Cyber Security has always been discussed but never given the importance that it deserves in the boardroom. However the situation seems to be changing post 2017, which saw cyber breaches of global scale and magnitude. Myths such as – only Information Technology companies are prone to cyber attacks and that fairly advanced nations like the United States and United Kingdom would be the main targets of hackers whereas countries like India would not be victims – were broken. It is time to address cyber security as a business risk, and not just a technology problem.
2017 saw hackers take down a Power Grid in Ukraine, ransomware attacks like WannaCry, Petya and NotPetya caused business interruption at ports, hospitals in UK were made to turn down patients since they lost access to their systems and the Equifax breach led to the data of 143 million customers – a number higher than Mexico’s total population – being compromised. Mondelez Inc, the world's second-largest confectionary company, said its quarterly revenue growth would be reduced by 3 percent due to a recent global cyber attack.
India too was put on the global map after becoming the third worst hit country from the WannaCry attack, with more than 40,000 computers being affected. An Indian food startup’s breach was the 6th biggest globally in the first half of 2017, compromising data of 17 million users. The list just keeps growing.
The thing about cyber risk is that it is evolving at a pace which most companies will find hard to keep up with; attacks are getting more sophisticated – from distributed denial of service attacks to ‘man-in-the-middle’ attacks, the risk just keeps changing. The popularity of cryptocurrencies and their characteristics which prevent them from being traced back will only fuel further ransomware attacks in the future.
According to a recent report published by McAfee, the total cost of cyber crime globally is USD 600 billion, or 0.8% of global GDP. With the EU GDPR becoming effective in around two months, several global MNCs will be liable to report breaches within a set timeframe and may be liable to penalties going as high as 4% of their global turnover, the cost of data breach is bound to go up.
As I write this, a fresh probe has been requested by the European Commission, asking data protection authorities to investigate Facebook's data leak to data-profiling firm Cambridge Analytica, which uses psychographic profiling to change behavior, and may have used the data of 50 million Facebook users to help bolster Donald Trump’s presidential campaign in 2016.
The increasing frequency of breaches and the costs associated with it demonstrate the need for companies to purchase cyber insurance. Let’s be clear, cyber insurance will not help a company prevent a cyber breach, but it will help it survive one. The amount of loss due to cyber attacks and its spiraling effects cannot be under-estimated. A typical breach would require the company to hire forensic experts to investigate into the breach and recover its lost data, appoint lawyers to communicate the breach to the regulators, customers and other stakeholders as per regulations.
Service of a public relations expert may also be required in order to handle the press and other media. All of these expenses can make a huge dent in the company’s bottom-line, especially to the small and medium enterprises, which may not be able to afford such costs. A standard cyber insurance policy would provide cover for all these costs, and further covers such as cover for business interruption, fraudulent fund transfer, PCI-DSS may be purchased depending upon the risk profile and needs of the customer.
The ever evolving nature of cyber risk poses an even bigger challenge for insurers, as they will have to work towards providing a wholesome risk mitigation product to customers. Such a product would help them not just cover the costs associated with a breach, but also help them improve their cyber security, provide vulnerability assessment and penetration testing services, and most importantly help educate their customer’s employees about threats such as phishing, ransomware and others – since humans are still the weakest link in cyber security.