THERE’S a ghost in your machine; and it’s far from Gilbert Ryle’s interpretation of Descartes’s work. However, there’s nothing philosophical about cyber threats as these are costing businesses billions.
Indeed, according to a report by Microsoft Philippines last year, the potential cost of cyber threats would hit about $3.5 billion annually.
The Insurance Commission (IC) even emphasized that a breach in data privacy and cyber security poses real risks for insurers and their policyholders, which is why the IC encourages businesses to be covered by cyber insurance.
“Looking out for data privacy infringement and cyber-attacks should both be part of a company’s risk management,” Insurance Commissioner Dennis B. Funa said. “The threats of privacy breach and cyber-attacks are all too real.”
Funa cited the business-process outsourcing (BPO) industry as an example.
“The BPO sector is one industry with greatest need for cyber insurance protection as it deals primarily with data,” he added. “[However,] there is, as of now, a low take-up of cyber insurance policies.”
Bangladesh, costs
Citing data, Funa pointed out that malware—or malicious software—infections on smartphones grew nearly 400 percent in 2016, while there were 500,000 unknown cyber threats per day during 2017.
A year before that, he said, the personal data of about 3.7 million Hong Kong voters were stolen. About 3.2 million debit cards were compromised in Asia, he added.
“The cost of these attacks is astounding. The cyber-attack on a Bangladesh bank resulted in the loss of $81 million.”
Funa explained that the country’s adoption of the Data Privacy Act of 2012 or Republic Act (RA) 10173, as well as the Cybercrime Prevention Act of 2012 (RA 10175), is a helpful addition in terms of protecting against cyber security incidents.
The United States’ Computer Emergency Readiness Team website defines “cybersecurity incident” as “[a]n occurrence that actually or potentially results in adverse consequences to…an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.”
Risk identification
CALLING out the cyber bogeyman necessitates bringing out a ghost fighter: cyber insurance.
Philippine Insurers and Reinsurers Association (Pira) Executive Director Michael F. Rellosa explained that cyber insurance is a new kind of coverage, which basically covers everything in line with cybercrimes.
“A cybercrime can be any crime that’s committed using computers or intelligent systems, etc.,” Rellosa told the BusinessMirror.
A cyber insurance policy can cover several things: the actual damages done to a company or person in the aftermath of a cybercrime if money was lost, the litigation costs, or the increased cost of working.
“Now, you cover two things, you can cover the actual damages or how much money was lost, or you can cover including litigation because sometimes the cost of litigation is even more than the actual money that was stolen,” Rellosa explained. “You can also cover things, like for example, you have to change the system so you call it ‘increased cost of working’ or Icow. So it covers [this] Icow, legal fees and the actual damage.”
One product
AIG Philippines Insurance Inc. (AIG) President and CEO Mark Lwin told the BusinessMirror that cyber liability insurance covers the financial costs that come with cyber breaches.
“Cyber liability insurance covers the financial costs associated with a cyber breach, as well as first-party costs including event management, notification, data restoration, financial costs to third parties, network interruption and cyber extortion,” Lwin said.
The IC has tagged AIG as a leading provider of cyber insurance in the country. AIG explained that its insurance product, for one, can cater to companies in various sectors and fields.
The firm’s trademarked product is a specially designed solution that incorporates crisis response, legal advisory, forensics, a breach coach, and other capabilities to allow companies to respond in the real-time nature of the threat, according to AIG.
“However, in the current threat environment with fast-moving attacks which can bring down entire networks or prevent a company from conducting its very fundamental transactions with customers, an effective policy has to have the capability for an immediate and full-spectrum response.”
Audit, steps
LWIN said cyber insurance “can be thought of similar to a travel insurance policy where there is an immediate travel assistance hotline, and if needed, medical and security advisory or even evacuation, if the situation warrants.”
The company is a leading nonlife insurer in the Philippines providing property and casualty insurance to businesses in the country with vast expertise on cyber risk.
“The services embedded in a cyber liability policy are critical to the protection of the insured,” Lwin said.
In terms of how one gets cyber insurance, Rellosa said the insurer implements a number of assessment measures to determine the extent of the cyber insurance coverage. These steps include the conduct of a system audit on the company or business buying the cyber insurance coverage, a site inspection, a security walkthrough and even background checks on the company’s IT division or team, among others, he added.
Depending on needs
ACCORDING to Rellosa, insurers look at a lot of things to determine cyber insurance coverage.
“For example, the IT room: Does it include a cloud system? Does the company have a backup? What is its connection: is it fiber optic or copper wire? There are a lot of things being looked at; several pages long on the checklist,” he explained. “Insurers also look at the company’s IT specialists, the underwriters of the insurance companies should also be knowledgeable on systems; that’s why it’s a specialized coverage.”
Rellosa further explained that premiums for cyber insurance vary depending on the needs of the business or company. He cited as an example that some insurers charge a premium of 1 percent of the total sum insured under the cyber insurance coverage.
“For example, you want to cover P200 million, so it’s one percent of P200 million [so it’s P2 million]; that’s the premium,” Rellosa said. “But it can go up and down depending on so many factors.”
One factor that can increase the premiums set for a cyber insurance policy is if the company has a previous hacking incident, among others.
“For example, you already got hacked in the past, then your premiums are higher unless you can show that since you got hacked you replaced all the systems and everything from passwords to people, etc.,” Rellosa added. “Again, a lot is being looked at in terms of cyber insurance; it’s not just in the system but also on the people, the background of the IT guys. It’s like a credit check and not just a background check.”
Entails many elements
LWIN pointed out that as the global arena changes in step with technology and innovation, there is also a growing frequency and sophistication in terms of cyber attacks.
“With the growing frequency and sophistication of cyber attacks, risk management must entail many elements of protection from managed security services, proactive monitoring, training and awareness about social engineering and insider threats, and risk transfer through insurance.”
He pointed out that cyber liability insurance is indeed a need as all industries across all sectors are vulnerable to cyber threats and cyber attacks. The coverage is seen as a critical risk management tool.
“In today’s world, all industries are vulnerable to cyber threats, and cyber liability insurance can be a critical risk management solution,” Lwin added.
The AIG believes companies that are using just one form of defense mechanism to cover their IT needs are more susceptible to current and future cyber threats and are at more risk.
“Companies [that] rely upon only a single line of defense are vulnerable, either to current threats or those which are being deployed in the weeks or months ahead,” Lwin said. “Moreover, hackers and cyber criminals have not in the past, and will not in the future, restrict their activities to more-developed economies.”
Responsibilities under law
LWIN also explained that cyber criminals and hackers do not limit their unscrupulous activities to just developed economies, emphasizing that anybody is susceptible to these cyber attacks.
“Philippine companies are, unfortunately, equally exposed and, with the Data Protection Act of 2012 now in effect, have significant responsibilities under the law to protect client information,” Lwin added.
Pira echoed the sentiment that cyber insurance is really seen as a need, pointing out that, based on several surveys, the top concern of CEOs and top officials would be protecting their companies or businesses from cyber threats.
“I think it’s a need already, you know there were several surveys done locally and internationally and actually it’s the biggest worry. In the survey with CEOs and CIOs as the respondents, a number of them said that this is their biggest worry,” Rellosa said. “They think they have the biggest risks along these lines. More than being robbed in banks through a pick axe, etc. It’s easier to get money by hacking.”
Lots of discussion
Apart from cyber insurance, some companies also offer financial crime and risk management measures to protect businesses from the risks brought about by today’s networked working environment.
For one, Fiserv Inc., a company that provides financial services technology to countries across the globe, sees the importance of having correct customer data to improve detection techniques as well as procedures in terms of having comprehensive anti-money laundering solutions for companies.
Fiserv’s Andrew Davies told the BusinessMirror that one of the interesting things he noticed when he visited the Philippines in March this year was that there were a lot of discussions within financial institutions in line with anti-money laundering and tax evasion measures.
“One of the interesting things I’ve found over time is that there is an interest in development going on particularly around anti-money laundering but also tax evasion [in the Philippines],” said Davies, Fiserv’s vice president for global market strategy, financial crime risk management. “There [are] many financial professionals in the Philippines focused on managing risk appropriately to protect their customers and the financial system itself.”
Overseeing operations
DAVIES explained that the quick movement of money and data around the world is not a bad thing, as it provides convenience, among others, to people. However, he emphasized that having technology in place to keep that movement safe should come with the shift.
“Moving money and data around the world is something we have as a mission; that moves the world really. It’s a good thing; moving money more quickly is a good thing,” Davies added. “But having technology in place to manage any risk or fraud or money laundering associated with the movement of that money is very important [as well].”
He said a company like Fiserv, which provides financial solutions and risk management services to financial institutions, can help monitor the movement of data or money in real time as well as monitor unusual activities through transactions to help prevent threats such as money laundering, among others.
“We know payments, and we know payment fraud risk, and we can also do that in real time. So you stop the money moving into the hands of the criminals before the money has actually left the financial institution,” Davies said. “You’re very much protected. Just look at behaviors and unusual activities and red flags.”
Other costs
CITING data from a study conducted by the United Nations (UN), Davies pointed out that the amount of money laundered through the global financial system annually is up to $3.6 trillion, adding that experts estimate cybercrime damage costs to hit $6 trillion annually by 2021.
Davies explained that financial crime and risk management solutions from Fiserv incorporate modern technologies that employ advanced analytical approaches, robotic process automation for improving alert investigation efficiency, and artificial intelligence that can sift through volumes of unstructured data, analyze risk cases, and identify early signs of potential future issues.
“I believe the UN estimates that the amount of money being laundered through the global financial system on an annual basis is between 2 percent and 5 percent of global gross domestic product,” Davies added. “And that’s variously giving it a total of around a global number anywhere between $1.6 trillion and $3.6 trillion laundered through the global financial system on an annual basis.”
He added that “that number needs to materially change going forward, particularly the application of more intelligent technology to uncover money laundering [schemes] from solutions like that provided by [companies like us].”
Key research
Latest research from Canalys Pte. Ltd. shows cybersecurity solutions for public cloud and “as a service” accelerated in the first quarter of the year.
“These deployment models collectively grew 46.0 percent year on year,” the Singapore-based analyst company said. “These types of solutions accounted for 17.6 percent of total cybersecurity market value, up from 13.8 percent in the same period a year ago.”
The company added that virtual security appliances and agent solutions also grew strongly, up 18.2 percent on an annual basis.
“Traditional hardware and software deployments still dominate, representing almost 75 percent of the total,” Canalys said. “Both models continued to grow but at a slower rate of just over 8 percent.”
The company added this data highlights the ongoing transition in cybersecurity solutions as organizations look to protect more data assets and workloads based in the public cloud.
“Vendors have introduced new ways of doing business with channels and enterprise customers in terms of purchasing, consumption and servicing, as well as helping simplify operations in increasingly complex IT environments.”
The statement quoted Canalys principal analyst Matthew Ball as saying that “investment in cybersecurity shows no sign of slowing down as it remains a priority for all organizations.”
“The security industry will be immune to the increasingly challenging macroeconomic and political environment,” Ball said. “Recent high-profile ransomware attacks have resulted in organizations paying large sums to regain access to critical IT systems and data. Strengthening security strategies across devices, infrastructure, perimeters and applications will continue to be critical.”
Ball also recommends that “increasing employee training and gaining more comprehensive cybersecurity insurance will also be important to counter these threats.”