By the time they head out for lunch on any given day, your employees and suppliers have been approached through multiple online channels: smartphone, home Wi-Fi, public Wi-Fi, company email, personal email, social media, and other points of exposure too numerous to elaborate on. Adversaries are intrepid and imaginative in targeting our weakest links, and we underestimate them at our peril.
Up to 80% of companies’ valuation, today resides in intellectual property and trade secrets. And strikingly, according to BlackOps Partners, an international Cyber Espionage firm, it is estimated that U.S. companies quietly lose over $5 trillion of this value each year to adversaries who steal trade secrets and use them to enter the market as cheaper, direct competitors with identical value propositions.
Every company in every industry is the next potential hit. In fact, companies, governmental entities, and individuals are being cyber-attacked at an estimated rate of over 1,000 times a day. Our adversaries exploit America’s history of innovation and openness, as well as our own economic espionage laws, to their advantage and to our great loss. In many cultures, economic espionage is mandatory, trained for, and rewarded. Such activities are illegal in the U.S., but we are playing in a global marketplace, largely with our “eyes wide shut.” This cannot continue at the rate that it is, as it impacts the value of our businesses and our way of life.
What does this mean for your company and its ongoing viability? How can you protect your trade secrets and maintain a competitive advantage without sacrificing shareholder value?
A perfect storm
The ubiquity of technology has created a perfect storm for cyber-attacks and industrial espionage, with the rapid acceleration of several factors:
- Social media, mobile device, and cloud usage, and a willingness to use these technologies across a broader range of constituents
- The level of sophistication among attackers, often on par with our defenses
- A technology-based infrastructure with elements that are in many cases linked, frequently containing a weak link
- Cross-border and geo-strategic incursions from legitimate nation-states and rogue actors dedicated to reaping economic or other types of gains
Using technology to commit unlawful acts is certainly not limited to massive security breaches. At a much less sophisticated level, we have individuals hacking into human resource databases or filing fraudulent tax returns. Further, the internet is not the sole domain of espionage. There are documented cases of agents from foreign nations stealing agricultural products from farms and storage facilities.
If your IP (Intellectual Property) and/or brand equity were to evaporate by 5, 10, 25, or 50%, what would be the corresponding impact on your share price? How are you covered for this, and what does it mean to be covered for this?
The current state of risk transfer
Last year, the number of cyber insurance policies sold to retailers, hospitals, banks, and other businesses jumped 20%, according to Marsh LLC, a global insurance brokerage firm. One in three companies now has insurance to specifically protect against losses from cybercrime. However many existing cyber liability products are outdated, have inadequate language, and are irrelevant from a protection and/or restitution perspective, making them inadequate for the state of risk. Further, cyber insurance is constantly evolving; hence a company must have a robust and dynamic loss-prevention strategy woven into its overall risk management strategy. Ultimately, the costs of these policies are shifted to consumers. This state of affairs is failing both clients of the insurance industry and the industry itself.
At this point in time, the insurance industry has a significant role to play within the value chain to help shape a true offensive model for combatting cybercrime. If the industry, specifically risk and loss management professionals, carriers, reinsurers, brokers, and claims entities, does not begin to address this opportunity holistically - not simply raising prices on existing or new products - then we all suffer, since it is actual economic value that evaporates and does not return to seed new growth. The insurance industry has ample experience protecting itself and insureds from the imprudent decisions of some insureds. A similarly vigilant approach to protection must now be transferred to the risk of cyber theft and espionage.
The types of coverage contained in policy forms is certainly evolving as the risks evolve and competitive forces come into play. It is typically the case that if you have seen one cyber liability policy, the next cyber liability policy you see from another insurer will be different – leading to uncertainty and potential gaps in coverage. For example, a relatively new breed of cybercrime, “cyber extortion,” which has been termed the new kidnapping and ransom exposure, involves viruses holding corporate data hostage for ransom. Events of this nature are not presently covered under most cyber liability forms.
What hill to climb…
Faced with a creative and persistent enemy, it becomes a fiduciary obligation to combine cyber and other security measures with programmatic insurance/risk management efforts founded on a proactive pre-loss mitigation strategy. What this means, in reality, is that a cyber-liability policy or program is just one piece of the puzzle, and a proactive insurer will have a complete loss prevention and reaction program encompassing the technological and human elements, the latter of which is often overlooked or downplayed. In nearly every cyber breach, the human element facilitated the breach. And in many cases, the breach was staged to cover up the actions of an insider. The key here is utilizing sophisticated human and intellectual capital to advantage, prior to problems occurring!
The foundation of a new model for cybersecurity strategy must bring the human factor into the IT/physical/financial equation. Any cybersecurity strategy or policy is grossly incomplete if the human element is not addressed with a high degree of efficacy. This argument is poignantly stated: “Cyber is just the canary. Immediately addressing the human element is paramount.”
So how does the insurance industry begin to drive change and be a “white knight” in this new war?
- As part of the underwriting process, require policyholders to include, in a formalized fashion within board governance, cybersecurity as a board-reported item.
- Every CEO and board must take action or face lawsuits, fines (personal and corporate), stock devaluation, profitability impact (short- and long-term), or at minimum, an embarrassment of the entity they are trying to help.
- Every senior executive and board member with a fiduciary role must take up the mantel to institute change. CIOs and CISOs must be new-breed, proactive information security champions, reporting directly to the CEO. They must operate from the same playbook, with the same business rationale. Finding vulnerabilities must be rewarded. Every board meeting needs to make this an ongoing area of focus to measure.
- Every senior executive and board member is put at significant financial and personal risk since they are in the limelight of their company’s failings.
- Develop a comprehensive scan during the front portion of the risk transfer process, adjudicating for the size of the firm. How plausible is it that the dry cleaner down the street, which has customer phone numbers, could be hacked, beginning a cycle with entry into a larger company? Even small businesses are at risk, and attacks on them can impact many elements of the economic chain.
- Most existing security programs are antiquated and made for another time and another breed of opponent. By design, these policies have proven defective, with most barriers easily penetrated. Conversely, a top-down, proactive, offensive security program affords the best measure of advanced protection along with the pre-loss perspective required to effectively address current threats.
- The loss prevention program, as an example, could be modeled on the DHS Cybersecurity Framework, which is designed to integrate standards, best practices, and guidelines to meaningfully improve critical infrastructure security. It is also designed to help organizations understand, communicate and manage their cyber risks. For organizations that don’t know where to start, the Framework provides a roadmap. For organizations with more advanced capabilities, it offers a methodology to better align the CEO and board with the management of cyber risks.
- The new model is designed to reinforce the connection between business drivers and cybersecurity activities.
- At the core of this new model is a set of activities and strategies focused on five functional areas -- Identity, Protect, Detect, Respond, Recover -- that seek to illuminate a high-level view of an organization’s cyber risk management. Companies can use the profiles to understand their current cybersecurity state, support prioritization, and measure progress toward a target state of security.
- While the marketplace is demanding insurance products, there are considerable hurdles to overcome, fundamentally around the ability to appropriately price or “box” the risk; similarly, as with extensive property catastrophic risk, there is a question of who is the insurer of last resort, e.g. who covers the electric grid nationwide when it is pulled down by an attack? Other questions that need to be addressed include:
- What is the coverage for regulatory investigations and proceedings?
- How should notification and reporting costs be handled?
- Is there real legal precedent for third-party civil liability for data breaches (including shareholders and employees)?
- Can we really model losses sustained as a result of criminal activity?
- What is the appropriate way to calculate reputational damage based on a large-scale breach?
- How should personal liability protection for senior officers be incorporated, especially if the organization is deficient in proactive defensive programs?
Lack of clarity on unified technical coverage points and applied learnings to policy form creation and coverage are just some of the key hurdles to overcome. Yes, we can redesign cyber forms and coverage to be more lucid and current. Yes, first-party and third-party damages will remain, and we need to have BI and CBI covered. But what will innovative insurers begin to do to aid their clients and change the industry dynamic to one that is proactive vs. reactive, such as associating loss of value with an electronic breach of trade secrets? Ultimately, if actions like these are taken, insurers stand the chance to improve their own loss experience as well.
- Require the creation of a plan designed to address what happens and what actions a firm must take if there is a breach, including the usage of industry experts to help mitigate the damage - all the way through post-breach and media management.
- Require an employee training program that could be delivered online and cover the following key elements: keep identified data on a “need to know” basis with passwords that are changed frequently; train employees on proper care and control of customer information; basic overview of PII and how not to leave it at risk; start with a mantra in the company to be protective and define to your employee base what is cyber risk and how to minimize it.
The white knight and the corporate angle
The insurance industry can lead the move to become more resilient. That's not a new role for risk professionals, but one the industry has pioneered for decades – however every player in the industry does not move simultaneously, and change can come slowly. The industry will need to utilize alternative risk transfer mechanisms and fast-track regulatory approval for new types of innovative products, such as ILS/Capital Market and/or captive use products.
The ability to provide products that keep pace with technological and social change, such as the pervasive use of social media and requisite data usage, will become table stakes. Quid pro quo in this intricate dance of insurance and insured is effective public and private enterprise involvement. It will require an acceptance, incumbent on all of us, to maximize a safe cyber environment. Insurance can play a significant role in safeguarding our entrepreneurial spirit and prowess, and regulators must be willing to move forward with innovative products.
Finally, companies must bring their own power to bear. Senior leadership must act as the catalyst to ensure that requisite protection is present to safeguard value, constituents, shareholders, and customers. To do this, they must become the driving force in implementing risk management programs and putting necessary security levers at their disposal to protect intellectual property and competitive advantage. Again, this should be seen as the fiduciary responsibility of senior executives and directors of companies.
Every company must transform its mindset and develop a protective and proactive security strategy – involving every employee, contractor, and supplier. Consider it “reverse table stakes” - your employees, contractors, and suppliers are continuously pursued for the spoils of economic warfare that a competitor or industrial nation-state can monetize to their advantage. We have entered into a new era of pervasive technology and resulting exponential vulnerabilities. Senior executives and boards have no choice but to get in the game and drive efforts to ensure the sustainability of their value and competitive advantage.
The key takeaways that organizations must begin to compile and weave into their corporate fabric are:
- Prepare, and then prepare again and again and again. Most organizations have opportunities to halt a major attack, but most of these opportunities are missed due to a lack of awareness, communication, prioritization, or training – as well as simple complacency. Prepare and become vigilant.
- Start at the top. Cybersecurity is not just an IT problem. It is a business problem that must be driven as a top-down priority, which the board and senior team(s) should make part of a monthly review.
- Strategize. Until the massive media coverage of sensational breaches and cyber espionage, cybersecurity has been a severely overlooked yet critical component that must be highly administered as an integral part of every information security strategy and linked to corporate strategy concepts.
- Practice. An effective cybersecurity program must be reviewed and rehearsed frequently, for attacks are not a matter of “if”, but “when.” The most astute organizations will make it a mantra and put programs into place designed to test themselves, and incorporate external resources into the mix.
- Implement Risk Transfer. Work with strong, innovative insurance organizations to create and implement a corresponding risk transfer structure that parallels the other avenues in place for safeguarding your company.
The return on investment for holistic security is your company’s survival. While insurance can be a white knight in the fight against cyber espionage and theft, it is also evident that insurance cannot be the only alternative to far-sighted mindfulness and proactive defense. A partnership of insurance and corporate vigilance will form the most effective offense – always the best defense!