Risk managers from the global communications and technology industries met with leading risk specialists at a high-level seminar in Austria organised by Lloyd’s broker Jardine Lloyd Thompson.
They were there to learn about the latest threats to their sector and how those threats are exacerbated on one hand by advances in technology and on the other hand by the economic recession.
From phishing to whaling
Rik Ferguson, senior security advisor at Trend Micro, worried delegates by explaining how organised crime is moving into cyberspace.
“Take control of your online profile” was Ferguson’s key loss prevention message. Use social and professional networking, but use it wisely, Ferguson advised.
“We are all too free with our personal details,” he said. “We hear a lot in the news about lost data sticks and laptops stolen from cars, but malware actually accounts for most lost data.”
There is a huge evolution in the cyber threat and specifically in the use and availability of malware, Ferguson explained.
In 1988, fewer than 2,000 unique malware samples had been logged. By 1998 the figure had risen to 178,000 and in August 2008 reached nearly six million.
Rising in the priority rankings
In a seminar session dedicated to cyber liability and reputational risk, Luke Foord-Kelcey (partner at JLT) pointed out that digital and cyber risks have jumped up the list of priorities for most risk managers.
“The privacy and security related risks that arise from such events expose organisations to regulatory actions, liability claims and direct [first party] losses,” he said.
As well as the more tangible losses linked to network disruption, cyber extortion and data loss, the reputational risk is huge. “And nobody is immune,” he warned.
Enforcement
Foord-Kelcey said that cyber crime is unusual and difficult to cope with because the usual law enforcement defences are simply not able to combat the threat: action by bodies such as the Serious Organised Crime Agency is almost entirely limited to disruption, with little done in the way of prosecution.
Speaking about IT security, he said, “The problem there is that cyber criminals are generally pro-active, whereas cyber-security measures are mostly reactive.”
Insurance available
But insurance cover relating to network security and the loss of intangible assets (such as licenses or intellectual property), extortion and non-damage business interruption is available.
Likewise, privacy protection risks and/or third party liability exposures can be insured by a small but evolving market. Insurance available includes cover for:
Liability protection for consumers’ personal data, even when protected by law
Defence costs of alleged violations of privacy or security regulations
Network security third party liability following cyber attacks.
Risk management
Risk managers whose companies are adapting to the opportunities presented by the internet have a lot to think about.
Charmian Steven, head of internal audit at media group Trinity Mirror, explained how her company has diversified into a multimedia organisation, multiplying its exposures, for instance to customers’ personal data and reputational risk.
A risk review revealed how the group’s risk profile was changing and that insurance covers were not necessarily keeping up.
“New business models bring new risks and traditional IT security measures and insurance cover are not always enough,” she said. “Laws and regulations are not specific to the digital world and rules are emerging on a case basis.”
Based on her experience, Steven advises organisations whose business is exposed to cyber threats to first reduce the risks and then look at the new insurance products on offer.
“Take advice from your broker and use the experiences of other industries and businesses,” Steven stressed. “Look at the new insurance policies that are becoming available to protect against cyber threats and carry out a cost benefit exercise to see if they will work for you.”