By Stephanie Snyder Tomlinson, National Cyber Sales Leader at Aon Risk Solutions
Analyst group Gartner predicts that 6.4 billion Internet of Things (IoT) devices – computer devices that are sensor-equipped and designed to collect and transmit data via the Internet – will be in use in 2016, while Cisco predicts that the total number of IoT devices will rise to more than 50 billion by 2020.
As the Internet of Things advances, offering new ways for businesses to create value, we are simultaneously seeing businesses become more vulnerable to an internet-based, organisational attack. The internal silos within businesses are being broken down to allow for greater connectivity and data aggregation and this evolution should not go unnoticed by boards, as it means the exposure to cyber risk now flows through the organisation. As such, it is recommended that boards consider cyber risk from an enterprise perspective, given the potential for a breach to have physical loss implications as well as financial statement impact.
That was then and this is now “It is possible that in 2016 we will see organisations experience physical losses as cyber losses migrate from the intangible to the physical world”
Historically, we have seen cyber risk limited to the liability and expenses related to a breach of private information, such as personal information, healthcare information or credit card information. Many view 2014 as the year of the retail breach and 2015 as the year of the healthcare breach.
Privacy breaches have proved that there can be significant implications to an organisation’s balance sheet and a potential impact on the board of directors. Several recent breaches have resulted in shareholder derivative actions against the board of directors, alleging a breach of fiduciary duty to the organisation. Even robust network security practices may not offer sufficient protection in these cases.
Given the evolving nature of technology, we have started to see network security breaches result in business interruption losses. When organisations suffer a network outage, there can be significant expenses in terms of computer forensics and additional costs to keep the organisation operating, as well as the loss of net income. Many of these attacks have also resulted in losses to intangible (data) assets, in which hard drives have been wiped clean of data or employees have been unable to access servers. It was recently reported that an IT specialist is facing sentencing after illegally accessing his former employer’s network and transmitting remote commands to the system that resulted in a disruption to manufacturing operations.
It is possible that in 2016 we will see organisations experience physical losses arising from a network security breach, as cyber losses migrate from the intangible world to the physical world. In late 2014, a hack on a German steel mill resulted in massive physical damage, as the malware placed on the network prevented the blast furnace from a normal shut down. In late 2015, a network security breach resulted in a significant power grid disruption in the Ukraine. Taking it one step further, there is the potential for tangible property damage or bodily injury arising out of the hack of an autonomous or semi-autonomous vehicle, or an implanted healthcare device.
From a liability standpoint, there is potential exposure for organisations involved in the design, production, delivery and servicing of the IoT device that allegedly causes economic loss, bodily injury or tangible property damage. And from an organisational expense standpoint, smart offices, factories and computer-based logistics systems face new business interruption risks.
Risky partners: storm clouds on the horizon?
Enterprise cyber risk management extends beyond the physical walls of an organisation. Increasing corporate data aggregation will continue to drive engagement with cloud providers as organisations are forced to find more efficient ways to manage their data assets. Some may argue that replacing data centres with cloud providers reduces the overall network security risk while others remain concerned about vendor engagements and the additional potential for breaches via an outsourced network (See Risky Partners graph opposite).
According to a report from Skyhigh Networks, the average company connects with 1,555 business partners via the cloud, including suppliers, distributors, vendors and customers. As more organisations engage third party vendors to help them store data – or provide additional data security monitoring protections or breach remediation – consideration should be given not only to contractual protections but also to those vendors’ cybersecurity and level of professional expertise. In December 2015, a lawsuit was filed against a Chicago-based IT security firm, alleging that it mismanaged breach mitigation, potentially resulting in a second breach against the filing organisation. NetDiligence has reported that in the technology industry, vendor-related breaches doubled from 2014 to 2015.
Cyber risk transfer solutions
With all the cyber risk facing today’s organisations, how should a board address cyber exposures? Cyber insurance is one consideration for boards as they contemplate balance sheet protection against cyber risks. Cyber insurance contemplates the following coverages:
Breach event expenses
This reimburses the insured’s costs to respond to a data privacy or security incident. Covered expenses can include computer forensics expenses, legal expenses, costs for a public relations firm, consumer notification and consumer credit monitoring services.
First party loss
- Business interruption: reimburses the insured for actual lost net income caused by a network security failure, as well as associated extra expense
- Digital asset protection: reimburses the insured for costs incurred to restore, recollect or recreate intangible, non-physical assets (software or data) that are corrupted, destroyed or deleted due to a network security failure
Cyberextortion
Reimburses the insured for expenses incurred in the investigation of a threat and any extortion payments made to prevent or resolve the threat.
Liability coverage
- Security liability: coverage for defence costs and damages suffered by others resulting from a failure of computer security, including liability caused by theft or disclosure of confidential information, unauthorised access, unauthorised use, denial of service attack or transmission of a computer virus
- Privacy liability: coverage for defence costs and damages suffered by others for any failure to protect personally identifiable or confidential third-party corporate information, whether or not due to a failure of network security. Coverage may include unintentional violations of the insured’s privacy policy and actions of rogue employees
- Regulatory proceedings: coverage for defence costs for proceedings brought by a governmental agency in connection with a failure to protect private information and/or a failure of network security
While the above represents the ‘off the shelf’ coverages available in a cyber insurance policy, it is important to note that no cyber insurance policy should be purchased off the shelf. There are more than 60 different cyber insurance carriers, all with different policy terms and conditions. As this insurance has only been available for the last 15 years, it has not yet developed into a mature product. There is a great deal of variation in coverage triggers, definitions and exclusions. As such, it is critical for organisations to engage a knowledgeable insurance broker with specific expertise in cyber insurance, in order to ensure that the policy form is manuscripted to perform as intended.
Given the evolving nature of cyber risk exposure, it is important to review all of the organisation’s insurance policies to determine what, if any, coverage is in place to address cyber exposures, including those related to vendor and IoT exposures. While generally cyber insurance policies do not address property damage or bodily injury perils, these coverages may be addressed by an organisation’s property or general/excess liability policies. However, there is a great deal of inconsistency in how property and general/excess liability insurance carriers address (or do not address) losses arising from a network security breach. The insurance industry has yet to provide a comprehensive ‘all-risk’ cyber insurance solution.
Enterprise cyber risk management
Recognising that there is no ‘one size fits all’ solution to cyber risk, it is important to take a holistic look at the cyber risk that flows through an organisation and coordinate among the various stakeholders in senior management, information technology, legal and human resources. The risk manager effectively serves as a quarterback, aligning the various departments within the organisation to effectively manage cyber risk.
Engagement and coordination with cyber risk stakeholders is recommended as follows:
- Senior management has a critical understanding of the top risks to the organisation. Coordination with the risk manager is important to help identify which risks are and are not insurable. If such risks are not insurable, then alternative risk solution options may be identified
- Information technology has the literal ‘eyes on glass’ to provide insight into incidents or ‘near misses’ and the evolving nature of cyber risk relative to the organisation
- The legal department has the perspective to understand and craft appropriate protections in contracts with customers and vendors. Key questions to be asked are:
What risk is your company assuming?
What insurance are you required to maintain?
What insurance are you requiring vendors to maintain?
- Human resources is an often forgotten stakeholder in the enterprise cyber risk equation. According to a 2015 study by NetDiligence, about 30 per cent of the total respondents attributed cyberloss events to employees. The human resources department has the ability to implement appropriate employee training to mitigate potential breaches via stolen credentials or social engineering
Effective cyber risk management is the result of having the appropriate people, tools and processes in place. It consists of knowing who is doing what and when and practicing and communicating that process. If history has taught us nothing else, it is that even robust network security may contain vulnerabilities and that when thinking about a network security breach, it is not to consider ‘if’, but rather ‘when’.
If one assumes that the abstract “widget” of 2016 is an IoT device, consider the following cyber risk exposures:
- The widget company uses a cloud provider to store all of its data and outsources portions of its IT security to a third-party vendor
- The widget company handles all of its own manufacturing in-house, in a state-of-the-art system with connectivity between information technology and operational technology. There are public internet ingress and egress points to the network and vendors have an interface to connect to the IT system
- The widget company has an ecommerce site on which customers may purchase widgets with a credit card. It also has a widget loyalty programme with more than two million members
- The widget company has more than 100,000 current employees and keeps records on past
employees for several years, as per its record retention policy
- As the widget company is publicly-traded in the US, it must disclose to shareholders how it handles cyber risk in its SEC 10-K filing, including whether or not it transfers cyber risk via insurance
This likely describes a situation in which a large number of corporations find themselves. It is critical to identify and address cyber risk exposure through an enterprise risk lens, by leveraging risk solutions, engaging the appropriate stakeholders within the organisation and enacting a process to prepare for the inevitable.
While cyber risk continues to morph and change, it is incumbent upon corporate boards to try to protect the organisation’s balance sheet from exposure to loss through effective and strategic enterprise cyber risk management.
About the Author:
Stephanie Snyder Tomlinson is the national sales Leader for Aon Risk Solutions’ Professional Risk Solutions practice, focusing on E&O and Cyber sales. She is responsible for driving innovative solutions for clients and prospects, with a strategic focus on complex and global risks. She has experience with E&O and Cyber coverage as both a broker and underwriter. Her industry focus includes technology companies, manufacturers, retailers, media/advertising firms and financial institutions.