Cybercriminals don't hang around - they're often at the forefront of tech innovation and network security - just on the wrong side. Big businesses, on the other hand, struggle to move quickly, and usually end up playing catch-up.
So how should multinationals insure against, and mitigate for, the inevitable hack?
Cybercrime is a booming industry
And Forbes estimates the worldwide annual cost of cybercrime will be $6 trillion by 2021.
These numbers illustrate the problem with software based threats: they can easily be cut, copied and pasted to attack devices on a monumental and global scale, unfathomable to the old-fashioned, analogue criminal.
And cybercrime is no longer the sole preserve of highly skilled hackers: websites are popping up selling Ransomware-as-a-Service. For a fee, you can outsource your cybercrime.
For multinationals, it's a case of when, not if, the hack arrives.
The cyber insurance perception gap
Given the likelihood of a cyberattack – “inevitable”, according to most experts – a surprising number of companies have not taken out specific cyber insurance.
In fact, 50% of US firms do not have cyber insurance. And that number may be even less, as one report showed five times as many CEOs think their companies have cyber insurance than is actually the case.
This is changing however, as cybercrime becomes more prevalent, and more notorious: Large-scale attacks such as WannaCry took down companies and databases across the world, including the NHS in the UK.
Cyber insurance is not a legal requirement at the moment, but governments and regulatory bodies are starting to take threats more seriously. EU regulations – such as GDPR – are predicted to cause an uptick in cyber insurance purchases, and the UK government launched a Cyber Essentials Certification, encouraging companies to consider how they protect themselves, and also reducing premiums should they have it.
The cost of cybercrime
So what does a cyber insurer insure against? The UK government, working with insurance firms, allocated cybercrime losses into eleven categories:
1. Intellectual Property theft – the loss of an IP asset, expressed in terms of lost revenue.
2. Business interruption / critical failure – loss of profit due to unavailability of IT systems.
3. Data and software loss – the cost to reconstitute data or software that has been deleted or corrupted.
4. Cyber extortion – the cost of expert handling for an extortion incident, combined with the amount of the ransom payment.
5. Cybercrime / cyber fraud – the direct financial loss suffered by an organisation arising from the use of computers to commit fraud or theft of money, securities, or other property.
6. Breach of privacy event – the cost to investigate and respond, including IT forensics, notifying those affected, third-party liability claims arising from the same incident, and fines from regulators.
7. Network failure liabilities – third-party liabilities arising from certain security.
8. Impact on reputation – loss of revenues arising from an increase in customer churn or reduced transaction volumes.
9. Physical asset damage – loss due to the destruction of physical property resulting from cyber attacks
10. Death and injury – liability for death and bodily injuries resulting from cyber attacks.
11. Investigation and response costs – direct costs incurred to investigate and “close” the incident and minimise post-incident losses.
Other than insurance, how do multinationals insure against cybercrime?
Insurance won’t stop an attack. So how can multinationals minimise the threat?
Invest in the latest tech – the newer the tech, the more secure it will be – as cyber criminals have had less time to work through its defences.
Invest in people and processes – employ a Chief Digital Officer to oversee the implementation and upkeep of cybersecurity. Many hacks happen because of human error, so water tight processes coupled with proper training can minimise risk.
Hack yourself – if a multinational can find its IT vulnerabilities before the criminals, it can patch them first too.
Anti-virus software – obviously.
Trusted IT partners – outsourcing your IT outsources the responsibility. For example, NSC supply up to date tech, design secure networks managed by security experts, and purchase cyber insurance on behalf of our clients. The broad cyber security expertise we have, gathered from working with many world-class multinationals, is invaluable in this space.
Smart networks – tech itself is helping fight cybercrime: the new Cisco smart network can anticipate, halt and remedy hacks, and learn from these over time to become even more secure.
Encryption – blockchain technology is making encryption even more powerful: data can be split across multiple servers, only remade in a coherent unit with private keys, making a hack almost impossible.
Hybrid cloud – the hybrid cloud introduces siloed networks to organisations, which means the impact of hacks are minimised as data isn’t centralised.
Cyber resilience – cyber resilience is having a plan, a protocol and the personnel to cope with the inevitable hack. Being well drilled can be the difference between getting a business quickly back on track with no revenue or reputation loss, and watching your share price tumble.
Cyber resilience must include appointing a board risk committee that functions independently of the executive management, whose recover plan links finance, operations and reputation.
The cybersecurity solution?
Every tactic to counter cybercrime is not equal, but neither is there one solution to the threat.
In sport, there is a concept of ‘marginal gains’. It means finding small, incremental improvements in every area, that all add up to a significant improvement. The same should be applied to cybersecurity – the most effective method of securing an organisation must be to optimise defences everywhere possible.
This, of course, is not without expense, so outsourcing your IT is an effective way to get security in a changing and challenging environment at a fixed price. Equally, cyber insurance is not cheap, but can avoid company-destroying disasters down the line.
Cybercrime is a constantly mutating threat, so what works today may not tomorrow. Whether an organisation does its cybersecurity in-house, or works with a partner organisation such as NSC, it is imperative to hold regular reviews to keep analysing, updating and evolving cybersecurity.
Benjamin Franklin said "in this world nothing can be said to be certain, except death and taxes”. We can add cybercrime to that.