
Adam Vincent, Co-Founder and CEO of ThreatConnect, explores the increasing risk of cyber attacks and the serious financial damage they can cause. 

Recent high-profile incidents, including the ransomware attacks against the Colonial Pipeline system and JBS USA, the world’s largest meat processor, demonstrate the urgent need for critical infrastructure owners and operators to adopt a risk-led cyber security program. It is becoming clearer by the day that these major firms are not having the proper risk conversations between their cyber security experts and business executives.

Cyber security must be treated and communicated to executives the same way as other critical business risks. “Cyber security is now a critical enabler for most businesses to continue operating,” said Michael Daniel, President & CEO of Cyber Threat Alliance, in a recent interview. “And it needs to be framed in that way. And I think that’s very much the place that we need to move is putting it in those business terms, framing it in those risk terms.” 

Organisations should be quantifying risk – including cyber risk – based on potential financial and operational impact. The process of doing so creates a common goal that unifies security teams and business leaders. My firm, ThreatConnect, recently conducted a survey and found that 70% of security professionals received “medium to high levels of pressure to produce cyber risk quantification data for their business.” A more telling aspect of the survey, however, showed that half of the respondents said they lack confidence in their ability to communicate and report the financial impact of cyber risks, prioritise vulnerabilities and security alerts, and justify their future investments to mitigate those risks. The reason for this is two-fold:

Unfortunately, the only way to completely eliminate risk is to cease operations. Understanding that there’s always going to be some residual risk, the question then becomes: what is the risk appetite of the business? A good way to determine this is to zero in on your organisation’s key value proposition and then think about the mechanisms by which a cyber incident could undermine those business metrics. Automated cyber risk quantification (CRQ) enables enterprises to quickly model changes in their security posture to understand the financial and operational impact of a cyber incident. ‘What-if’ analysis allows business leaders to answer the tough questions using real-world analysis to show the cyber risks associated with:

Automated outputs are generated in just hours for reporting that is more current and relevant. By automating risk modelling, businesses get a fast start and can then critique or tune models over time, instead of having to create their own.

Armed with metrics like business interruption, reputational damage, and legal fines, security leaders can better communicate and justify their security initiatives. Attaching a financial impact to potential threats can help your various stakeholders see what deserves priority, estimate the net financial loss if an attack is successful, ascertain whether the organisation has proper controls in place, and determine whether future technology investments are necessary. 

The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface, makes our ability to accurately quantify and prioritise cyber risks within the context of our individual businesses an urgent priority. But when business networks and systems can be compromised in a way that disrupts or halts industrial operations, that points to a clear failure to identify, understand, prioritise and remediate the most critical cyber risks facing one’s organisation.

Bridging the gap between cyber security and business, however, remains an aspirational goal for many who struggle to understand where to begin. We cannot allow this situation to continue in the critical infrastructure space. Our critical infrastructures need a risk-informed decision and operational support platform that can help them prioritise and focus on the risks that matter most and can leverage threat intelligence to drive orchestrated response. It is our single best chance of improving cyber security outcomes and protecting our businesses from harm.

The world’s biggest work-at-home experiment has now shifted into a more permanent structural change, leaving companies grappling with the next operational challenge – intensifying cybercrime. Prior to the pandemic, businesses typically over-relied on in-office cybersecurity systems to protect data, because they rarely had to worry about threats to data outside of the workplace. Fast forward to March 2020, and companies had to quickly recalibrate their entire operations or face their business model being rendered redundant. Since the crisis took hold, approximately 90% of banking and insurance workers worldwide transitioned to a work-at-home set-up[1], the majority of whom are accessing corporate and customer data online on insecure devices.

The scope for cybercriminals to exploit the vulnerabilities of remote technologies to commit financial crimes has increased exponentially for customers being onboarded, and having their financial matters dealt with online. While safeguarding customers remains at the top of the corporate agenda, providing a seamless, omnichannel digital experience cannot be compromised. In this fast-evolving FinTech landscape, financial services must seek to leverage technology that can both meet increasing expectations for an elevated customer experience and fight internal and external cybercrime. The industry has an important opportunity to leverage Artificial Intelligence (AI) solutions, used in the front-office, to prevent and react to threats, potentially saving billions in lost funds – not to mention protecting brand reputation.

Fast-evolving threat landscape

According to a recent report, the financial services sector fell victim to over half (51%) of all opportunistic cyber-attacks during the crisis[2]. Fraudsters have been launching sophisticated attacks to impersonate financial organisations, by luring in customers with fake emails or phone calls offering financial assistance, only to extract customer data. In fact, impersonation scam cases in the UK were up a staggering 84% in the first half of the year compared to the same period last year[3].

As financial services companies expand their omnichannel offerings, to meet the demand for real-time access to services, so too does the opportunity for potential vulnerabilities. Interacting with customers requires access to their personal information on a granular level, with each interaction involving a traditional phone call, but likely to also include a communication via chat, email, SMS, social media, or all channels combined. Out of 5.2bn financial transactions in the first half of the year in the UK, 84% of these are through mobile devices, broadening the number of access points and the opportunity for exploitation.

Safeguarding data with AI

Customer-facing AI chatbots present an affordable solution in fraud detection and payment protection – capable of identifying anomalous activity that could be easily missed by human agents. This helps to rectify a staggering 90% of data breaches in the UK that were down to human error last year[4]. Used to assist customers in a number of financial transactions, such as reviewing accounts and making payments, chatbots allow users to handle simple tasks on their own, but in a highly secure manner.

Leveraging deep Machine Learning (ML) capabilities, AI-powered chatbots are programmed to learn patterns of work across multiple banking channels. By monitoring vast datasets that have been collected from past incidents, companies can recognise inaccuracies in payment information or unusual behaviours of users to continuously improve detection capabilities. Alleviating pressure from IT teams in the process, security analysts can refocus their time and resources toward actual cases of fraud and strengthen trust with affected customers. Lessons learned can then be quickly communicated and translated into targeted training for affected work groups and used to tailor customer experiences accordingly.

By prioritising AI for risk reduction systems, financial services can avoid hefty fines for failing to detect fraud and improve acquisition and retention. Customers are more likely to choose or stick with trustworthy banks that have a good track record of preventing cyber-attacks.

Banking on an AI-enabled future

It has fast become table stakes for financial institutions to build and implement robust security software and include fraud prevention and detection tools at a keystroke level. Leveraging technologies that are already used on consumers’ digital channels, and using these to secure each point of interaction, can help build an ecosystem of trusted devices while maintaining a consistent user experience. As a self-learning solution, AI-powered chatbots can assume future attack scenarios in the uncertain post-pandemic world – keeping the internal infrastructure running smoothly for employees, whilst maintaining consistent and safe online transactions for customers.

[1] https://www.bis.org/fsi/fsibriefs7.pdf

[2] https://uk.finance.yahoo.com/news/covid-19-leads-to-surge-in-cyberattacks-144142232.html

[3] https://www.ukfinance.org.uk/covid-19-press-releases/impersonation-scams-almost-double-in-first-half-of-2020

[4] https://www.infosecurity-magazine.com/news/90-data-breaches-human-error/

Cyber-attacks are the new normal, so CEOs are looking for ways to protect their businesses from emerging risks. From large corporations to small businesses, everyone is a potential target for hackers.

In 2020, the trend does not seem to be subsiding. Hence, many are looking into a form of cyber insurance that would cover them if worse comes to worst.

The question presents itself: what is this insurance coverage, and what does it leave out? And, more importantly, what are its main pros and cons?

Cyber Insurance: What Does It Cover?

In no particular order of importance, cyber insurance covers the following:

1. Media Liability

Advertising your services can result in intellectual property infringement. Cyber insurance covers its consequences (patent infringement not included). Do note that it covers both online and offline forms of advertising.

2. Network Security

With information and privacy risks abounding, you need to keep your bases covered against network security failure. It includes malware infection, business email compromise, cyber extortion demand, and ransomware.

If you have cyber insurance, you can recover first-party costs related to:

Cyber insurance covers against malware infection, business email compromise, cyber extortion demand, and ransomware.

3. Errors and Omissions

If a cyber-attack hits you, you could find yourself no longer able to fulfill your contractual obligations. That leaves your customers hanging.

You won’t be able to focus on consulting, upkeep, and other services. Once there is a cyber incident, all your time and energy go toward addressing its repercussions and minimizing the damage.

Since your customers may not be as understanding as you’d like them to be, it makes sense to protect yourself by investing in cyber insurance.

4. Network Business Interruption

Modern businesses tend to rely on advanced technology to remain operational. In the event of an incident, some form of interruption is imminent.

For instance, if your provider’s network goes down, you can’t recover expenses sustained as a result and lose profits as well. Think of system failures, unstable system patches, security failures, human error, and more.

5. Privacy Liability

When a breach happens, it can expose the sensitive data of your customers that lies on your servers. As a result, your business could be held liable.

So if it comes to a class-action lawsuit, there will be legal fees to cover. Regulatory fines resulting from the likes of GDPR are another threat. It could bring your company to its knees. Without insurance, you could find yourself closing down the doors for good.


What is Left Out?

As comprehensive as it may be, do bear in mind that cyber insurance does not cover everything. For instance, losing value due to theft is not part of it. Nor does it cover the loss of potential profits in the future. It also doesn’t allow you to improve your existing internal technology systems or amass the funds to make security upgrades.

The Advantages of Cyber Insurance

To sum it up, these are pros of cyber insurance:

The Disadvantages of Cyber Insurance

As with all things insurance-related, there are also some downsides to it:

If a business operates with a more modest budget, they may not have the funds necessary for insurance.

What are The Additional Measures to Take?

As you can see, there is no one-size-fits-all solution. You need to protect your business on multiple fronts.

Conclusion

Cyber insurance remains an important consideration for every executive. The more your company depends on technology, the greater is its role. Once again, assessing the risks lies on your shoulders. Depending on the nature of your business, you stand to gain more than there is to lose.

In November, news broke that Tesco Bank had been hacked and that 20,000 customers fell victim to thefts from their balances. This was just one in a long line of recent high-profile cyber-attacks that also saw the likes of Yahoo!, LinkedIn and Ashley Madison suffer serious breaches.

When it comes to looking at the reasons behind cyber-attacks on businesses, currently the majority of breaches are from database assaults, whilst a smaller but still significant amount (around a quarter) are reportedly due to negligent employees or contractors. Yet these are only two of a number of methods by which hackers can gain entry. Motivations for the attacks can be equally varied, from morally or politically inspired hacks, as with the Ashley Madison breach, to, as is more common, financial gain or competitive advantage.

According to a UK government report, intellectual property theft is the most damaging form of cyber-crime for businesses in the UK, reportedly costing an estimated £9.2 billion. It is easy to understand, therefore, why cyber-security companies are such hot targets for investment and acquisition. Cyber-security firm Cylance, for instance, recently completed a Series D funding round at a valuation rumoured to be near $1 billion.

The effect of a hack on companies can be severe. The 2015 cyber-attack on TalkTalk, in which almost 157,000 customers’ bank details were accessed, reportedly cost the company £42 million and led to a loss of roughly 100,000 customers. Meanwhile, many commentators expect the 2016 Yahoo! attack to negatively impact the proposed $4.8 billion sale of its core business to Verizon. What’s more, the new EU Data Protection Regulation, set to come into force in 2018, empowers regulators to levy fines of up to 4% of turnover, or €20 million, for each breach.

Yet regulators are not the only ones watching; potential suitors are, too. For companies seeking investment, a sale or an initial public offering, the negative impact of a successful breach could apply downward pressure on valuations. Even for those companies not actively looking for a significant corporate event, a depressed valuation, and the impact on cash and forecasts, could bring aggressive suitors to the door.

As cyber-attacks become more frequent and more powerful, the sensitivity of potential purchasers to the risks has increased. Targets must expect greater scrutiny of previous breaches and the measures in place to defend against attacks. Whereas it is difficult to control the actions of employees and contractors, companies will not be easily forgiven for failing to implement appropriate cyber-security measures and compliance plans. Conversely, demonstrating that efforts have been made should help reduce the risk of regulator fines and civil action. Having to disclose inadequate policies as part of a due diligence exercise is a potentially damaging action that could be avoided. Similarly, a business’ timely and proportionate reaction to a data breach is essential to instil trust and confidence in customers and suitors alike.

Despite there being a lack of prescriptive standards to adhere to, some best practice tips promoted both by the UK Information Commissioner’s Office and security services include the following:

This is a good starting point for identifying areas of vulnerability that hackers will exploit and also helps provide an insight as to the topics that should be investigated as part of a due diligence process. Of course, the next step is to have sufficient expertise available to assess the commercial and legal strength of the responses.

With the ever-expanding amount of non-physical, commercially sensitive information being stored virtually, combined with the frequency of hacks, the importance of cyber-security will only increase. All companies must ensure a robust security strategy is in place for the sake of their own day-to-day activities and for preserving company value. Nothing brings the strength of these systems into sharper focus than an attack or the probing questions of a sophisticated CTO, technology expert or lawyer as part of an audit or due diligence process.

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.