Cybercriminals today are devising increasingly sophisticated traps and tricks to commit fraud or disrupt business. Chris McGloin, chairman of Airmic, and vice-president of risk management and insurance for Invensys, explains to Steve Dunkerley that common-sense risk management and carefully crafted cyber-insurance policies may be the answer.
In early May, football fans eager to snap up World Cup tickets from StubHub, the online ticket vendor owned by eBay, were advised to use the official FIFA website instead, as Stubhub had just suffered a large denial-of-service (DoS) cyberattack, causing its Brazilian website to shut down. At the same time, fans were also told to remain vigilant for scams involving fake FIFA websites and rogue mobile apps capable of infecting devices with viruses and accessing personal data.
Cybercrime is rife, and it is exploiting the mushrooming volume of connected people and devices. According to the 2013 Lloyds risk index, cybercrime has become the third-biggest risk to companies, after taxation and loss of customers. Broadly, there are two crimes: the first is the disruptive, destructive type that attacks computers, systems and networks, and involves viruses, worms, Trojan Horses, botnets and the like; the second are the crimes facilitated by the use of computer networks or devices, such as fraud or the dissemination of illegal content.
The CFO sweet spot
With the advent of BYOD (bring your own device) in the workplace, businesses now need protection from cyberthreats created by employees accessing the internet in their personal and business life. Added to this is the ease with which vast amounts of data can be moved around via 4G networks and stored on ever-cheaper media, including cloud servers. Chris McGloin, chairman of Airmic, and vice-president of insurance and risk at Invensys, argues that cyberthreats are far from an issue reserved for the IT department.
"Cyber-liability is very much in the CFO sweet spot, because CFOs often have responsibility for IT and infrastructure - and certainly the expenditure on IT and infrastructure - so the CIOs will be talking to the CFOs about the issues that are going to have a direct impact on the management of data, information and interruption of the business. The CFOs are therefore pretty well tuned-in to this now."
While the CFO is being proactive, McGloin advises that companies continue to maintain a common-sense risk management strategy in order to mitigate new threats such as 'false flag' attacks, whereby criminals use tricks such as a fake 'change your password' alert to hoodwink users into revealing sensitive account information.
"There have been many recent newspaper stories about false flags," says McGloin. "The first advice was to change your passwords, but then it was 'no, don't do that!'.
"It reminds you that you probably cannot stop people inventing code that could cause lots of problems. You just have to make sure you have the right sort of physical and electronic firewalls to protect yourself. Then, if you cannot always prevent the occurrence, make sure you can minimise the impact.
"The old-fashioned risk management approach of the right effective risk assessment leading to security measures, combined with the right response, becomes important. I think people don't really realise that established approaches can be used to deal with new and emerging risks."
Moving with the times
McGloin argues that, while traditional insurance policies include coverage for perils that may have been triggered by cyber-events, other cyber-events will be excluded, either by accident or design, leaving the insured uncertain as to the efficacy of the policy.
Insurers have sought to address this by developing cyber-specific insurance policies to address some of the gaps in traditional offerings. These can address data liability, network security, network interruption, cyber-extortion and related fees, and insurable fines or penalties, as well as costs associated with the crisis response.
"For many buyers, a better approach is to seek to broaden the scope of their traditional insurance policies to include cyber-related risks," says McGloin. "A well-drafted directors and officers policy should not exclude a director's liability for cyber-risks, although the usual challenges exist to ensure that coverage applies as intended by the buyer."
According to McGloin, to ensure that companies are protected means ensuring that the intentions of the insured and the insurer are properly aligned. "To a large extent, alignment can be achieved by scenario analysis to allow the parties to outline those events that are intended to be covered and those that are excluded," he explains.
"Once the expectations are aligned, it should be the task of the broker to work with the insurers to develop the pre-inception processes and claim procedures to avoid unexpected problems at the time of an insured event."
A significant challenge noted by McGloin is to ensure that any standalone cyberpolicy links seamlessly with the other policies to eliminate claim problems. Again, the broker should take responsibility for this, and ensure claims notification and handling procedures are understood and agreed.
"All companies should develop crisis response plans to help them prepare for major adverse events, and safeguard their business and their reputation. The potential impact of cyberthreats should be considered alongside plans for other threats and crises. Such plans have to be established as an enterprise-wide strategy," he concludes.