Data loss – businesses under siege
Thu 09 Jun 2011
The audacious hack attack on Sony has heightened fears among risk managers over the huge potential cost of data loss
With hacker attacks hitting the headlines almost every day recently, perhaps it shouldn’t be surprising that the workshop on cyber crime was the best attended at this year’s AIRMIC risk management conference in Bournemouth.
Over 100 risk professionals crowded the workshop, which was hosted by Lloyd’s broker Miller Insurance Services, to debate the risks posed by cyber crime in today's business environment and the potential solutions.
The big turn-out reflects the heightened concern felt by the risk management community following a spate of attacks on companies, including technology giant Sony. Sony has suffered several serious attacks recently, including one that targeted its PlayStation Network and Sony Online Entertainment services. The stolen personal data included names, passwords and addresses of more than 100 million accounts.
The company has estimated that the data breach will result in a $170 million hit to its operating profits.
In a further incident, the company admitted that the personal data of 2,000 consumers was stolen from a Sony Ericsson website in Canada, while details of 8,500 users were leaked on Sony Music Entertainment’s website in Greece.
Cyber crime on the rise
Hostile cyber attacks on companies accounted for nearly one third of all UK data breaches in 2010 - up from around 22% the year before - and the incidents are becoming increasingly expensive.
A survey by the Ponemon Institute found that the cost of a data breach rose in 2010 for the third year running. The average data breach incident cost UK organisations £1.9 million or £71 per record, an increase of 13% on 2009, and 18% on 2008. The incident size ranged from 6,900 to 72,000 records, with the cost of each breach varying from £36,000 to £6.2 million. The most expensive incident increased by £2.3 million compared to 2009.
Delegates at Miller’s AIRMIC workshop heard that the cost of detecting and fixing security gaps is only one issue, as there is huge expense incurred in informing potentially millions of customers whose data has been compromised, and monitoring their credit ratings going forward.
The expenses associated with a data breach include detection, escalation, notification, and customer churn due to diminished trust.
Nick Alston of Digital Barriers, a panellist at the AIRMIC workshop, discussed the changing face of cyber crime. He said it is no longer an activity carried out by a single person, but has been taken over by major organised crime.
He went on to warn that, while businesses may be focussing closely on their own IT security, the risks around outsourced services are much less well-understood. “Companies should be asking themselves how well do they know the companies they are working with and how are they protecting data?” he said.
Risk manager Chris Maurice from telecoms corporation BT plc spoke about the risks a heavily data-driven business can face, and how data risks should be treated like any other property or liability risk. “This places a responsibility on the risk manager to understand both IT terminology and the role it plays within an organisation, so that they can take an informed view on what is critical to the business and decide what [insurance] cover is required,” he told delegates.
Graeme Newman, of Lloyd’s specialist MGA CFC Underwriting, explained that hacker attacks, such as the recent Sony incident, have sensationalised cyber crime. As a result, there are many more incidents, such as laptops being left in the back of cabs, that need to be considered.
“It is so topical these days that even minor incidents are widely reported, and that magnifies the reputation risk around problems,” he said. “At the same time regulators in Europe are pushing more responsibility onto a wider range of businesses.”
Companies need insurance to protect themselves
Such concerns mean that businesses are increasingly interested in insuring themselves against the potential costs that could result from data breaches or data loss. CFC Underwriting offers a standalone cyber insurance product that includes cyber, privacy and social media related risks.
The cyber part, for example, covers third party liability and first party losses, the cost of restoring data and even business interruption loss of revenue. The broad privacy cover includes customer notification costs and credit monitoring for affected individuals.
“Data represents a whole new world of liability risk and businesses in Europe increasingly recognise that they must manage it in the same way as their other big liability exposures,” Newman told lloyds.com.