Examining the costs and causes of cyber incidents

23 Apr 2019
The Guardian Reporter
The Guardian

In 2013, US President Barack Obama signed an executive order designed to help secure the nation’s critical infrastructure from cyber attacks.

As part of that order, he directed the National Institute of Standards and Technology (NIST) to develop a framework that would become an authoritative source for information security best practices. Because adoption of the framework is voluntary, it faces the challenge of incentivizing firms to follow it.

Will frameworks such as that proposed by NIST really induce firms to adopt better security controls? And if not, why? This research seeks to examine the composition and costs of cyber events, and attempts to address whether or not there exist incentives for firms to improve their security practices and reduce the risk of attack.

Specifically, we examine a sample of over 12 000 cyber events that include data breaches, security incidents, privacy violations, and phishing crimes.

First, we analyze the characteristics of these breaches (such as causes and types of information compromised). We then examine the breach and litigation rate, by industry, and identify the industries that incur the greatest costs from cyber events. We then compare these costs to bad debts and fraud within other industries.

Cyber-insurance is an insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities.

Risks of this nature are typically excluded from traditional commercial general liability policies or at least are not specifically defined in traditional insurance products.

Coverage provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security-audit, post-incident public relations and investigative expenses, and criminal reward funds.

Because the cyber-insurance market in many countries is relatively small compared to other insurance products, its overall impact on emerging cyber threats is difficult to quantify.

As the impact to people and businesses from cyber threats is also relatively broad when compared to the scope of protection provided by insurance products, insurance companies continue to develop their services.

As insurers pay out on cyber-losses, and as cyber threats develop and change, insurance products are increasingly being purchased alongside existing IT security services. Indeed, the underwriting criteria for insurers to offer cyber-insurance products are also early in development, and underwriters are actively partnering with IT security companies to develop their products.

As well as directly improving security, cyber-insurance is enormously beneficial in the event of a large-scale security breach. Insurance provides a smooth funding mechanism for recovery from major losses, helping businesses to return to normal and reducing the need for government assistance.

Finally, insurance allows cyber-security risks to be distributed fairly, with cost of premiums commensurate with the size of expected loss from such risks. This avoids potentially dangerous concentrations of risk while also preventing free-riding.  

Information technology is an inherent facet of virtually all modern businesses; the requirement for a separate product exists only because of a deliberate scoping exercise that excluded theft and damage associated with modern technologies from the existing product lines.

Bruce Schneier has postulated that existing insurance practices tend to follow either the "Flood or Fire" model; however, cyber events do not appear to be modeled well by either of these event types. This has led to a situation where the scope of cyber insurance is further restricted to decrease the risk to the underwriters.

Compounding this is a paucity of data relating to actual damage correlated with the type of event, a lack of standards associated with the classification of events, and a lack of evidence associated with the efficacy of "industry best practices".

Insurance relies upon sound actuarial data against a largely static background of risk. Given that neither exists at present, it is unlikely that buyers of these products will achieve the value outcomes they desire.

This view of the market is reflected in its current state, where standard exclusions result in a situation in which "an insurer could argue they apply to almost any data breach".

Early works in the 1990s focused on the general merits of cyber-insurance, or on protocols borrowed from digital cash to enable risk reallocation in distributed systems.

In the late 1990s, when the business perspective of information security became more prominent, visions of cyber-insurance as a risk management tool were formulated.

Although its roots in the 1980s looked promising, the market for cyber-insurance, battered by events such as Y2K and the 9/11 attacks, failed to thrive and remained a niche for unusual demands.

Coverage is tightly limited, and clients include SMBs (small and medium businesses) in need of insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations.

One of the first cyber liability policies, as we now call them, if not the very first, was developed for the Lloyd's of London market in 2000.

The policy was spearheaded by Keith Daniels and Rob Hamesfahr, then attorneys with the Chicago, IL law firm of Blatt, Hammesfahr & Eaton.

Developed in close cooperation with Ian Hacker, then a Lloyd's underwriter, and Ted Doolittle and Kinsey Carpenter, then brokers with Kinsey Carpenter, a San Francisco, CA insurance broker, the policy provided third-party coverage along with business interruption coverage.

In those early days, it was thought that a major risk would be for a company to negligently transmit a virus that could infect other companies' systems, which would then bring suit against the original company, in addition to the risk of business interruption.

The policy was also one of the first to include first-party and third-party coverage in the same form. While such errors and omissions have likely happened, suits against organizations on this basis have proven rare.

The focus of forms developed since 2000 has been on business interruption, payment of fines and penalties, credit monitoring costs, public relations costs, and the cost of restoring or rebuilding private data; these forms continue to expand and evolve today.

In addition, technology errors and omissions policies are now sold with third-party coverage to organizations such as programmers and technology installers, who could be sued if their advice or product fails to satisfy their clients.

Other early entrants to the cyber market included American International Group (AIG) and Chubb. Today, there are more than 80 companies competing in the cyber market.

Even a conservative 2002 forecast, which predicted a global market for cyber-insurance worth $2.5 billion in 2005, turned out to be five times higher than the actual size of the market in 2008. Overall, in relative terms, the market for cyber-insurance shrank as the Internet economy grew.

In practice, a number of obstacles have prevented the market for cyber-insurance from achieving maturity: the absence of reliable actuarial data to compute insurance premiums, a lack of awareness among decision-makers contributing to too little demand, and legal and procedural hurdles were all identified in the "first generation" of cyber-insurance literature up to about 2005. The latter aspect may cause frustration when claiming compensation for damages. Furthermore, entities considering cyber-insurance must undergo a series of often invasive security evaluation procedures, revealing their IT infrastructures and policies. Meanwhile, witnessing thousands of vulnerabilities, millions of attacks, and substantial improvement in defining security standards and computer forensics calls into question whether these factors causally explain the lack of an insurance market.

In the same vein, a specialist insurance brokerage firm in Tanzania, Howden Puri, is set to launch a Cyber Risk Insurance product with a particular focus on offering cyber security services for companies, organizations and individual clients in Tanzania.

Upon the launch of the product, scheduled for a future date, Tanzania will become the first country in Africa to access such a cyber product, designed to offer protection against massive cyber breaches, business interruption, loss of brand value, and more. The world is now almost entirely digital, with technological advancements such as cloud systems, which most corporate companies now use to store their data and which are therefore at risk of being attacked by hackers.


Umesh Puri, the firm’s Chief Executive Officer (CEO), revealed this during a seminar on Cyber Risk organized by Howden Puri and the British Business Group.

“Tanzania should be proud that we are now advancing at the same pace as the rest of the world in terms of innovation. This product that we will bring to the market is already being used by companies around the world and offered by the Howden Broking Group. There is a plan to extend the Cyber Risk product to other East African countries like Kenya, Uganda and Rwanda in the future,” said the CEO.


“I acknowledge that there might be other cyber products in Africa already, but they are not offering the product in the way we are proposing. Further product specifications and what it will cover, as well as the pricing, will be announced in the near future as well,” said Mr Puri.

In his presentation, delivered through a short film titled ‘Cyber Hurricane’ during the seminar on Tuesday night, the firm’s Global Head of Cyber, Shay Simkin, warned that companies and organizations were at high risk of being hacked due to an increasing number of cyber-attacks attributable to technological advancement.


“There are external and internal cyber mechanisms, such as malware and cybercrime, that impose cyber threats on companies around the world. Therefore, it is surely a wake-up call for organizations to make sure they secure cyber insurance in order to remain secure,” said Simkin.


Referring to other cyber threats that can expose companies to being hacked, the cyber expert further pointed out that improper disposal of electronic devices and a lack of education and awareness among employees could contribute to cyber-attacks.