Cyber-Risk and the Insurance Industry's Double-Edged Responsibility
Insurance Experts' Forum, July 27, 2012
The World Economic Forum at Davos surveyed 469 experts and industry readers for its publication on the top risks facing world economies, Global Risks 2012. Of the top five global risks in terms of likelihood, only one, cyber-attack, could be said to have potentially significant insurance coverage available.
Even there, the potential for damage may not be well-understood by businesses if one measures that by the take-up rate. Recent reports on the Stuxnet and Flame malware may have raised awareness of the damage cyber-attacks can do to a network, but few may realize how insidious and dangerous a good hacker can be, even without causing meltdowns or obvious destruction.
A New York Times small business report from June 14 noted just such an example of cyber-disaster that many business owners may not have considered or may have presumed was someone else’s problem. It told the story of a small business whose office manager violated protocol and visited a social networking site, infecting her computer. That allowed hackers access to the company’s banking information. They “made two automated clearinghouse batch transactions with the office manager’s user name and password, routing stolen money to eight other banks across the country,” the Times said, stealing a total of $125,000.
Fortunately, they were covered by insurance. Most businesses may not be, wrongly assuming commercial accounts receive the same protection as personal accounts where banks may restrict the account owner’s liability. Oops! That’s especially unfortunate since these types of crimes are rising, with the Times saying one research company estimated more than 10 percent of small businesses have had funds stolen from their bank accounts, with losses totaling about $2 billion.
One might think small businesses, which probably are the least equipped to survive this kind of attack, would take advantage of the available insurance. But the CFO of the company mentioned in the Times report said brokers told her only one in 10 small businesses ask for this type of insurance.
Lest big businesses, like many insurance companies, feel complacent, I had the good fortune of recently hearing a presentation by Lieutenant General Harry D. Raduege, Jr., (USAF, Ret). The General is now Chairman of the Deloitte Center for Cyber Innovation, but previously led the Department of Defense preparation for Y2K and was in charge of communications during 9/11.
The General pointed out that cyber is becoming the Pentagon’s fifth domain, joining air, land, sea and space. This is a recognition of both its importance to our nation and the possibilities of cyber warfare.
He quoted current Defense Secretary Leon Panetta as saying when he was CIA Director: “The next Pearl Harbor we confront could very well be a cyber-attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems…This is a real possibility in today’s world.”
Unfortunately, we may not be ready. According to polls of global experts from the last two Worldwide Global Cybersecurity Summits, 61 percent anticipate the impact of losing global connectivity for an extended period of time to be catastrophic with irreversible consequences while 54 percent doubt their organization is capable of defending itself against a sophisticated cyber-attack.
This is all while the world moves from the presumption that it would take a government to launch a major cyber-attack, to a place where groups like Anonymous and LulzSec have demonstrated that small groups of individuals can be just as destructive. It also comes when rumors have surfaced that the United States has been at least partially responsible for some cyber-attacks, raising the possibility that terrorist groups, already well-versed in the art of asymmetric warfare, may extend the conflict to the cyberworld at our most vulnerable spots—attacking corporations through the use of bots, for example.
All this should prompt two responses from insurance companies. The first is to beef up their own technology, including their ability to repel and respond to cyber-attacks. One cybersecurity company has estimated the average cost of 24 hours of downtime from a major cyber-attack was $6.3 million. But the direct cost is not the worst of it for an industry dependent on its customers’ trust. In addition to financial loss, not being properly prepared carries significant reputational and strategic risks.
The second response is to look outward to help our customers be prepared, including educating them on the need for coverage in order to recover from cyber-attacks. As the industry gets its own house in order, we become even more credible on the subject.
That may mean organizational investments in information technology and talent, but effective cyber risk management may prove just as important for future survival as the other forms of enterprise risk management we now accept as essential.
Howard Mills is a director and chief advisor of the Insurance Industry Group of Deloitte LLP and can be reached at firstname.lastname@example.org.
Readers are encouraged to respond to Howard using the “Add Your Comments” box below.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.
Add Your Comments...
If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.
You must be registered to post a comment. Click here to register.