A Guide To Cyber Risk - Digitaleschweiz.ch


Allianz Global Corporate & Specialty
A Guide to Cyber Risk
Managing the Impact of Increasing Interconnectivity

Scope of the Report

Cyber risk is now a major threat to businesses. Companies increasingly face new exposures, including first- and third-party damage, business interruption and regulatory consequences. With the operating environment for many industries changing dramatically, as they become more digitally-connected, this report examines cyber risk trends and emerging perils around the globe. It also identifies future mitigation strategies, including the role of insurance.

About Allianz Global Corporate & Specialty

Allianz Global Corporate & Specialty (AGCS) is the Allianz Group’s dedicated carrier for corporate and specialty insurance business. AGCS provides insurance and risk consultancy across the whole spectrum of specialty, alternative risk transfer and corporate business: Marine, Aviation (incl. Space), Energy, Engineering, Entertainment, Financial Lines (incl. D&O), Liability, Mid-Corporate and Property insurance (incl. International Insurance Programs).

Worldwide, AGCS operates in 28 countries with own units and in more than 160 countries through the Allianz Group network and partners. In 2014 it employed more than 3,500 people and provided insurance solutions to more than half of the Fortune Global 500 companies, writing a total of 5.4bn gross premium worldwide annually.

AGCS SE is rated AA by Standard & Poor’s and A by A.M. Best.

For more information please visit www.agcs.allianz.com or follow us on Twitter @AGCS Insurance, LinkedIn and Google.

All US unless stated

Contents

Executive Summary

The Cyber Risk Landscape Today
Increasing interconnectivity and “commercialization” of cyber-crime are driving greater frequency and severity of incidents.

Cyber Security and Protection Best Practice
Businesses must understand how cyber risk impacts their operations, how it can be mitigated and then determine their own risk appetite.

Evolution and Growth of Cyber Insurance
Cyber insurance is no replacement for robust IT security, but it can help to mitigate the impact of a number of different cyber incidents. However, challenges lie ahead.

Future Cyber Trends
Awareness of broader cyber risks will spur rapid insurance growth. As technology becomes more engrained in everyday life and business new perils will emerge.

Emerging Cyber Risks: Impact of Technology
Estimates suggest a trillion devices could be connected by 2020. The cyber risk landscape of tomorrow will look very different to that of today.

Contacts

Credits

Further Reading

Executive Summary

Key figures:
- 445bn: Estimated annual cost to the global economy from cyber crime [3]
- 200bn: Estimated annual cost to the world’s largest four economies – the US, China, Japan and Germany
- 50%: The top 10 economies account for approximately 50% of cyber crime costs

The cyber risk landscape today

- Increasing interconnectivity, globalization and “commercialization” of cyber-crime are driving greater frequency and severity of cyber incidents, including data breaches.
- Data privacy and protection is one of the key cyber risks and related legislation will toughen globally. More notifications of, and significant fines for, data breaches can be expected in future. Legislation has already become much tougher in the US, Hong Kong, Singapore and Australia, while the European Union is looking to agree pan-European data protection rules. Tougher guidelines on a country-by-country basis can be expected.
- Business interruption (BI), intellectual property theft and cyber-extortion – both for financial and non-financial gain – risk potential increasing. BI costs could be equal to – or even exceed – direct losses from a data breach.
- Attacks by hackers dominate the headlines but there are many “gateways” through which a business can be impacted by cyber risk. Impact of BI triggered by technical failure is frequently underestimated compared with cyber-attacks.
- Vulnerability of industrial control systems (ICS) to attack poses a significant threat. To date, there have been accounts of centrifuges and power plants being manipulated. However, the damage could be much higher from security sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.
- In addition to damages paid due to loss of customer data and impact of BI, loss of reputation can be a significant cause of economic loss for businesses after a cyber incident.

Cyber security and protection best practice

- Cyber risk is the risk most underestimated by businesses according to the Allianz Risk Barometer [1] but there is no “silver bullet” solution for cyber security.
- Monitoring tools, improved processes and greater employee awareness can help companies to be more prepared.
- Businesses need to identify key assets at risk and weaknesses such as the “human factor” or overreliance on third parties. Employees can cause large IT security or loss of privacy events, either inadvertently or deliberately.
- Businesses need to create a cyber security culture and adopt a “think-tank” approach to tackling risk. Different stakeholders from the business need to share knowledge.
- Implement a crisis or breach response plan. Test it.
- Cyber risk is constantly evolving. “Hidden risks” can emerge. For example, businesses should consider how merger and acquisition (M&A) activity and changes in corporate structures will impact cyber security and holding of third party data in particular.
- Companies need to make decisions around which risks to avoid, accept, control or transfer.

[1] Allianz Risk Barometer surveys over 500 risk managers and experts from 40 countries.

Cyber risk and insurance – future trends and growth

- The standalone cyber insurance market will continue to evolve but development will bring challenges, with many concepts and wordings yet to be tested, potentially resulting in litigation. This is not unusual with new products and can improve risk knowledge.
- Education – both in terms of businesses’ understanding of exposures and underwriting knowledge – must improve if insurers are to meet growing demand. Other challenges exist around pricing, modeling of risk aggregation and incidents resulting in physical damage.
- The cyber insurance market is currently estimated to be worth around 2bn in premium worldwide, with US business accounting for approximately 90%. Fewer than 10% of companies are thought to purchase cyber insurance today. However, the cyber insurance market is expected to grow by double-digit figures year-on-year and could reach 20bn in the next 10 years.
- Growth in the US is already underway, driven by data protection regulation. Legislative developments and increasing levels of liability will help growth accelerate elsewhere, as will a growing number of small- to medium-sized enterprises (SMEs) seeking cover.
- Sectors holding large volumes of personal data, such as healthcare and retail, or those relying on digitalized technology processes, such as manufacturing and telecommunications, are most likely to buy cyber insurance at present. However, there is growing interest among financial institutions and the energy, utilities and transport sectors, driven by the increasing perils posed by interconnectivity.
- Data protection and liability risks dominate the cyber landscape today. Impact of BI from a cyber incident and further development of interconnected technology will be of increasing concern to businesses over the next decade and will spur insurance growth.
- Businesses are also exposed to cyber risk through supply chains and, increasingly, will need to consider the impact of an incident in this area, such as the liability they could face if they cannot deliver their products or lose customer data, as well as the costs to resolve such issues. Companies will increasingly look to extend protection to their supply chains.

Emerging risks: impact of technology

- “The Internet of Things” will have an increasing influence on the world in which we live and businesses operate. Estimates suggest as many as a trillion devices could be connected by 2020. New technologies create new vulnerabilities. Cyber criminals could exploit this increase in interconnectivity.
- Businesses are driven by real-time data. Any interruption of the process chain – even for a minute – could cause a severe business interruption, impacting the balance sheet.
- As technology evolves, older devices that remain in use could also create vulnerabilities, especially where they rely on outdated operating systems and unsupported software.
- The use of outsourced services and storage – such as the cloud – brings risks, as well as benefits. One issue at a cloud provider could result in large BI and data breach losses for many.
- The prospect of a catastrophic cyber loss is becoming more likely. An attack or incident resulting in a huge data loss or BI – and the subsequent reputational damage – could put a large corporation out of business in future.
- A successful attack on the core infrastructure of the internet, for example main protocols such as Border Gateway Protocol (BGP) or Domain Name System (DNS), could be devastating [2].
- A major cyber-attack or incident involving an energy or utility company could result in a significant outage, physical damage, or even loss of life in future, while a cyber war between two countries could disrupt internet services around the world.
- Interest in protecting critical infrastructure is likely to see governments becoming increasingly involved in cyber security, resulting in greater levels of scrutiny and liability.

[2] Cyber Security In An Interconnected World: Recent Critical Events In A Nutshell, Allianz Group Economic Research
[3] Net Losses: Estimating the Global Cost of Cyber-Crime, CSIS/McAfee

The cyber risk landscape today

5 top trends in cyber risk

- Increasing interconnectivity and “commercialization” of cyber-crime driving greater frequency and severity of incidents, including data breaches
- Data protection legislation will toughen globally. More notifications and significant fines for data breaches in future can be expected
- Business interruption (BI), intellectual property theft and cyber-extortion risk potential increasing. BI costs could be equal to – or exceed – breach losses
- Vulnerability of industrial control systems poses significant threat
- No silver bullet solution for cyber security

Cyber risk is complex and forever-changing. Attacks and incidents are increasing with costs climbing into the multimillions. There are certain risks that cause the most concern; most notably those around data breaches and the potential for significant business interruption.

3.8m: The average cost of data breaches is rising for companies around the world, up from 3.5m a year earlier [1]

What is hacktivism?
The subversive use of computers and computer networks to promote a political agenda.

Security breaches

Over the past decade, data breaches involving personal data have become a major concern for many organizations, both in the private and public sector. Major corporations, governments and public services have all been targeted by cyber criminals or so-called hacktivists.

Since 2005 there have been 5,029 reported data breach incidents in the US, where organizations must report data breaches to regulators, involving more than 675 million estimated records, according to the Identity Theft Resource Center [2].

Some of the largest breaches include the likes of US retailers Target and Home Depot, health insurer Anthem, entertainment and electronics firm Sony and investment bank JPMorgan Chase.

The Target data breach in 2014, in which the personal details of some 70 million people may have been compromised, was one of the largest in history. It has been reported that it has cost the company well in excess of 100m, not including damage to reputation and loss of business, and was followed by the company’s chief executive leaving the post [4].

Statistics outside the US are patchy. However, there have been at least 200 breaches in Europe involving 227 million records since 2005, according to an estimate by the Center for Media, Data and Society at the Central European University [3].

[1] 2015 Cost of Data Breach Study: Global Analysis, Ponemon Institute
[2] abreaches.html
[3] ticle/663/databreachesineurope.pdf
[4] breach/

How much does cyber-crime cost the world’s leading 10 economies?

This AGCS atlas examines the estimated total cost to the global economy from cyber-crime per year, with a particular focus on the impact on the world’s top 10 economies, according to GDP.

- 445bn annual cost to the global economy (CSIS/McAfee)
- 250bn cost of cyber-crime to world’s 10 leading economies
- 200bn annual cost to top four economies
- 50% top 10 economies share of annual cost

Rankings according to cyber-crime costs: 1. US 108bn; 2. China 60bn; 3. Germany 59bn; 4. Brazil 7.7bn; 5. UK 4.3bn; 6. India 4bn; 7. France 3bn; 8. Russia 2bn; 9. Japan 980m; 10. Italy 900m

Country ranking by GDP [1]   GDP       Cyber-crime as a % of GDP [2]   Estimated cost [3]
1   US                       16.8trn   .64%                            108bn
2   China                    9.5trn    .63%                            60bn
3   Japan                    4.9trn    .02%                            980m
4   Germany                  3.7trn    1.60%                           59bn
5   France                   2.8trn    .11%                            3bn
6   UK                       2.7trn    .16%                            4.3bn
7   Brazil                   2.4trn    .32%                            7.7bn
8   Russia                   2.1trn    .10%                            2bn
9   Italy                    2.1trn    .04%                            900m
10  India                    1.9trn    .21%                            4bn

Sources: [1] World Bank (2013); [2] Net Losses: Estimating the Global Cost of Cyber-Crime, CSIS/McAfee; [3] Allianz Global Corporate & Specialty

Increasing trend

42.8m: The number of detected cyber attacks skyrocketed during 2014 – up 48% at roughly 117,339 incidents per day [1]

[1] The Global State of Information Security Survey 2015, PricewaterhouseCoopers

The frequency and sophistication of cyber-attacks and incidents continues to increase and looks likely to do so for the foreseeable future.

“As recently as 15 years ago, cyber-attacks were fairly rudimentary and typically the work of hacktivists,” says Allianz Global Corporate & Specialty (AGCS) CEO, Chris Fischer Hirs.

“In addition incidents on computer/network infrastructures (outages, disruptions of different sizes and scales) are also occurring. However they are not reported due to fears about loss of reputation or lack of legal requirements and, thus, don’t make the headlines. Alternatively, businesses manage these internally due to lack of insurance,” says Georgi Pachov, Group Practice Leader Cyber, CUO Property, AGCS.

“But with increasing interconnectivity, globalization and the commercialization of cyber-crime there has been an explosion in both frequency and severity of cyber attacks,” he adds.

Potential risk scenarios from cyber-attacks/incidents

- Critical data is lost
- Extortion
- Customers may be lost and business interrupted
- Breach of contract
- Property damage
- Product recall
- Theft
- Notification costs and other response costs; i.e. forensic IT
- Adverse media coverage/damage to reputation/lower market share – 71% of customers said they would leave an organization after a data breach [1]
- Network security liability
- Directors’ and officers’ liability
- Regulatory actions and associated fines and penalties
- Profits impacted/value of shares may fall
- Loss of trade secrets/confidential information

Enter the darknet
The darknet is an encrypted part of the internet that can only be accessed with specific software, configurations, or authorization – and is where an increasing list of criminal activities are traded anonymously. Guns, explosives, counterfeit documents – including money and credit card numbers – alternate identities and even uranium are just some of the items available for sale. The darknet is where commercialization of cyber-crime also continues to evolve, with hackers trading and developing computer “bugs”, creating further potential for future incidents.

Shifting regulatory landscape

Harsher penalties

Awareness of cyber risk is highest in the US, where strict data protection laws require companies to notify individuals of a breach.

Outside the US, data protection regimes differ by country, but there is now a general trend towards tougher rules as governments look to bolster cyber security.

“Legislation has already become much tougher in the US. Hong Kong, Singapore and Australia all have new data protection laws, and Europe looks to be heading in the same direction,” says Nigel Pearson, Global Head of Fidelity, AGCS (see map featuring commentary from law firm Clyde & Co on page 9).

The European Union (EU) is currently reviewing its data protection law, looking to introduce a new harmonized regime. While the exact scope and shape of the proposed regime is still hotly debated, it is likely to mean greater powers for regulators and more stringent rules for most EU member states.

For example, draft legislation has proposed mandatory reporting of a data breach to the regulator, and potentially to individuals affected by the breach. There are also proposals to impose larger fines for breaches of data protection laws – of between 2% to 5% of a company’s global turnover.

Similar requirements in many US states have significantly driven up the costs of dealing with a data breach.

“In Europe we can expect tougher rules on a country-by-country basis,” says Pearson. “Politically, it is difficult to be seen to be soft on data breaches. We will see more notifications and significant fines for data breaches in future.”

Consumers are increasingly likely to seek compensation for the loss or misuse of their personal data, a view that appears to be shared by regulators and courts.

At the same time companies – conscious of both their statutory and corporate social responsibilities – are beginning to recognize the need to compensate those affected by a breach.

[1] Edelman Privacy Risk Index

Clyde & Co Legal Snapshot: Around the World in Cyber Regulation

Commentary: Clyde & Co

US

Currently, there is no universal federal law governing data breach notification, although support is growing for a national standard. At state level, all but three states (Alabama, New Mexico and South Dakota) have imposed notification requirements, but these are not consistent and can sometimes conflict. Specific notification requirements exist for breaches in the healthcare (HIPAA/HITECH), financial entity (GLBA) and education (FERPA) fields.

Regulatory actions, brought by, amongst others, the Federal Trade Commission (FTC), Office of Civil Rights, state Attorneys General, California Department of Public Health, Department of Education, and Department of Justice, are increasing as regulators become more sophisticated and better trained/staffed. Investigations remain very expensive and can lead to fines or corrective actions requiring long-term compliance.

MENA

The Middle East and North Africa (MENA) region consists of several countries with distinct and separate legal systems. There is a heightened focus on cyber liability across the Middle East with several countries having recently enacted or proposed new legislation.

Focusing on the on-shore UAE regime, recent cyber-specific legislation was passed in 2012, which introduced a number of new offences. As this legislation is new, it has not been widely tested to date. Further, there is no concept of binding precedent, so while the introduction of cyber-specific legislation is a welcome move, there is still uncertainty about application.

EU

At present, data protection regimes within the EU vary, as existing legislation regulating personal data processing within the EU (Directive 95/46/EC) leaves member states free to set their own laws provided they substantially comply with the directive.

The General Data Protection Regulation will, in due course, replace the directive, and will be directly effective in all member states; the intention being to harmonize data protection regimes within the EU.

While the changes proposed by the regulation are wide-ranging, three key developments are:

- Notification – if a personal data breach does occur, and there is a “high risk” for the rights and freedoms of individuals, the data controller must inform its supervisory authority and the individuals concerned without “undue delay”. The imprecise threshold requirement means that there is considerable uncertainty around this key issue.
- One-stop-shop – any business operating in multiple EU member states will be subject to a single supervisory authority in the member state where their “main establishment” is located. The jurisdictional scope of this mechanism is controversial and the final formulation remains unknown.
- Penalties – the current proposals set out a three-tiered system, with the most serious breaches resulting in fines of up to 1m (1.1m) or 2% of worldwide annual turnover. Compensation may also be payable to individual(s) who have suffered loss as a result of any data breach.

Australia

A number of high profile cyber breaches, coupled with an estimated 20% increase in cyber-attacks on businesses in 2014, have led to the Australian Privacy Commissioner and other regulatory authorities including Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) focusing on the regulation of personal information and security of online business platforms.

Legislation requiring mandatory reporting of serious data breaches is likely to be enacted in the next year, and thereafter increased levels of reported breaches and fallout regulatory sanction are expected.

Singapore

The Personal Data Protection Act (PDPA), introduced in 2014, is the first privacy specific legislation in Singapore, and aims to provide transparency in relation to the use of individuals’ personal data.

PDPA investigations are now underway following unrelated breaches at a telecoms company and a karaoke company, in which customers’ personal data was accessed and/or leaked by hackers.

The PDPA introduces fines of up to 1m per breach.

Graphic: Allianz Global Corporate & Specialty

Business interruption an increasing concern

What is malware?
Malware is an umbrella term for the many different types of malicious software, such as computer viruses and spyware, for example. Nearly one million new malware threats were released online every day in 2014, according to cyber security firm Symantec [6].

While data breaches are a major concern for organizations holding large volumes of personal data, security breaches highlight other threats to business, such as business interruption, intellectual property theft and even cyber-extortion.

With more companies increasingly reliant on technology, business interruption exposures are becoming ever more significant; particularly in sectors such as telecoms, manufacturing, transport, media and logistics.

For example, hackers took French broadcaster TV5 off air in April 2015, affecting 11 TV stations, social media, websites and email [1]. In June 2015, hackers grounded 10 planes belonging to a Polish airline (LOT) [2] after a denial-of-access attack blocked the sending of flight plans.

Meanwhile, in 2012, “malware” disabled tens of thousands of computers at oil company Saudi Aramco, disrupting operations for a week [3].

Of course business interruption can also be caused by technical failure or human error as well, as demonstrated by two high-profile recent examples.

Stocks worth 28trn in total were suspended for three and a half hours during July 2015 on the New York Stock Exchange, with authorities reporting that the glitch was not due to cyber terrorism or criminal activity [4].

During the same month 4,900 United Airlines flights were impacted due to a “network connectivity” issue [5].

“The impact of cyber business interruption, triggered by technical failure, is something which is frequently being underestimated by businesses relative to cyber-attacks,” says Pachov.

Chart: Top risks for business: The rise of cyber risk
- 2013: 6%, ranked 15th
- 2014: 12%, ranked 8th
- 2015: 17%, ranked 5th
Source: Allianz Risk Barometer

Chart: Top risks for which businesses are least prepared
- Cyber risk: 29%
- Business interruption and supply chain: 18%
- Natural catastrophes: 16%
- Political/social upheaval: 7%
- Terrorism: 6%
Source: Allianz Risk Barometer 2015. Figures represent a percentage of all eligible responses (292 responses in total). More than one risk selected.

Cyber risk is the risk most underestimated by businesses according to the Allianz Risk Barometer.

“Companies need to be clear about the impact a cyber-attack or incident could have on their supply chain, the liability they could face if they cannot deliver their products in time or if they lose customer data, any jurisdictional laws which might apply, as well as the costs for hiring lawyers, IT experts and public relations experts to resolve any issues,” explains Jens Krickhahn, Practice Leader Cyber & Fidelity at AGCS Financial Lines Central & Eastern Europe.

“There is still the misconception that larger companies are more frequently the target of cyber-attacks because of the bigger financial rewards for criminals. But cyber-attacks have become an almost daily event, affecting small, medium and large businesses.”

The Allianz Risk Barometer surveys over 500 risk managers and experts from 40 countries. isk-Barometer-2015 EN.pdf

09w 00-passengers-warsaw-lotw er-attacks-a-wake-up-call-says/w tock-exchange-reopens-shutdownm hts-grounded-computer/m attack-hacks-security/

Industrial control systems

Recent years have seen growing concern about the vulnerability of industrial control systems (ICS), which are used to monitor or control processes in industrial and manufacturing sectors, for example.

An attack against an ICS could result in physical damage, such as a fire or explosion, as well as business interruption.

“A number of ICS still used by manufacturing and utilities companies today were designed at a time before cyber security became a priority issue,” explains Pearson.

245 recorded incidents involving ICS in 2014. The energy sector reported the most incidents, followed by critical manufacturing [1]

Vulnerability of ICS was first highlighted by the Stuxnet computer worm in 2010. Stuxnet was reportedly developed by Israel to target Iranian nuclear facilities – the worm allegedly destroyed uranium enrichment centrifuges.

ICS are also vulnerable to both technical failure and operator error as well, which can be much more frequent and severe in terms of impact and are often not captured in cyber reports, Pachov adds.

While ICS are a particular issue for the energy sector (see left), similar cyber-related physical damage and business interruption risks exist in other industries.

For example, car manufacturing plants rely on robots to make and assemble vehicles. Should a robot be hacked or suffer a technical fault, a production line could be interrupted for hours or days, at a potential cost of tens of millions of dollars per day.

And the potential cost of damages could be even higher from an incident involving security-sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.

Chart: Which cyber risks are the main cause of economic loss?
- Loss of reputation: 61%
- Business interruption: 49%
- Damages to be paid due to loss of customer data: 45%
- Loss of IP/trade secrets: 20%
- Subsequent requirement from regulatory bodies: 11%
- Website downtime: 9%
- Notification costs: 9%
- Extortion: 7%
- Other: 1%
Source: Allianz Risk Barometer 2015. Figures represent a percentage of all eligible responses to the questions (127 in total). More than one risk selected.

Chart: Which cyber risks do companies fear the most?
- Data theft and manipulation: 64%
- Loss of reputation: 48%
- Increased threat of persistent hacking: 44%
- Data exfiltration attack: 40%
- Accidental data breach: 21%
- Website hacking: 15%
- Other: 13%

[1] Industrial Control Systems Cyber Emergency Response Team, US Department of Homeland Security

Cyber security and protection

5 top cyber risk mitigation tips

- Identify key assets at risk and weaknesses such as the “human factor” or over-reliance on third parties
- Create a culture of cyber security and a “think-tank” approach to tackling risk – different stakeholders from the business need to share knowledge
- Implement a crisis response or breach response plan. Test it
- Consider how merger and acquisition activity and changes in corporate structures will impact third party data
- Make decisions around which risks to avoid, accept, control or transfer

Businesses must understand how cyber risk impacts their operations, how it can be mitigated and then determine their own risk appetite.

Everyone is a target

Size doesn’t matter
Almost two-thirds of all targeted attacks hit small- and medium-size businesses, according to cyber security firm Symantec [1]. Small companies are increasingly targeted because they can provide a backdoor into companies with more robust systems.

Whatever their size or sphere of operation, all organizations need to consider their cyber exposures and prepare for a potential incident.

“Too often we find that people believe that cyber is only an issue for the big brands, banks and retailers,” says Rishi Baviskar, Senior Cyber Risk Consultant, AGCS.

“In reality hackers are more likely to target the companies with the weakest security, irrespective of their size.”

Broad risk spectrum

Depending on the nature of its business and the sector in which it operates, a company is exposed to its own set of cyber risks.

For example, a financial institution will hold a wealth of data on its customers, the theft of which would cause immeasurable damage to its reputation. Banks also face huge business interruption exposures through the use of electronic trading systems.

In contrast, a utility company will be exposed to risks associated with industrial control systems, where a hack could cause cata
