The Hacktivist Gunslinger
What costs more than the $288 billion black market for marijuana, cocaine and heroin combined? You expose yourself to it every day, at your home and at your office, every time you log in to your computer.
It’s cybercrime, of course, and its cost in time, money and reputation is enormous and growing.
Norton, an Internet security firm, says global cybercrime reached $388 billion last year. The Ponemon Institute estimates the average cost of a data breach hit $7.1 million—$214 for each compromised record. Sony’s data breaches last year will cost $200 million. Software firm McAfee estimates 2008 losses at more than $1 trillion.
No one is immune. Every 19 seconds someone is victimized. Cyber risks come in many forms, from malicious hacking to identity theft to espionage and terrorism.
Last year McAfee uncovered a massive cyber spying operation, likely carried out by China, dubbed “Operation Aurora.” The malware attacked Google, Adobe, Northrop Grumman, Dow Chemical, the United Nations and dozens more around the world. The attacks were systematic, sophisticated and well resourced—the type often launched by a government or organized crime.
Loose-knit hacktivist groups, such as Anonymous and LulzSec, recently wreaked havoc on some very high-profile targets, including the Vatican, Sony and the CIA. A LulzSec leader who threatened to burn down the White House was recently arrested.
Even scarier, the world’s most critical infrastructures—oil, gas and electric grids—are at risk. A 2010 report by McAfee and the Center for Strategic and International Studies, “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” said nearly 70% of those surveyed frequently found malware designed to sabotage their systems.
What’s troubling is how few are prepared. In 2011, McAfee found only a handful of businesses surveyed use sophisticated off-site security measures, a quarter have tools in place to monitor networks, and only 36% use tools to detect anomalies. Yet nearly 40% expect a major attack within the year. To make matters worse, recession-driven cutbacks in security have left many companies exposed.
Interestingly, China, Italy and Japan have twice the security measures in place as Brazil, France and Mexico. The U.S. and the EU lag behind. The most vulnerable to attack are the U.S., Russia and China.
Governments are stepping up, but not soon enough. The EU is considering a new directive to harmonize data privacy laws across Europe, but the process could take several years to ratify. A number of EU countries are acting on their own and adopting data privacy regulations that require data breach notification to customers.
U.S. privacy laws vary state-to-state, but 46 states require organizations to notify customers of data breaches. There is no federal law, but the Obama administration supports one.
Last October the Securities and Exchange Commission issued new guidelines on corporate responsibility for disclosing cyber attacks and their cost to shareholders. The guidelines also require companies to disclose “a description of relevant insurance coverage.”
Cyber liability insurance is a new frontier. Advisen research found that only a third of the companies it surveyed had a cyber insurance policy. Despite the increase in cyber risks and the potential harm an attack can do to customers and a company’s reputation, many companies don’t think they need it or figure other policies will cover their losses. The bad news is they often don’t. Sony is still battling with its insurers over coverage of its cyber attack.
Emily Freeman, a cyber insurance broker at Lockton, says most policies cover the “twin risks of privacy and security.” Policies can include business interruption, notification costs, class-action lawsuits, IT forensic auditing, legal costs, fines and extortion.
There is ample capacity for cyber liability in the London and Lloyd’s markets. But insurers are looking for companies where top management takes cyber risk seriously, has a good risk-management IT program in place and invests in IT security.
Brokers, of course, can play a meaningful role in alerting clients to potential cyber risks and helping them find the coverage that best suits their circumstances and needs.
A word to the wise from a hacktivist: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”