If the insurance industry is the ultimate judge of business risk, cyber threat has grown up.
Underwriters now use cyber security ratings to determine a company's liability and offer cyber insurance. These ratings are compiled by a number of startups, which comb through stockpiles of data to rank organizations' security. Like a credit score but for cyber security, the ratings are also used by large companies to determine the preparedness of organizations they work with to weather attacks.
The growth of the cyber insurance industry mirrors the findings of BDO Global's recent Global Risk Landscape 2017 report. For business leaders around the world, cyber risk ranks second among emerging risks most likely to trip up businesses.
The survey canvassed 500 C-suite and senior experts from 55 countries on the complex risk trends shaping their industries. These leaders' objectives, worst nightmares, and best practices reveal a business climate that demands constant monitoring.
Download the report
Ransomed Networks and other Cyber Crime
Headlines over the last two months have once again spotlighted the global rise in cyber crime. In May, the WannaCry ransomware virus crippled computer systems in 150 countries. Key industries were attacked - from Britain's hospital network to Germany's national railway to India's state governments.
Then late last month, the Petya virus struck large organizations in Europe and the U.S., such as law firm DLA Piper and food giant Modelez. While the virus presents itself as ransomware, some security experts have suggested that the Petya perpetrators are intent on causing as much damage as possible, perhaps with a political agenda.
Ransomware threats, where a computer is held hostage for “ransom” money, are proliferating in part due to the enterprise's low barrier to entry. Even criminals with minimal cyber expertise can purchase the computer code online, download it, and distribute it for profit. Ransomware attacks grew by 6,000 per cent in 2016, according to a study by IBM Security.
While Canadian businesses have sustained their share of cyber attacks, we mostly escaped the brunt of WannaCry and Petya. But cyber security experts say a major blow could strike at any time.
The Bank of Canada, in its June financial system review, warned that the country's financial network is especially vulnerable to system-wide contagion. The interconnectedness that has revolutionized the industry for both institution and consumer has also increased its vulnerability. As a result, an attack on one of our financial institutions could zip through the entire network.
Harm wouldn't necessarily stop at the invisible border of the financial system. Lloyd's of London estimates that a state-led attack on the U.S. power grid could cost the economy as much as US$1 trillion.
The Bank of Canada urged all stakeholders to rethink their approach. Competing institutions, it said, should consider the public good and share cyber intelligence. Moreover, the gravity of the situation calls for the bank's own involvement in coordinating cyber defences.
The bank itself has been targeted for cyber theft, part of a trend that has affected other monetary authorities, too. Last year, hackers stole US$81 million from the central bank of Bangladesh, avoiding the arms, balaclavas, and comparative danger of a brick-and-mortar bank heist.
Ransomware has received the bulk of coverage recently, but businesses and possibly consumers are especially sensitive to data breaches. By 2016, the average cost of a data breach had risen to $4 million, according to research by Ponemon and IBM.
Where Do We Go from Here?
Cyber risk is a structural reality that is here to stay. While businesses can – and should – outfit their systems to decrease exposure, cyber criminals will continue their efforts to spot your organization's vulnerabilities. Most likely, professional hacker and cyber security professional will engage in an elaborate two-step for superiority that fails to crown a true victor.
In the meantime, ask yourself some key questions about your organization's readiness.
Have you done all you can to survive an attack and potential loss of data? Are your systems up to date with the latest security software? Have you trained your employees on the protocols that pertain to their role in the organization?
With a lot of preparation and a little luck, you and your business can avoid mention in the next major cyber crime story to dominate headlines.
For more information on how BDO's Risk Advisory team can help you manage cyber risk, contact us.
Author
David Prime
National RAS Partner
CPA, CA; CISA; CIA; CRMA