CIO Review >> Magazine >> October - 2016 issue

Cyber risks: Balancing Innovation and Resilience


Marsh is a global leader in insurance broking and risk management. Marsh helps clients succeed by defining, designing, and delivering innovative industry-specific solutions that help them effectively manage risk. Marsh’s approximately 30,000 colleagues work together to serve clients in more than 130 countries. Marsh is a wholly owned subsidiary of Marsh & McLennan Companies (NYSE: MMC), a global professional services firm offering clients advice and solutions in the areas of risk, strategy, and people.

The crimes of our childhood aren’t there anymore. The masks, the gunmen, the bank-heists, the double crossings are now just part of Bollywood films more than anything else.

Today’s crimes are dominated by an upgraded and ever-evolving criminal: the cyber-criminal, who has taken innovation to a completely different level. With nearly one million new malware threats released every day, it’s not a surprise that more than 70 percent of Indian companies have suffered a cyber-attack in the past two years, according to a KPMG report, Cybercrime Survey Report 2015.

Cyber-attacks present a unique challenge for information security professionals. The dilemma for Chief Information Security Officers (CISOs) today is that they have to guard their systems against every such attack, whether an old threat or a probable one. Cyber-criminals, on the other hand, need to find just a single vulnerability, using the thousands of new tools at their disposal. No information security professional, therefore, can guarantee 100 percent protection against cyber-threats.

No wonder the dark economy of cyber-crime is thriving, resulting in a loss of about 450 billion USD a year across the world, according to estimates by many different organizations, including the Center for Strategic and International Studies.

When technologies such as the internet of things (IoT), cloud computing, and industrial control systems (ICS) converge, and converge they have in the past few years, there is practically no upper limit to the losses that an organization, or an industry, may have to bear.

Consider the following examples:

• The attack tradecraft used in the well-publicized 2013 data-breach case of a US retailer, which cost the company more than 160 million USD after accounting for expected insurance proceeds, reportedly originated at one of the HVAC (heating, ventilation, and air conditioning) vendor’s systems. The tradecraft travelled through the connected IT infrastructure and proceeded to the handheld POS device.

• In another example, a worm called “Stuxnet”, used by the attackers of a nuclear power plant in the Middle East, entered the company’s systems from a worker’s thumb drive, worked its way through the Windows OS, reached the ICS/SCADA systems, and ultimately damaged the expensive centrifuges of the uranium enrichment machinery. The financial impact was unreported, but involved significant costs, including property loss, business interruption, and expenses such as forensics and IT audits incurred by the company.

• In a more recent example, the federal bank of a South Asian country lost over 80 million USD in the biggest cyber-heist in history. While the facts of the case are slowly becoming known, it is believed that the user interface of the international payment network – SWIFT – was compromised and the connected network across Asia, US, Sri Lanka, and the Philippines was used as a conduit for laundering the stolen money.

Interconnected ecosystems, which are the building blocks of the rapidly changing technology in the world, create room for hackers and criminals to wreak havoc. Does it then follow that there is always a trade-off between technological advances and the financial losses caused by cyber-crimes?
Thankfully, the answer to that question is no. Organizations can develop a cyber resilience plan.
The question to prepare for is not just whether you will get attacked, but also how prepared you are when you do!

Building resilience and preparing for any eventuality

Cyber insurance policies can go a long way in building the resilience of organizations. These policies have become popular in mature markets, such as the US and the UK, in the past 8-10 years. India, however, woke up to this niche concept only about three years ago. In these three years, though, the cyber insurance segment has experienced more dynamism, adaptation, and innovation than most other insurance products.

Initially, cyber policies provided limited cover. They protected organizations from the expenses arising from lawsuits filed by their customers in the event of a data-breach. Therefore, it made sense to buy cyber insurance only if an organization handled sensitive client data.

In recent years, the coverage of cyber policies was enhanced. It added business interruption losses and self-expenses associated with data-breach incidents, including costs related to crisis management, IT forensics, and credit monitoring.