Mitigating Cyber Risk in the Digital Economy


January 2019

In the global digital economy, cyber risk continues to be a major threat for organisations of all scales. Large-scale cyber attacks have contributed to billions in losses across various industries and left many enterprises in great jeopardy, and the statistics are staggering.

In 2016, Uber reported that hackers stole the information of over 57 million riders and drivers (i), and just last year, renowned fitness gear brand Under Armour reported that its “MyFitnessPal” app was hacked, affecting 150 million users (ii). Financial services have the highest average annualised cost of cybercrime of any industry, at USD18.3 million per organisation, according to the Accenture-Ponemon Institute Cost of Cybercrime Study in 2017 (iii). Ransomware is also on the rise. It is reported that at the end of 2016, a business became a victim of a ransomware attack every 40 seconds. Cybersecurity Ventures, the world’s leading researcher for the global cyber economy, predicts that this will rise to every 14 seconds by 2019 — and every 11 seconds by 2021 (iv).

“It is predicted that a business will become a victim of a ransomware attack every 14 seconds by 2019 and every 11 seconds by 2021.”

Closer to home, giant media group Media Prima was crippled by a ransomware attack in November 2018, forcing it to migrate to an entirely new email system. With the increased connectivity of machines and equipment, every organisation and individual is exposed to cyber risk. Consumers and businesses are shifting from traditional to digital transactions, further exposing them to cyber risks.

Liyana Ang, our Chief Risk Officer, and Andy Chan, our Head of IT, shared some thoughts on tackling the challenges of cyber risk in today’s digitally-driven business landscape and how we can play a part in mitigating those risks.

1. Please tell us, what is cyber risk?
Andy: Cyber risk relates to potential Information Security incidents. Some popular examples are leakage or loss of an organisation’s or personal data, interruptions to operations and even hijacking of identity or devices and espionage. Ultimately, cyber risk has a detrimental impact on the organisation’s operations, finances and/or reputation.


2. What are some major forms of cybercrime aimed towards organisations and also individuals?
Andy: These days, cyber attacks can be very sophisticated, especially when considering that they could involve a state-sponsored attack such as with the Stuxnet worm. Organisations and individuals, however, should at a minimum be adequately prepared for less sophisticated attacks such as phishing, drive-by and free apps or services (for example, free Wi-Fi), as the majority of untargeted attacks are normally done with little financial resources.




3. With the rise of cybercrimes, how can an organisation protect itself from cybercrimes?
Liyana: As with any risk, the risk may be mitigated by putting in place the framework and sufficient resources to mitigate such risks. This may include, for example, developing a cyber security risk management strategy, which will allow for a structured approach to cyber risk management. Subsequently, this approach may reduce risks related to your information assets and protect the organisation from potential cyber attacks.




4. How can an insurance company help organisations better prepare themselves and help them manage risk against cybercrimes?
Liyana: Insurers can help do so by assessing a client’s (whether new or current) situation and advising them on ways to mitigate their cyber risk. Most of the steps will be undertaken by the organisations themselves (be they large or small). Some insurance products offer protection from many of the unanticipated costs incurred by the stakeholders of the organisation should a cyber attack occur.

5. What are some major challenges for risk managers in insurance companies today in dealing with cyber risk?
Liyana: Types of cyber risks are fast changing, so the frameworks and resources that have been put in place have to always be “on the lookout” for any potential risks that may affect an insurer.


The risk and compliance team work closely to monitor any potential risk that might affect the company

6. What are the important steps we can take to ensure that we are safe from cyber attacks?
Andy: As the means to address any risk, organisations and individuals alike should keep themselves informed and be prepared with awareness of basic cyber attack tactics such as the importance of keeping identity and password private as well as develop an innate sense of “no free lunches”.  

Liyana: Yes, and from there, they can make an assessment of any vulnerabilities that they may have with regard to cyber risk. One should then take the necessary steps to mitigate such risks and for business owners, one of the ways would be to purchase suitable cyber insurance as a financial cover.




Andy: Secondly, one should invest in a good anti-malware and anti-virus program which can also detect stealth type activities that may occur without the knowledge of the user. Lastly, to have a good practice and discipline for backups and recovery in the event of data loss.

Organisations should also go further to invest in tools and services that provide additional protection and mitigation against more advanced attacks such as advanced persistent threats (APTs) and monitoring of illegal network, server and user-ID activities. Where possible, automatic quarantine of activities and behaviours that have been identified as very likely threats should be implemented.

Nevertheless, it is impossible to have a 100% infallible defence system. In view of this, cyber insurance should be considered as a mitigation plan for cybersecurity incidents. Similar to other insurance products, the financial relief may assist the team to mobilise recovery or business resumption efforts which may be critical in the early stages of dealing with a cybersecurity incident.


i) 2016 Data Security Incident. Khosrowshahi, Dara. Published 21 November 2017. https://www.uber.com/newsroom/2016-data-incident/
ii) Under Armour Admits Huge MyFitnessPal Data Hack. Lamkin, Paul. Published 30 March 2018. https://www.forbes.com/sites/paullamkin/2018/03/30/under-armour-admits-huge-myfitnesspal-data-hack/#7ecb8a18cc54
iii) Cost Of Cyber Crime Study 2017 Insights On The Security Investments That Make A Difference. Accenture. 2017. https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
iv) Cybercrime Damages $6 Trillion By 2021. Morgan, Steve. Published 7 December 2018. https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/