Cyber Risks: Balancing Innovation and Resilience

Aditya Samag, VP-Cyber Risk, Marsh India Insurance Brokers

The crimes of our childhood aren’t there anymore.  The masks, the gunmen, the bank-heists, the double crossings are now just part of Bollywood films more than anything else.

Today's crimes are dominated by an upgraded and ever-evolving criminal; the cyber-criminal, who has taken innovation to a completely different level. With nearly one million new malware threats released every day, it’s not a surprise that more than 70 percent of the Indian companies have suffered a cyber-attack in the past two years, according to a KPMG report - Cybercrime Survey Report 2015. 

Cyber-attacks present a unique challenge for information security professionals. Chief Information Security Officers’ (CISO) dilemma today is that they have to guard their systems against each such attack, old or probable threats. Cyber-criminals, on the other hand, need to find just any vulnerability, using thousands of new tools available at their disposal. No information security professional, therefore, can guarantee 100 percent protection against cyber-threats.

No wonder the dark economy of cyber-crime is thriving resulting in a loss of about 450 billion USD a year across the world, according to estimates by many different organizations, including the Center for Strategic and International Studies. 

When technologies, such as the internet of things (IOT), cloud computing, and industrial control systems (ICS) systems converge - and converge they have been in the past few years - there is practically no upper limit of the losses that an organization, or an industry, may have to bear.

Consider the following examples:

• The attack tradecraft used in the well-publicized 2013 data-breach case of a US retailer that cost the company more than 160 million USD, after accounting for expected insurance proceeds, reportedly originated at one of the HVAC (heating, ventilation, and air condition) vendor’s systems. The tradecraft travelled through the connected IT infrastructure and proceeded to the handheld POS device.

• In another example, a worm called “Stuxnet”, used by the attackers of a nuclear power plant in the Middle East, entered the company’s systems from a worker’s thumb drive, worked its way through the Windows OS, reached the ICS/SCADA systems, and ultimately damaged the expensive centrifuges of the uranium enrichment machinery. The financial impact was unreported, but included significant costs, including property loss, business interruption, and costs, such as forensics and IT audits, incurred by the company. 

• In a more recent example, the federal bank of a South Asian country lost over 80 million USD in the biggest cyber-heist in history. While the facts of the case are slowly becoming known, it is believed that the user interface of the international payment network  - SWIFT - was compromised and the connected network across Asia, US, Sri Lanka, and the Philippines was used as a conduit for laundering the stolen money.

Interconnected ecosystems, which are the building blocks of the rapidly changing technology in the world, create room for hackers and criminals to wreak havoc. Does it then follow that there is always a trade-off between technological advances and the financial losses caused by cyber-crimes? Thankfully, the answer to that question is no. Organizations can develop a cyber resilience plan. 
The question to prepare for is not whether you will get attacked, but also how prepared you are when you do!

Building resilience and preparing for any eventuality

Cyber insurance policies can go a long way in building the resilience of organizations. These policies have become popular in mature markets, such as the US and the UK, in the past 8-10 years. India, however, woke up to this niche concept only about three years ago. In these three years, however, the cyber insurance segment has experienced more dynamism, adaptation, and innovation than most other insurance products.

Initially, cyber policies provided limited cover. They protected organizations from the expenses arising from lawsuits filed by their customers in the event of a data-breach. Therefore, it made sense to buy cyber insurance only if an organization handled sensitive 
client data.

In recent years, the coverage of cyber policies was enhanced. It added business interruption losses and self-expenses associated with data-breach incidents, including costs related to crisis management, IT forensics, and credit monitoring. 

Today, cyber policy covers go even further. They can be designed to protect an organization from risks associated with property damage and injuries caused by cyber-attacks, cyber-extortions, and even losses from cyber-theft of money.

The way forward

Today, the world of technology is taking a step beyond IOT, ICS/SCADA, and cloud systems, and moving towards even newer technologies, such as cognitive computing and artificial intelligence. Risk resilience solutions will also need to evolve with this. Those insurers and broking houses that have the required expertise and knowledge to drive these changes will help organizations stay financially insulated, while others will leave gaps, potentially causing free falls.