By the time they head out for lunch on any given day, your employees and suppliers have been approached through multiple online channels: smartphone, home Wi-Fi, public Wi-Fi, company email, personal email, social media and other points of exposure too numerous to elaborate on. Adversaries are intrepid and imaginative in targeting our weakest links, and we underestimate them at our peril.
Up to 80% of companies’ valuation today resides in intellectual property and trade secrets. And strikingly, according to BlackOps Partners, an international cyber espionage firm, it is estimated that U.S. companies quietly lose over $5 trillion of this value each year to adversaries who steal trade secrets and use them to enter the market as cheaper, direct competitors with identical value propositions.
Every company in every industry is the next potential hit. In fact, companies, governmental entities and individuals are being cyber-attacked at an estimated rate of over 1,000 times a day. Our adversaries exploit America’s history of innovation and openness, as well as our own economic espionage laws, to their advantage and to our great loss. In many cultures, economic espionage is mandatory, trained for and rewarded. Such activities are illegal in the U.S., but we are playing in a global marketplace, largely with our “eyes wide shut.” This cannot continue at the rate that it is, as it impacts the value of our businesses and our way of life.
What does this mean for your company and its ongoing viability? How can you protect your trade secrets and maintain a competitive advantage without sacrificing shareholder value?
A perfect storm
The ubiquity of technology has created a perfect storm for cyber-attacks and industrial espionage, with the rapid acceleration of several factors:
Using technology to commit unlawful acts is certainly not limited to massive security breaches. At a much less sophisticated level, we have individuals hacking into human resource databases or filing fraudulent tax returns. Further, the internet is not the sole domain of espionage. There are documented cases of agents from foreign nations stealing agricultural products from farms and storage facilities.
If your IP (Intellectual Property) and/or brand equity were to evaporate by 5, 10, 25 or 50%, what would be the corresponding impact on your share price? How are you covered for this, and what does it mean to be covered for this?
The current state of risk transfer
Last year, the number of cyber insurance policies sold to retailers, hospitals, banks and other businesses jumped 20%, according to Marsh LLC, a global insurance brokerage firm. One in three companies now has insurance to specifically protect against losses from cybercrime. However, many existing cyber liability products are outdated, have inadequate language, and are irrelevant from a protection and/or restitution perspective, making them inadequate for the state of risk. Further, cyber insurance is constantly evolving; hence a company must have a robust and dynamic loss-prevention strategy woven into its overall risk management strategy. Ultimately, the costs of these policies are shifted to consumers. This state of affairs is failing both clients of the insurance industry and the industry itself.
At this point in time, the insurance industry has a significant role to play within the value chain to help shape a true offensive model for combatting cybercrime. If the industry, specifically risk and loss management professionals, carriers, reinsurers, brokers and claims entities, does not begin to address this opportunity holistically - not simply raising prices on existing or new products - then we all suffer, since it is actual economic value that evaporates and does not return to seed new growth. The insurance industry has ample experience protecting itself and insureds from the imprudent decisions of some insureds. A similarly vigilant approach to protection must now be transferred to the risk of cyber theft and espionage.
The types of coverage contained in policy forms are certainly evolving as the risks evolve and competitive forces come into play. It is typically the case that if you have seen one cyber liability policy, the next cyber liability policy you see from another insurer will be different – leading to uncertainty and potential gaps in coverage. For example, a relatively new breed of cybercrime, “cyber extortion,” which has been termed the new kidnapping and ransom exposure, involves viruses holding corporate data hostage for ransom. Events of this nature are not presently covered under most cyber liability forms.
What hill to climb…
Faced with a creative and persistent enemy, it becomes a fiduciary obligation to combine cyber and other security measures with programmatic insurance/risk management efforts founded on a proactive pre-loss mitigation strategy. What this means in reality is that a cyber-liability policy or program is just one piece of the puzzle, and a proactive insurer will have a complete loss prevention and reaction program encompassing the technological and human elements, the latter of which is often overlooked or downplayed. In nearly every cyber breach, the human element facilitated the breach. And in many cases, the breach was staged to cover up the actions of an insider. Key here is utilizing sophisticated human and intellectual capital to advantage, prior to problems occurring!
The foundation of a new model for cyber security strategy must bring the human factor into the IT/physical/financial equation. Any cyber security strategy or policy is grossly incomplete if the human element is not addressed with a high degree of efficacy. This argument is poignantly stated: “Cyber is just the canary. Immediately addressing the human element is paramount.”
So how does the insurance industry begin to drive change and be a “white knight” in this new war?
Lack of clarity on unified technical coverage points and applied learnings to policy form creation and coverage are just some of the key hurdles to overcome. Yes, we can redesign cyber forms and coverage to be more lucid and current. Yes, first-party and third-party damages will remain, and we need to have BI and CBI covered. But what will innovative insurers begin to do to aid their clients and change the industry dynamic to one that is proactive vs. reactive, such as associating loss of value with an electronic breach of trade secrets? Ultimately, if actions like these are taken, insurers stand the chance to improve their own loss experience as well.
The white knight and the corporate angle
The insurance industry can lead the move to become more resilient. That's not a new role for risk professionals, but one the industry has pioneered for decades – however, every player in the industry does not move simultaneously, and change can come slowly. The industry will need to utilize alternative risk transfer mechanisms and fast-track regulatory approval for new types of innovative products, such as ILS/Capital Market and/or captive use products.
The ability to provide products that keep pace with technological and social change, such as the pervasive use of social media and requisite data usage, will become table stakes. Quid pro quo in this intricate dance of insurance and insured is effective public and private enterprise involvement. It will require an acceptance, incumbent on all of us, to maximize a safe cyber environment. Insurance can play a significant role in safeguarding our entrepreneurial spirit and prowess, and regulators must be willing to move forward with innovative products.
Finally, companies must bring their own power to bear. Senior leadership must act as the catalyst to ensure that requisite protection is present to safeguard value, constituents, shareholders and customers. To do this, they must become the driving force in implementing risk management programs and putting necessary security levers at their disposal to protect intellectual property and competitive advantage. Again, this should be seen as the fiduciary responsibility of senior executives and directors of companies.
Every company must transform its mindset and develop a protective and proactive security strategy – involving every employee, contractor and supplier. Consider it “reverse table stakes” - your employees, contractors and suppliers are continuously pursued for the spoils of economic warfare that a competitor or industrial nation-state can monetize to their advantage. We have entered into a new era of pervasive technology and resulting exponential vulnerabilities. Senior executives and boards have no choice but to get in the game and drive efforts to ensure the sustainability of their value and competitive advantage.
The key takeaways that organizations must begin to compile and weave into their corporate fabric are:
The return on investment for holistic security is your company’s survival. While insurance can be a white knight in the fight against cyber espionage and theft, it is also evident that insurance cannot be the only alternative to far-sighted mindfulness and proactive defense. A partnership of insurance and corporate vigilance will form the most effective offense – always the best defense!