Two experts discuss cyber threats and how an intelligence-led approach to addressing these exposures can reduce risk for underwriters, brokers and clients
The recent WannaCry and Petya ransomware attacks have reminded the international community of the far-reaching havoc that can be caused within a short amount of time by maliciously motivated hackers.
But in talking about the major cyber threats confronting the business community today, London Australia Underwriting’s James Crowther says the weakest links in any security chain are people without those intentions.
“Social engineering seeks to exploit this weak link by appealing to people’s greed, fear or curiosity and deceiving them, in order to get them to reveal certain information or allow access to an IT system,” he explains.
Crowther mentions phishing attacks, where fraudulent emails are sent with the hope of tricking recipients into sharing personal or confidential information (these are said to be on the rise). And then there are SQL injection attacks which, Crowther says, have been around for some time but continue to be commonly used to exploit companies.
“If a web developer, for example, creates an application where the user can interact with a database to add information, this developer may not have ensured the database is configured to prevent SQL injection attacks,” he explains. “An attacker can then perform a ‘get request’ function, which essentially dumps the entire database so they can obtain personal or confidential information.”
Crowther also discusses distributed denial-of- service (DDOS) attacks – another threat that can impact information availability and, often, business continuity.
“The attack comes when the perpetrator creates a slew of traffic requests on a website at once, in order to crash it or severely cripple it for a period of time, leading to a loss of revenue,” he says.
And when it comes to accidental insider threats, where individuals unwittingly cause data breaches and the compromise of systems, Crowther says there is a general lack of understanding as to its seriousness and, in fact, its existence.
“Some larger companies have included information security staff awareness training; however, it remains a great challenge for the SME sector to improve in this area as they are often under-resourced in the compliance department,” Crowther says.
The changing legal landscape
New mandatory data breach notification laws will likely take effect in Australia in about six months’ time. When that occurs, entities governed by Australian Privacy Principles will no longer be able to hide the fact of having suffered a ‘data breach’, as defined by the Commonwealth Privacy Act, and will be legally required to notify affected individuals as well as the Privacy Commissioner.
“Most importantly, with a 30-day time frame within which to assess whether an incident is an ‘eligible data breach’, the need for an efficient plan is all the more apparent,” Crowther says.
He points to a recent report published by global law firm Clyde & Co, which said the average cost of a breach involving less than 10,000 records was $220,000, while for breaches involving in excess of 200,000 records the average figure was a staggering $6.5m.
“What’s more, a large percentage – 36% – of the costs relate to IT forensic and notification costs not covered by traditional insurance policies, which cyber policies are specifically designed to cover,” Crowther adds.
zWhen it comes to boardroom involvement, directors and officers who fail to take active steps to address and manage their company’s cyber exposures may find themselves in breach of their legal duties. Passive delegation of that responsibility will not suffice.
How widely do business owners understand the need for cyber insurance in conjunction with robust resilience measures?
“Often we feel that customers do not understand the risks that they face and how they can be easily mitigated via simple risk management steps,” Crowther says.
“A cyber insurance policy should form part of an internal incident response plan and should not be thought of as the incident response plan. Brokers and their clients can always seek advice via a third party security consultant to provide some value in the risk management and corporate governance space to help with being better prepared, which will ultimately lead to more favourable terms and conditions.”
Jonathan McCoy, managing director of security consultancy firm Casobe & Co, reinforces how, as far as addressing cyber risk is concerned, proper preparation prevents poor performance.
“An appropriate, documented and tested incident response plan is fundamental as a first port of call in identifying, managing and mitigating a security breach for an organisation,” he says.
“Having a predefined appropriate protocol for incident response, with trained staff and access to immediate resources and board approval, significantly improves the time in responding to a crisis, when the organisation is most vulnerable. It ordinarily decreases the overall impact, investigation costs and recovery time by a significant factor.”
McCoy likens an organisation without an incident response plan to a ship, without navigational aids or lifeboats, sailing through dangerous waters against professional advice.
“They lack the required knowledge and preparedness to deal with an incident, often resulting in fatalities and significant costs,” he says. “It is not a matter of if an issue will transpire, but when.”
Seeing the full picture
McCoy says that companies are very often unaware of the true extent of their cyber security risks.
“As a result, they and their advisers can make a good-intentioned decision on partial or incomplete information, leading ultimately to significant weaknesses in information security and great expenditure in remediation, should an incident occur,” he says.
It’s for this reason that firms such as Casobe & Co provide pre-breach services to businesses.
“Effective pre-breach services aim to identify risk, vulnerability and threat, to manage salient risk,” he says.
McCoy says Casobe & Co provides detailed risk assessments on cyber vulnerability for its clients, seeking to establish their current risk and threats, including susceptibility and resilience to an identified risk. The assessment can also assist brokers to ensure there is limited scope for duplication of cover across a client’s insurance portfolio.
“Once risks have been established and graded, we ordinarily provide a benchmark on their current security state and identify key areas of risk, which can be managed internally or mitigated,” he says.
“Mitigation can be by way of a specialist cyber insurance product, both addressing the needs of the organisation and providing a response capability in the event of a breach.”
Additionally, McCoy says directors and officers are provided assistance in their corporate obligations with respect to their responsibility for cyber resilience and information security.
Each of these measures is designed to help brokers secure the best protection against cyber risk possible for their clients.
“Some insurance broking firms may not have the full technical resources or experience to appreciate a client risk exposure to cyber-related vulnerability,” McCoy says. “This is further complicated given the client may not necessarily know this either. As such, there is a risk that without professional advice in this area, their clients may be provisioned with a product that is inappropriate for their needs and fails to respond when needed.”
Engaging the services of a security consultancy can mean not only better coverage, but potentially even a better price.
“Taking an intelligence-led approach, an underwriter can be better appraised of client risk, and tailor key terms accordingly and/or provide subjectivities which can ensure a transitional increase in coverage,” McCoy says.
“The client will make the investment to meet the subjectivities and be provided with a premium and coverage that is appropriate, and competitive.”
No outcome is less desirable for a client than a policy that fails to respond when a loss event occurs. It is imperative to understand the client’s full risk exposures – to find the devil in the detail.
LAUW UNDERWRITING
Established in 2005, London Australia Underwriting provides brokers and clients with innovative products backed by first-class security. Any broker who wishes to establish a trading arrangement with LAUW is strongly advised to contact the management team. Details available at www.lauw.com.au.