threat through securing their offices. A determined criminal will likely still be able to access a corporate facility through brute force, and this is well understood by security experts, but because of the “real” nature of these crimes there is a perception that losses can be handled with prepared contingency planning and law-enforcement.

This analogy extends into the digital realm; most (if not all companies) will have comprehensive IT systems designed to protect their networks, servers, and sensitive employee and customer data. These systems are akin to the security guard sitting at the reception desk, or the access codes employees must enter to enter their offices. But unlike the real-world scenario many businesses, in Hong Kong and throughout Asia, stop their digital risk management at the point of prevention. And as with a real-world office break-in, a determined and persistent attacker can bypass security systems if they deem the outcome worthwhile.

In our discussions with companies in relation to their risk management profiles we ask about cyber-preparation as a matter of due diligence. After all, if you’re securing your office risk with an Office Contents and Employee’s Compensation policy, the question of how the network and data assets are protected is extremely pertinent as part of a top down approach to mitigating risks.

In some cases it can be useful to actually understand, at the board level, what is happening in the digital world. Tools like HP’s IP Viking, which presents a real time over view of all recorded cyber-attacks currently occurring, or the Protectwise Platform, offering an innovative user interface to display penetration networks in an easier to understand format, help to turn this fairly abstract concept into a reality – watching 1,000’s of global cyber-attacks happening on a computer screen can have an extremely real impact in helping organizations to understand what, exactly, is at stake.

Employing Comprehensive Cyber Risk Management

While many companies will have taken steps to secure their networks and implement strong IT security protocols (from requiring two-factor authentication when logging into internal systems through to taking more drastic action including air-gapping computers and removing USB access from all business owned computing devices), there is a very obvious lag in after action preparation.

If the White House, top Government Officials, and extremely capable IT/Technology companies are finding themselves the victim of cyber events, there is to some extent a certain naivety in assuming that a business’s risk management responsibilities stops at the doorstep of network security. And in some of the worst cases of damaged reputations, financial losses, and simple incident mismanagement, businesses have scrambled to identify the cause and protect themselves from further harm without having any real contingency planning in effect.

There may be some confusion as to who in a company owns the responsibility of Cyber events – does it fall under the remit of IT who are responsible for securing networks, go to Operations who will ultimately have to deal with the actual business impact, get transferred to PR to calm worried customers, or even sit on the desk of internal counsel? Some business philosophies will pick one of these departments, while others will say that everyone has a role to play in the aftermath of a digital event; and at CCW it is our opinion that the latter idea is the correct one.

But a key first step in understanding how a company is placed when looking at the evolution of internet and computing threats is to first understand and create a process for dealing with a crisis if and when one should occur.

Implementing Processes and Covering the Variables

At the end of the day most organizations are not in the business of cyber crime, digital threat prevention, or forensic IT analysis. From our own company, which specializes in Insurance, to the many thousands of others operating daily in Hong Kong, we are more focused on actively servicing our customers and growing the business than we are focused on wholesale cyber protection.

As such, it can be an extremely hard ask to request that a manufacturer, financial institution, hospitality group, or law firm become overnight experts in both protecting themselves from digital intrusions and attacks and dealing with the outcome of a successful cyber event.

But what other choice is there?

A raft of recent developments within the insurance industry have seen fairly dramatic changes with regards to Cyber Insurance products – no longer are these policies designed as simple “Hack” protection, but have been created as top-down facilitators to help manage any and all cyber events as they occur.

From top executives accidently leaving their connected devices and phones in taxis around the world, through to viral content that creates unintentional DDoS situations which can interrupt a business’s ability to operate and sell to customers, the range of risks present within the cyber ecosystem extends far beyond direct attack scenarios and we are beginning to see major insurance providers cater to the increasing number of obstacles which present themselves when doing business via digital channels and using IT tools.

The sheer number of variables present within the umbrella of “Cyber Risk Events” has meant that, outside of digital risk specialists, businesses are constantly playing catch-up when trying to examine the threats they face and the solutions on offer to prevent organizational catastrophes in the cyber realm.

A recent article in Scientific American investigating the increasing exposure faced by companies utilizing the Internet of Things when doing business in an online environment shows that a determined and persistent attacker will normally be able to achieve their end objective, whatever that may be.

Ask the Questions and Understand the Risks

CCW Global is not a security specialist, and we don’t have all the answers. But our team is able to ask the right questions, and we have access to and relationships with extremely capable partners – both within and outside of the insurance world – through which we are able to assist our customers in understanding the risks they face and the tools available to mitigate those risks.

If there is one key takeaway from this post, it would be to start a conversation within your organization with regards to digital and cyber risk management. Understand who in the organization will own a cyber event, what data it is that your company wishes to most protect, and how the business will react in the aftermath of a cyber attack.

CCW is committed to expanding upon Cyber Insurance as part of our core business risk management process, and we welcome any questions or discussions which will enable us to better protect your organization.