Articles - Cyber crime: the latest big threat to insurers on the rise


The prophets of doom are doing a roaring trade. The latest subject of apocalyptic predictions for the western way of life is cyber security. It seems that everyone is interested in the contents of your computer systems, and increasingly, in damaging these systems to make your life and your business harder than it already is. The evidence from government and security services as well as numerous industry surveys and studies is that cyber risk is on the up.

 By Jonathan Burdett, Director, PwC, Cyber Security Expert
  
 Many attempts have been made to estimate the cost of cyber crime to the global economy, with the result being an estimated impact of somewhere between $100bn and $1tn. Organisations need to act fast.
  
 It is not surprising therefore, that we are increasingly seeing cyber risk appearing on Board agendas, and rocketing up corporate risk registers. This leaves insurers with some interesting questions: Are there big risks to my business that I’ve not yet got under control? If this risk is significant, should I be holding capital against it? Do these risks represent a commercial opportunity which I should be looking to exploit?
 
 As with any risk, answering these questions requires an understanding of the risk dynamics so that risk managers and actuaries can attempt to quantify or price it. Given the current absence of publicly available data on this rapidly changing risk, challenges are arising.
 
 A risk on the rise
 There is no shortage of data to show that cyber risk is a threat that is increasing not only in frequency but also in sophistication. Industry experts estimated a 42% increase in targeted attacks in 2012, and surveys like PwC’s “Information Security Breaches” survey and “Global State of Information” survey consistently show the incidence and impact of cyber breaches to be at record levels. Security firms, including PwC, who record the threats encountered during a business’s day-to-day work, regularly report record levels of malware, phishing attacks and other internet “nasties”, and predict that this is set to rise throughout 2014.
 
 At the same time, target organisations are becoming more complex through outsourcing and the adoption of new technologies such as mobile and cloud computing, and are increasingly reliant on electronic trading with customers and business partners. This complexity means that companies are becoming harder to defend from these cyber threats.
 
 And just to raise the stakes on all this, regulators and clients are becoming increasingly demanding about the way companies handle their data. It is rare for a corporate RFP not to include a section on information security controls, and the right to audit is being exercised with increased frequency and rigour. UK and international regulators are responding too, with the UK government investing in its Cyber Strategy, and the EU’s latest proposed directive against cyber crime passing its first stage in the European Parliament in July.
 
 Anatomy of cyber risk
 One difficulty organisations are having with this risk is defining exactly what it is. Cyber risk is often broken down into a number of categories based on the types of attacker involved, the types of attack or the potential impact. Taken together, these provide a useful overview of the issues to consider.
  
 
  
 In practice, the players are becoming harder to define. With the skills and capability to perpetrate cyber attacks becoming more widespread, and even available for hire at a reasonable hourly rate, the principal actors mentioned above could be joined by disgruntled employees and anyone else with a grudge. Similarly, successful attacks tend to combine all three methods above, with an initial confidence trick providing vital information with which to target hacking and malware attacks.
 
 A possible response
 So what can insurers do to try and minimise the impact to their organisation? Firstly, Boards must take responsibility for dealing with cyber. As a major risk to an organisation, it is not credible to devolve responsibility for its management to technical experts in the IT department. While their expertise is important, the Board must understand the risks it is exposed to.
 
 Risk analysis – organisations need to think through the players, techniques and impacts outlined above, and harvest internal and external data to help quantify the risk. Once quantified, appropriate response plans need to be put in place and communicated across the organisation. We find that many organisational responses focus on preventative controls and do not take adequate account of the detection and response capability needed for such a pervasive and dynamic risk. The organisations that win the battle against cyber risk are those that share information across peer organisations, government and regulatory bodies as widely as possible. This helps with understanding the risks and the latest responses, and with such a fast-moving threat, knowledge is key.
  
