Language: English (United Kingdom)  Deutsch  français  Print

Expert Risk Articles

The changing risk and liability landscape - Daily mitigation necessary for IT Security and Data Risks

Modern corporate risk and liability exposures can arise from many sources, including third parties, supply chains, products, IT security, new technology and the environment. Global Risk Dialogue examines current and emerging risk management and insurance issues across a number of trends.

Cyber risks are fast-evolving, posing an ever-changing threat to businesses. According to the annual Allianz Risk Barometer, which surveys more than 1,900 risk experts, they now rank as the second most important peril globally, but are also the most underestimated. Five years ago they ranked just 15th. Negligence scenarios are increasing.

/assets/Insights/GRD%202018-01/ITSecDataRisks2_471.png

Photo: iStock

RISKS

There are now multiple threats to a company’s digital presence. Personal information or intellectual property can be compromised through a data breach, resulting in third party liabilities such as legal or regulatory actions, as well as first-party costs responding to the breach. Businesses can incur network liability if a corrupted file is transferred to another company. Then there are newer perils, such as the threat of cyber extortion, and particularly business interruption (BI), caused by a targeted attack against a company’s computer system. The recent rise in distributed denial of service (DDOS) and ransomware attacks, so-called “cyber hurricane” events, where hackers disrupt a large numbers of companies by targeting common internet infrastructure dependencies, means BI is now the leading cause of economic loss for firms after a cyber event. As the recent WannaCry ($8bn) and NotPetya ($3bn) incidents demonstrate, such events can inflict significant financial and reputational damage.

Growing anxiety about the threat to data and IT security coincides with the introduction of more robust privacy rules around the world, such as the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS) in the European Union, and reform of data protection in many US states. Global companies are now exposed to tougher potential liabilities and fines in the event of non-compliance.

Currently, we aren't just seeing cyber risks as a driver of liabilities in the technology sector. We are seeing them trigger property, product recall and other claims, as well. Cyber vulnerabilities are experienced by large and small businesses, alike, in almost every sector -- and those companies that think they are immune are not being realistic. It is important that clients understand the impact of not being prepared for a cyber incident, not only to the bottom-line but to intangibles like reputational damage, brand exposure, BI and loss of share price. Cyber risks are here to stay, and mitigation procedures should be thought of as a natural part of every company's daily operations.”

Emy Donavan, Global Head of Cyber, AGCS
emy.donavan@agcs.allianz.com

TRENDS

Target, Home Depot, Yahoo, Sony, JP Morgan Chase, Equifax and Uber are just some of the global companies that have made big headlines for big data breaches recently. Companies suffering data breaches can experience large losses, BI, reputational damage and even class action lawsuits from customers whose data and privacy are compromised. Equifax’s 2017 breach, which impacted 140 million people in the US alone, is forecast to have cost it around $439m by the end of 2018[1], making it one of the most costly ever. It also led to the CEO’s resignation.

Research shows costs associated with breaches are rising. Last year, the average cost of a data breach globally increased by over 6% to $3.86mn. Meanwhile, the average cost for each lost or stolen record also increased, by almost 5% to $148[2], according to the Ponemon Institute.  Another study by the institute shows that although close to half (48%) of cyber incidents involve malicious or criminal activity, even more (52%) involve human factors, such as negligent employees, or IT and business process failures, demonstrating companies face exposures from all areas.


The potential fall-out from such incidents is exacerbated by the introduction of  tougher data rules around the globe. The NIS Directive requires “essential services” providers, such as ports and transport services, to show they have taken sufficient measures to manage cyber security and report incidents; otherwise they could face substantial penalties. Similarly, under GDPR, steep fines of up to 4% of a company’s global revenue can be imposed for data protection breaches. The introduction of new notification requirements and new rights for consumers could also increase third party liability risk and threat of litigation. GDPR also allows consumers to “opt-out”, requiring businesses to find new ways to isolate data and beef-up IT security. Its introduction has also spurred 11 US states to expand data breach notification rules, mirroring some of the protections GDPR provides, during the first half of 2018 alone[3] - 48 states now require companies to notify individuals if their data is compromised.

It is not just companies who could be on the hook in the event of a cyber incident. In future, it may be possible to claim substantial damages from their directors if there has been negligence in any failure to protect data or a lack of controls.  There are a wide range of scenarios in which a director could be potentially considered negligent, such as a fund transfer fraud, or where a vulnerable network is compromised, leading to significant BI, property damage or loss of intellectual property.

Also, looking to the future, new threats will create new loss and liability scenarios. Wider adoption of Artificial Intelligence technology could be accompanied by a greater number of more sophisticated cyber-attacks. Vulnerability of connected systems and machines to system failure or hacking will also increase. Cyber-currencies and blockchain systems could also be compromised.[4]

RISK MANAGEMENT AND INSURANCE IMPACT

While it is impossible to prevent data and IT security events completely, their impact can be lessened.  To address data privacy concerns, businesses should ensure they review data protection and classification practices, implement security automation tools which can highlight pre-compromise vulnerabilities, and deliver timely software updates and patches. If a ransomware attack is a primary concern, maintain secure back-ups of data and servers on a regular basis.

If sensitive data is compromised, the business needs to respond at all levels: board, IT, communications, compliance and investor relations. According to reputation analysis and research institute MediaTenor, 75% of all companies which suffer a cyber-attack also incur reputational damage or loss. The way an organization manages a breach has a direct impact on the cost. This will become even more the case as the regulatory environment toughens.

Cyber insurance should be considered as part of any mitigation strategy and is no longer just about protecting against financial losses such as BI and restoration costs. If a business suffers a cyber-incident,  it will need instant access to specialist counsel, network forensics services and crisis management consultants to help mitigate the impact in real-time, in accordance with necessary regulations.  Insurance provides this. Increasingly, many insurers are also forming partnerships with other cyber experts to bolster their security offering. For example, AGCS partners with risk modeler, Cyence Risk Analytics, to identify emerging cyber trends to better understand how businesses respond to catastrophic scenarios.  It has also formed a cyber risk management solution partnership, which comprises cyber resilience evaluation services from Aon, secure technology from Cisco and Apple and enhanced insurance coverage from AGCS.

DRIVING DATA PRIVACY AND IT SECURITY

Allianz, Siemens, IBM, Airbus and a number of other companies recently launched a "Charter of Trust" which establishes minimum standards for cyber security and data privacy. While governments must take a leading role in this effort, companies at the forefront of the cyber space can help develop and implement standards. The charter contains 10 principles to make the digital world more secure and also sets three important goals: Protect the data of individuals and companies; prevent damage to people, companies and infrastructure; and create a reliable foundation for instilling trust in a networked, digital world.

Click here for more information on GDPR compliance.

Click here for more information on a cyber risk checklist for directors.


[1] Reuters, Equifax breach could be most costly in corporate history, March 2, 2018

[2] Ponemon Institute, 2018 Cost of a Data Breach Study, 2018

[3] Norton Rose Fulbright, Data Protection Report, US states pass data protection laws on the heels of the GDPR

[4] CSO Online, 2018 cybersecurity trends and predictions, December 27, 2017