A recent report on cybersecurity shows many companies are still unprepared for cyberattacks.
The report, conducted by KPMG and British Telecom, reveals only 22 percent of companies have a comprehensive plan in place to deal with a major cybersecurity incident. This is troubling, considering 97 percent of those surveyed – CISOs, CIOs and other IT executives at Fortune 500 companies in the U.S., U.K., Singapore, India and Australia – have been victims of a cyberattack. Additionally, 55 percent admitted to seeing an increase in such attacks over the past year.
Industrial and manufacturing companies in particular were the target of many of the reported data breaches and cyberattacks that caused millions of dollars in financial losses in 2015-2016.
According to the Verizon 2015 Data Breach Investigations Report, there were 525 separate cyber incidents within the manufacturing industry segment last year, up from 251 in 2014.
Sikich Consultancy, a consulting firm in Wisconsin, reported more manufacturing firms are being targeted for breach due to their possession of process secrets and client/employee data in a bring your own device (BYOD)/remote access/file sharing environment.
The KPMG and British Telecom survey also found that only 23 percent of firms surveyed have adequate cyber insurance in place. Deficiencies may include inadequate limits of liability or potential gaps in coverage, as there is no uniformity of policy design among cyber insurance carriers.
Some forms will contain a certain amount of coverage while other forms will not. Some brokers will know to ask for certain coverages, while others may not. This lack of uniformity is a concern because of the significant financial consequences at stake and an already evolving cyber threat environment.
Data Breach and Hacking
Just as there is no uniform cyber coverage, there is no typical target.
Cyberattacks targeting businesses with fewer than 250 employees represented 43 percent of all attacks in 2015, while headlines detailed incidents and other large data breaches at Yahoo, SWIFT, Austria’s FACC and Wendy’s, to name a few. This is an indication that companies of all sizes remain at risk.
Indeed, with the average breach cost to all companies in the United States at $6M, a breach event can be financially crippling for an industrial company.
In fact, the U.S. National Cyber Security Alliance found that 60 percent of small companies close their doors post-cyberattack, and for middle market companies, the average cost of a cyberattack has been more than $1M in 2016.
Symantec’s 2016 Internet Security Threat Report estimates that more than half a billion records were lost or stolen in 2015 due to data breach attacks.
SCADA defense reports published in Computer Weekly indicate that attacks on industrial systems have risen dramatically in the last 18 months since the end of 2014.
To protect their businesses, it is important for consumers to work with an experienced broker that can identify the value and sensitivity of information held, analyze gaps in traditional coverage and benchmark suggested coverage so that informed cyber insurance decisions can be made. Creating a cyberattack response strategy includes evaluating every risk associated not only with the company itself, but also with the storing and sharing of information among suppliers, customers, employees and regulators.
The Federal Bureau of Investigation reports that between October 2013 and February 2016, law enforcement agencies received reports of business e-mail compromise scams, or social engineering fraud and email spoofing, involving 17,642 victims. According to the Bureau, complaints involving these types of fraudulent schemes have arisen in every state and 79 different countries and amount to over $2.3 billion in losses during that period of less than three years.
Similar to breaches and hacking attacks, social engineering schemes are targeting businesses of all types and sizes. Given the prevalence of these fraudulent schemes, it is important to look for a policy that is designed to cover the actual loss of monies not reimbursed by a bank in a social engineering event. Also, it is important to keep in mind that there is little uniformity in social engineering or cybercrime coverage.
Some insurance carriers put this coverage in their crime offerings, some will put it in their cyber offering, and some do not offer it at all. Social engineering exposures should prompt a company’s management team to think about any gaps that may be present internally regarding cybercrime, the need for employee training, who should be involved in making decisions surrounding cyber security and how a knowledgeable broker can be utilized to secure the appropriate coverage.
Holding networks and network connected devices hostage for a ransom has become increasingly profitable for cybercriminals.
Symantec reports that in 2015 the focus of ransomware attacks (also called cyber extortion or cyber ransom attacks), which are used to encrypt files and lock up networks, shifted from PCs to smartphones, Mac, Linux and other systems. Healthcare, automated manufacturing facilities and supply chain/time-sensitive enterprises could be particularly effective targets for ransomware attacks going forward. Ransomware and social engineering remain the two fastest-growing cyber threats to all businesses, as the expertise level needed to conduct an attack remains relatively low.
Addressing Cyber Risk
An essential point to remember when seeking to address cyber risk is to take a proactive stance regarding cyber security. This includes implementing training, education and regular testing for employees as well as developing a cyber risk strategy that includes an examination of IT infrastructure to identify potential exposures, key cyber stakeholders, types of data held and the value of that data.
Tackling cyber risk is an ongoing process that requires engagement at all levels of an enterprise. A knowledgeable broker can use analytics and cyber exposure expertise to determine how much cyber coverage limit is needed, how that limit should be allocated based on the unique needs of the business and how to avoid off the shelf policies that typically are limited in scope and coverage.
Cyber risk is not decreasing – it is increasing and morphing. All companies, especially industrial and manufacturing firms, need to be properly prepared.
Paul King is a senior vice president of USI’s Management and Professional Services (MPS) group and national cyber leader based out of the USI Dallas, Texas, office. Contact Paul at firstname.lastname@example.org or 214-443-3107. Visit www.usi.com for more information.