How can we manage the dynamic nature of cyber-risk?
Integrating board governance, technology solutions, behavioural change and risk transfer solutions can help reduce risk to a manageable level.
Beyond privacy breaches
The success and increasing connectivity of the digital world has certainly created new social and economic opportunities. Unfortunately, cyber-attacks have also kept pace with digitisation. As the technology industry develops new tools and processes to thwart sophisticated intrusions, even more complex malware is being designed to wage war against governments and critical infrastructure, and cyber-criminals continue to make fortunes through social engineering and cause severe disruptions through denial-of-service attacks. Privacy breach incidents continue to dominate headlines, in large part because companies are required by regulation to report such incidents. However, privacy incidents are far from the only cyber-risk confronting businesses. They also face:
- Network outages. Whether due to malware, cloud failure, a denial-of-service attack or a system failure in general, network outages can mean lost productivity and lost revenues.
- Damage to assets. Cyber-events can damage physical assets by interfering with industrial control systems. At the 2015 World Economic Forum, many CEOs expressed concern about hackers accessing and corrupting digital assets. If such corruption goes undetected, a company might wind up trading on spurious data, producing goods using the wrong designs or ingredients, or relying on an employee database to which new names or clearance levels have been added.
- Theft. While this can take the form of financial theft through the manipulation of digital transactions or even employees, it also includes the theft of intangible digital assets. Codan, an Australian metal detection company, had its designs stolen by counterfeiters and reportedly saw its profits drop from $45 million to under $10 million in one year.
- Extortion. This often involves holding data or systems “hostage” through malware that can block access until and unless a ransom is paid or other action is taken. Hollywood Presbyterian Medical Center’s network was recently held hostage, causing emergency room patients to be relocated to other hospitals until it paid the cyber-attacker $17,000 in Bitcoin.
In addition to the commercial consequences, cyber-attacks can damage a company’s reputation and leadership, as evidenced by the termination of executives of two large organizations that were the victims of significant cyber-attacks. It is thus no surprise that cybersecurity has found its way to the top of companies’ governance and enterprise risk management (ERM) agendas. Similarly, in the 2016 Global Risks Report, three of the world’s five largest economies — the U.S., Germany and Japan — all identified cyber-attacks as a major threat to their operations.
Overview of cyber-coverages
First-party coverage for:
- Loss/corruption of data
- Business interruption
- Cyber-extortion
- Crisis management
- Criminal rewards
- Data breach response expenses
Third-party costs, settlements, judgments and sometimes punitive damages due to:
- Privacy breaches involving sensitive consumer and third-party corporate confidential information
- Transmission of malware that causes financial loss to third parties
- Security failure causing systems to be unavailable to third parties
- Rendering of Internet professional services
- Media liability for a website, including ads for other businesses on the site
Insurers also may provide event response services such as:
- Scenario analysis
- Pre-event planning and drills
- Crisis management services
- Expert coaching and legal advice
The influence of cyber-risk on ERM
Given these serious and very real consequences, it’s no surprise that the attitudes of management and boards with respect to cyber-risk management have evolved over time. No longer is cyber-risk dismissed as a problem for the IT department and given a relatively low priority. Instead, companies have adopted a proactive stance that reflects the necessity of approaching cyber-risk management as an enterprise-wide issue.
ERM provides a framework that can help companies develop cyber-risk management strategies. For example, ERM involves defining and articulating acceptable levels of risk exposure, which builds a foundation for quantitative analysis of cyber-risk (among other risks). The ERM framework can also be used to facilitate discussions between management and the board regarding how to manage cyber-risk. One stage of the ERM process is establishing a clear definition of risk management roles and responsibilities of senior officers and board members. Commonly asked questions include:
- What are our company’s most critical data assets? How are they accessed and by whom?
- What are our most business-critical systems, and what are their internal and external linkages?
- How secure are our most important vendors and business partners?
- How do we mitigate risk through some balance of internal cyber-defenses, workforce culture, employee awareness, business processes and risk transfer through insurance?
Given the potential ramifications of cyber-risk, stakeholders, including boards of directors, regulators and rating agencies, have put increasing pressure on companies to better manage it. Therefore, businesses are wise to address cyber-risk as they do other types of risk — such as natural catastrophes — through loss prevention, risk transfer via insurance and thoughtful event response planning.
Accounting for the human element
The human element as a risk factor in data security breaches is as enduring as it is troubling. Compromised laptops and phishing email scams continue to appeal to hackers as avenues to access corporate servers and the confidential, sensitive information they maintain. Effective risk management strategy and quantification must therefore acknowledge and respond to this source of widespread vulnerability.
Several cybersecurity studies have shown that approximately 60% of privacy and cyber-incidents are attributable to employee-related acts, including lost laptops, rogue employees and software errors. Those studies indicate that hacking-related claims can involve employee errors as well; a majority of such incidents are the result of social engineering or inadequate network security practices and protocols. However, none of those studies has addressed how organisations can track the extent of risk inherent in their people’s behaviours and determine how to mitigate this factor. Tackling this critical issue is not only relevant to human resource professionals charged with addressing employee behavioural issues, but also pertinent to corporate leaders, network security professionals, corporate risk managers and insurance underwriters — all of whom are links in the chain of cyber-risk management and mitigation.
To more closely examine the extent of cyber-risk inherent in employee behavior, Willis Towers Watson analysed employee opinion results from over 450,000 employees corresponding to a period during which significant data breaches were experienced within their organisations. The results were then benchmarked against high-performing companies (that had not experienced data breaches) and global IT staff. This snapshot of employee opinions within companies that have experienced data breaches suggests that workforce culture may be the first line of defense against cyber-risk (Figure 1).
Figure 1. Employee opinions of breached companies versus global high‑performance companies and IT staff
We observed significant gaps between scores at companies that had experienced data breaches versus each benchmark group. Compared to the high-performance group, employees at the breached companies gave the lowest scores to three areas of workforce culture:
- Training
- Company image
- Customer focus
When we look at responses from IT professionals, IT workers in the breached companies also reported less favorable views of training than the IT respondent group as a whole, with especially low scores on perceived training of new employees. The analysis points to new staff as a blind spot and potentially serious source of cyber-risk. Pay for performance also emerges as a challenge in the IT employee group. The findings indicate that frontline IT staff members in the breached companies perceive a misalignment between their efforts and associated rewards, potentially undermining efforts to identify and manage cyber-risk.
Compared to both benchmark sets, employees in the breached companies indicated a significant lack of customer focus. The perception among respondents that customer focus is lacking in breached organisations is significant from a risk mitigation perspective. Customer service is a foundational company value for many organisations and is essential to business success in service industries. A lack of emphasis on the customer as central to organisational performance may undermine the vigilance needed to successfully counteract attempts to steal online customer information.
Quantitative risk analysis
Quantitative risk analysis is also an important component of the ERM process. Empowered with quantitative risk metrics, organisations can make informed decisions related (but not limited) to:
- Assessing the overall risk profile
- Setting business plans and strategies
- Assessing risk transfer requirements and pricing
- Calculating regulatory and rating agency capital requirements
Including cyber-risk in such an analysis involves not only identifying, assessing and quantifying the risk, but also understanding how it affects and might correlate with other business risks.
The insurance industry and risk quantification
For insurance companies, cyber-risk is two-pronged, encompassing both their own risk and the risk they take on through underwriting. While cyber-risk has affected all industries, health care insurers have been hit especially hard given the amount of personally identifiable information, credit information and health information they possess, and the considerable amounts of money that such data can command on the dark web. Insurers can address the non-underwriting-related aspect of cyber-risk much as any other corporation would do — that is, by adopting an enterprise-wide approach that focuses on the specific data and assets at risk.
As to underwriting activities, insurers must take care to understand the coverage they are offering and quantify the associated risk. Today, most cyber-insurance policies combine a blend of first- and third-party coverages (see sidebar on page 11 for a summary of insurers’ offerings).
Most insurers that write cyber-specific policies (or policies that explicitly contain an element of cyber-exposure) have processes in place to select risks, set deductibles or attachment points, and establish the price for each policy. These underwriting processes and pricing models vary widely in approach but typically reflect factors such as the insured’s industry type, revenue and employee count, number of records, and value of assets as well as underwriters’ qualitative assessments of the insured’s network security, cyber-risk management procedures and risk culture.
Modeling risk for a cyber-insurance policy
Privacy breaches have been the headline exposure because breached data are the most readily available data about the cyber-peril. As a result, privacy breaches have been the initial focus of cyber-modeling tools, which tend to focus on industry sector and company size as key high-level drivers of an insured’s vulnerability to privacy breaches. Once a breach occurs, the potential economic loss depends on the number and type of records exposed. Different responses are required for:
- Payment card industry information such as credit or debit card numbers
- Protected health information such as medical records
- General identity data that fall into the category of personally identifiable information
A real-world breach could involve exposure to any one or a combination of these data types. Therefore, a quantitative risk model must reflect this dynamic as well as the cost per record, which may include:
- Forensic investigation and crisis management
- Credit monitoring/identity fraud remediation
- Regulatory defense and fines
- Civil liability: legal defense/damages/class actions
Data on cyber-losses other than privacy breach can be difficult to obtain, but since this is only one of the covered perils, understanding the full risk inherent in a cyber-insurance policy ideally should also include consideration of other perils, such as network outage and business interruption.
Modeling for cyber-portfolio risk
While cyber-risk insurers have a method for quantifying the risk of individual policies, they tend to be less comfortable with assessing the risk of their overall cyber-portfolio. To help insurers with this task, in 2015, Willis Re released PRISM-Re™, the industry’s first model that estimates the risk of a portfolio of cyber-policies. PRISM-Re incorporates advanced algorithms to investigate the possibility and impact of “contagion scenarios” within an industry sector and across related sectors — a useful tool given markets’ concerns about the potential for systemic loss.
Also, AIR Worldwide recently announced plans to create a stochastic model. In January, a joint effort by AIR, Risk Management Solutions (RMS), Lloyd’s of London and the Centre for Risk Studies at the University of Cambridge, supported by eight leading insurance and reinsurance companies, produced a cyber-exposure data schema, which offers a standardised approach to identifying and reporting cyber-exposure data. Moreover, in February, RMS announced a quantification framework for cyber-accumulation based on five key scenarios. This deterministic top-down approach differs significantly from, but complements, PRISM-Re’s stochastic bottom-up modeling approach. Then in April, AIR released the industry’s first open-source scenario and announced plans to release a series of such scenarios over the next 12 months. That same month, at the 2016 RIMS conference, Willis Towers Watson unveiled Cyber Quantified, a network outage and privacy breach model to help clients better predict and quantify cyber-risk and potential loss; a similar model is slated for Willis Re’s insurance company clients, which can be seen here.
These developments reflect the insurance industry’s commitment to and keen interest in cyber-modeling. Still, cyber-models, like the risk itself, are quickly developing. As we observed with property catastrophe models, our understanding of the risk will continue to evolve and the capabilities of cyber-modeling tools will expand. For example, the new area of study involving workforce culture and cyber‑risk offers an exciting new angle that can allow insurers to do a better job of quantifying risk for both individual insurance policies and insurance portfolios. As with all models, the critical factors for cyber-modeling will be the availability of data, the state of the science in understanding the peril and the insights that allow model builders to shed new light.
Given the dynamic nature of cyber-risk, organisations would do well to adopt a multidimensional approach in which each component on its own does not prevent the risk but, in an orchestrated fashion, can help reduce it to a manageable level. Thus, organisations should consider the following approach, which cyber-insurers would (and should) also view favorably during the underwriting process:
1) Develop a forward-looking governance framework. This effort should be led by the board, which should set the business strategy for the organisation regarding cyber-resiliency and hold the C-suite and other senior executives (e.g., legal, risk management, technology and HR) accountable for organisation-wide implementation. The board must fully understand the organisation’s vulnerability and susceptibility to attacks (i.e., who, why and how) and categorise and quantify assets that may be at risk in order to ensure that the framework is implementable, adaptable and sufficiently fluid to address emerging threats.
2) Identify the organisation’s “crown jewels” — assets critical to its reputation and operation — and conduct regular IT and operational technology data stress-testing to improve detection, monitor for corrupted assets and reduce hackers’ return on investment.
3) Consider technology as one of several lines of defense.
4) Develop a cybersecurity workforce culture that attracts and retains qualified IT professionals and incentivizes all employees to protect the organisation’s digital assets.
5) Use data and analytics to quantify cyber-exposures and inform risk choices, including risk transfer and capital allocation.
By implementing this multidimensional approach — combining board governance and technological solutions, influencing human behavior and leveraging risk transfer solutions — organisations can mitigate cyber-risk in order to enjoy the growth potential of a connected future.
Adeola Adele specialises in employment practices and cyber-risk at Willis Towers Watson, New York
Kevin Madigan specialises in P&C enterprise risk management at Willis Towers Watson, New York
Patrick Kulesa specialises in employee research and organisational culture at Willis Towers Watson, New York
Alice Underwood specialises in reinsurance analytics at Willis Towers Watson, New York
For any further enquiries please email Software.Solutions@willistowerswatson.com