IP theft, extortion and interruption - a new generation of cyber risks
CFOs should prepare for a new generation of cyber risks which are fast evolving, moving beyond the established threats of data breaches, privacy issues and reputational damage to operational damage, business interruption and even potentially catastrophic losses. A new report – A Guide to Cyber Risk: Managing The Impact of Increasing Interconnectivity – examines the latest trends in cyber risk and emerging perils around the globe.
Cyber risk is a major and fast-increasing threat to businesses, with cyber-crime alone costing the global economy approximately $445 billion a year and the South African economy R6 billion.
Tougher regulatory regimes and new cyber perils
Increasing awareness of cyber exposures as well as regulatory change will propel the future rapid growth of cyber insurance. With fewer than 10% of companies currently purchasing cyber-specific policies, AGCS forecasts that cyber insurance premiums will grow globally from $2 billion per annum today to over $20 billion over the next decade, a compound annual growth rate of over 20%. Legislative developments on cyber security and personal data protection and increasing levels of liability will see growth accelerate on the continent.
In South Africa the Protection of Personal Information Act 4 of 2013 (POPI) was signed into law in November 2013 to define personal information and the processing thereof. A regulatory body referred to as the "Information Protection Regulator" will be established to ensure compliance with the Act. Recently, the Department of Justice and Constitutional Development has also published a draft Cybercrimes and Cyber security Bill for public comments.
It is imperative for intergovernmental bodies such as SADC, ECOWAS and others to agree on data protection rules in line with expected guidelines on a country-by-country basis. Previously, attention has largely been focused on the threat of corporate data breaches and privacy concerns, but the new generation of cyber risk is more complex: future threats will come from intellectual property theft, cyber extortion and the impact of business interruption (BI) following a cyber-attack or from operational or technical failure, a risk which is often underestimated. Within the next five to 10 years BI will be seen as a key risk and a major element of the cyber insurance landscape.
Connectivity creates risk
Increasing interconnectivity of everyday devices and growing reliance on technology and real-time data at personal and corporate levels, known as the 'Internet of Things', creates further vulnerabilities. Some estimates suggest that a trillion devices could be connected by 2020, while it is also forecast that as many as 50 billion machines could be exchanging data daily.
While there have been some very large data breaches, a catastrophic loss is becoming more likely, although exactly what it will look like is difficult to predict.
Responding to cyber risk
The AGCS report highlights steps companies can take to address cyber risk. Insurance can only be part of the solution, with a comprehensive risk management approach being the foundation for cyber defense. Purchasing cyber insurance does not mean that you can ignore IT security. Cyber risk management is too complex to be the preserve of a single individual or department, so AGCS recommends a 'think-tank' approach to tackling risk whereby different stakeholders from across the business collaborate to share knowledge.
In this way, different perspectives can be challenged and alternative scenarios considered. In addition, cross-company involvement is essential to identify key assets at risk and, most importantly, to develop and test robust crisis response plans.