k88nFi

Recommendations

Info

FIGURE 4: RISK PROFILE FOR LARGE BUSINESSESMaterial(could cause abalance sheet loss)(A)IP theftPrivacy event(liabilty and incident response)(F)SEVERITYHarmful(could impactannual profit)(J)Death and bodily injuryPhysical asset damage(I)(G)(B) Network business interruption(H) Reputational lossNetwork security liabilityLow-loss level(no material impacton annual profits)(D)Cyber extortion(C)Data/software damage(E)Crime/fraudUnlikely(0.5% - 1% chance)Possible( 1% - 5% chance)PROBABILTYLikely( 5% - 25% chance)For large organisations, intellectual property (IP) theft is seen as the risk that could have the most severe impact.Quantifying the economic damage caused by the loss of IP or commercially sensitive data is challenging,however, because IP assets are difficult to value and the loss suffered by an organisation is dependent upon howthe attacker uses the acquired information. In addition, not all industry sectors are affected in the same way,with IP-rich segments like aerospace and defence, chemicals and pharmaceuticals, and creative media amongthe most targeted in the UK 12 . There is also less information available for this type of event than for other types ofloss, partly due to the fact that incidents are harder to detect and, if detected, more likely to be kept confidentialby the victim.Two other key risks identified by this analysis are the unauthorised disclosure of personal data and system outageevents. In particular, losses deriving from the unauthorised disclosure of personal data have a higher severity andfrequency than most other risks; a recent high-profile example of this type of loss is the case of a large US retailerthat suffered a breach involving approximately 40 million payment card records and the personal data of around70 million further individuals, following the infiltration of their corporate network via a link with a third-partycontractor. The breach resulted in significant costs incurred to respond to the incident, in addition to defendingliability claims. Disclosed costs currently stand at £160 million and continue to rise.Network business interruption or system outage events also display relatively high frequency and severity.Recently, two major games console manufacturers, with a combined total of nearly 160 million subscribers,had their online services disrupted by massive distributed denial-of-service (DDoS) attacks, which took thecompanies’ services offline for more than 24 hours.Reputational damage is a relatively high-frequency event, as most cyber breaches can have a reputational impactif not handled adequately. Severity for this type of damage is difficult to quantify, but it is an area where properincident response can limit the severity of loss. This is in line with the 2014 Information Security Breaches Survey,which estimates that reputational damage accounts for around 5%-20% of the cost of a cyber-security breach forlarge businesses.12 Cyber-attacks: Effects on UK Companies, Oxford Economics, Oxford, 2014.12 • UK Cyber Security
Physical losses are a growing concern – both in terms of severity and frequency – given the interconnectednessof cyberspace and the physical world. One example of this new category of risk can be seen in the way thatindustrial control systems operate in the energy sector. Today, these new generation control systems are builton the concept of openness and interoperability, and this has exposed the sector to a host of cyber securityrisks that are only just beginning to be understood. A recent example of a physical loss resulting from a cyberattack occurred at a steel mill in Germany, after hackers managed to gain access to the control systems followinga successful “spear phishing” attack, which targeted particular individuals for login details. Once access wassecured, the hackers were able to cause the unscheduled shutdown of a blast furnace that resulted in “massivedamage”, according to the German Federal Office for Information Security.For the time being, the probability of death and bodily injury resulting from a cyber attack is considered tobe negligible. We should note, however, that in future, as more devices go online, cyber hacks and systemmalfunctions could pose a more material threat to human life.Physical lossesare a growingconcern – both interms of severityand frequency– given theinterconnectednessof cyberspace andthe physical world.The picture for SMEs (see Figure 5) is broadly consistent with that for larger firms, but for this segment ofcompanies insurers see a higher incidence of cyber crime. For example, a small broker was targeted by aphishing scam, where an email containing a link to malicious software was sent to the financial controller withinthe business. The controller was tricked into installing the software onto their PC, and this software was used tosteal banking credentials. The cyber criminals were subsequently able to complete electronic wire transfers tothe total of £100,000 over the following 10 days.SMEs are also considered to be at a greater risk of data/software damage. This reflects the belief that SMEs aremore vulnerable to attack and lack the back-up disaster-recovery solutions of larger firms. On the other hand,with the exception of those working on innovative technologies, most SMEs are considered less likely to sufferfrom losses connected to damaged reputation or IP theft.FIGURE 5: RISK PROFILE FOR SMESMaterial(could cause abalance sheet loss)SEVERITYHarmful(could impactannual profit)(J)IP theft (A)Death and bodily injuryNetwork security liability (G)Reputational loss(H)(B)(F)Network business interruption(E) Crime/fraudPrivacy event(liabilty and incident response)(C)Low-loss level(no material impacton annual profits)Physical asset damage(I)(D)Cyber extortionData/software damageUnlikely(0.5% -1% chance)Possible( 1% - 5% chance)PROBABILTYLikely( 5% - 25% chance)The Role of Insurance in Managing and Mitigating the Risk • 13
Page 1 and 2: MARCH 2015UK CYBER SECURITYTHE ROLE
Page 3 and 4: FOREWORDThe cyber threat remains on
Page 5 and 6: 1 INTRODUCTIONCyber attacks against
Page 7 and 8: 1. HELPING FIRMS GET TO GRIPS WITH
Page 9 and 10: 3. HELPING LONDON TO BE A GLOBAL CE
Page 11 and 12: The point of attack outlines the vu
Page 13: 4 BUSINESSES AND THEIREXPOSURESRISK
Page 17 and 18: RISK GOVERNANCE AND RISK QUANTIFICA
Page 19 and 20: 5 INSURANCE SOLUTIONS FORCYBER RISK
Page 21 and 22: Figure 9 describes the level of ins
Page 24 and 25: PRICING AND DATA AVAILABILITYAn ana
Page 26 and 27: FIGURE 12: COMPARISON OF CYBER INSU
Page 28 and 29: 7 RECOMMENDATIONSThis report has an
Page 30 and 31: CYBER SECURITY INFORMATION SHARING

k88nFi

Create successful ePaper yourself

Delete template?

Save as template?