Legendary US bank robber Willie Sutton famously said that he robbed banks “because that’s where the money is”. If he were active today, his focus of attention would be the internet.
A new report from Lloyd’s emerging risks team, Digital Risks: Views of a Changing Risk Landscape, reveals how criminal activity in cyber space is an increasing threat to business – and analyses the difficulties companies face when trying to mitigate that threat.
Digital technology is now the engine of commerce, powering transactions and enabling businesses to reduce back office data processing and storage costs. But, the report shows, as businesses have become more dependent on the internet, criminals have migrated into cyber space to carry out potentially lucrative digital attacks undetected and sometimes unchallenged.
Silent cyber crime on the increase
Nuisance-value virus attacks carried out by hackers continue to dog businesses, causing services to crash, the report explains. But more serious “silent” cyber crime is on the increase, with sophisticated criminals breaching inadequate safeguards to steal confidential data that can be exploited, sold on or held to ransom.
Malware, spyware and crimeware belong to the new IT lexicon that risk managers must learn about, the report explains, if they are to protect themselves against impacts that are as varied as the vulnerabilities themselves.
Third-party liability exposures relate to stolen data, while first-party risks include extortion, espionage and regulatory action carrying big fines. Long-term reputational damage is perhaps the most deadly, yet hardest to quantify, direct impact of a security breach.
Indirect but equally costly impacts include lost productivity, data retrieval, and irretrievable data loss.
Attacks becoming more sophisticated
The problem faced by businesses and highlighted in the report is that attacks are becoming more sophisticated and cyber criminals are targeting new digital technologies as they are developed.
As a result, Lloyd’s advises risk managers to take a rigorous look at new applications to examine where their vulnerabilities might lie.
But with businesses moving quickly into new digital territories, such as cloud computing, mobile technology and Web 2.0, as the report explains, their ability to stay on top of cyber threats can be compromised.
The cyber risk landscape is constantly changing and, as a result, unlike other areas of corporate risk, there is no way of testing a digital security system.
It is possible, however, for companies to assess their vulnerability to attacks, the report points out. A case study in the report shows how the ISO 27001 standard can help organisations build a risk management framework to mitigate cyber threats. This sort of quality management can also help with risk transfer, where insureds can confirm to their insurers that they are compliant, or certified secure.
A systematic approach to digital risk management is important, the report says, because threats do not begin and end with criminals and the internet. Related emerging technologies such as GPS, the global positioning system operated by the US military, are now used for critical processes in a number of industries, for example. A loss of signal could lead to catastrophic and systemic failure in several industry sectors.
Similarly, the digital world is vulnerable to flooding or windstorm: insurers and their clients need to examine the geographical aggregations of their critical IT and their exposure to natural disasters.
Insurers must consider cyber threats
Insurers have grown expert at modeling and mapping such physical threats to their clients’ businesses. Now both parties have to consider the exposures that are multiplying in cyber space and the products needed to cope with them.
As the Lloyd’s report points out, industry and society stand to benefit hugely from advances in digital technologies, so the risks that populate cyber space must not be allowed to stifle innovation.