When it comes to privacy, not all states are alike. This was confirmed yet again in the 50 State Compendium of Unclaimed Property Practices we compiled. The compendium ranks the amount of personal data that state treasuries expose during the process by which individuals can collect unclaimed funds. The data exposed can provide fraudsters with a crime exacta: claiming money that no one will ever miss and gathering various nuggets of personal data that can help facilitate other types of identity theft. The takeaway: Some states provide way too much data to anyone who is in the business of exploiting consumer information.
For those who take their privacy seriously, the baseline of our compendium—inclusion in a list of people with unclaimed funds or property—may in itself be unacceptable. For others, finding their name on an unclaimed property list isn’t a huge deal. In fact, two people on our team found unclaimed property in the New York database (I was one of them) while putting together the 50-state compendium, and there were no panic attacks.
That said, there is a reason to feel uncomfortable—or even outright concerned—when you find your name on a list of people with unclaimed property. After all, you didn’t give anyone permission to put it there. The way a person manages her affairs (or doesn’t) should not be searchable on a public database like a scarlet letter just waiting to be publicized.
Then there’s the more practical reason that it matters. Identity thieves rely on sloppiness. Scams thrive where there is a lack of vigilance (lamentably, a lifestyle choice for many Americans despite the rise of identity-related crimes). The crux of the problem when it comes to reporting unclaimed property: It’s impossible to be guarded and careful about something you don’t even know exists, and, of course, it’s much easier to steal something if you know that it does.
The worst of the state unclaimed property databases provide a target-rich environment for thieves interested in grabbing the more than $58 billion in unclaimed funds held by agencies at the state level across the country.
States’ response to questions about public database
When we asked for comment from the eight states that received the worst rating in our compendium—California, Hawaii, Indiana, Iowa, Nevada, South Dakota, Texas and Wisconsin—five replied. In an effort to continue the dialogue around this all-too-important topic, here are a few of the responses from the states:
— California said: “The California state controller has a fraud detection unit that takes proactive measures to ensure property is returned to the rightful owners. We have no evidence that the limited online information leads to fraud.”
The “limited online information” available to the public on the California database provides name, street addresses, the company that held the unclaimed funds and the exact amount owed unless the property is something with a movable valuation like equity or commodities. To give just one example, we found a $50 credit at Tiffany associated with a very public figure. We were able to verify it because the address listed in the California database had been referenced in a New York Times article about the person of interest. Just those data points could be used by a scammer to trick Tiffany or the owner of the unclaimed property (or the owner’s representatives) into handing over more information (to be used elsewhere in the commission of fraud) or money (a finder’s fee is a common ruse) or both.
This policy seems somewhat at odds with California’s well-earned reputation as one of the most consumer-friendly states in the nation when it comes to data privacy and security.
— Hawaii’s response: “We carefully evaluated the amount and type of information to be provided and consulted with our legal counsel to ensure that no sensitive personal information was being provided.”
My response: Define “sensitive.” These days, name, address and email address (reflect upon the millions of these that are “out there” in the wake of the Target and Home Depot breaches) are all scammers need to start exploiting your identity. The more information they have, the more opportunities they can create, leveraging that information, to get more until they have enough to access your available credit or financial accounts.
— Indiana’s response was thoughtful. “By providing the public record, initially we are hoping to eliminate the use of a finder, which can charge up to 10% of the property amount. Providing the claimant the information up front, they are more likely to use our service for free. That being said, we are highly aware of the fraud issue and, as you may know, Indiana is the only state in which the Unclaimed Property Division falls under the Attorney General’s office. This works to our advantage in that we have an entire investigative division in-house and specific to unclaimed property. In addition, we also have a proactive team that works to reach out to rightful owners directly on higher-dollar claims to reduce fraud and to ensure those large dollar amounts are reaching the rightful owners.”
Protect and serve should be the goal
While Indiana has the right idea, the state still provides too much information. The concept here is to protect and serve—something the current system of unclaimed property databases does not do.
The methodology used in the compendium was quite simple: The less information a state provided, the better its ranking. Four stars was the best rating—it went to states that provided only a name and city or ZIP code—and one star was the worst, awarded to states that disclosed name, street address, property type, property holder and exact amount owed.
In the majority of states in the U.S., the current approach to unclaimed funds doesn’t appear to be calibrated to protect consumers during this ever-growing epidemic of identity theft and cyber fraud. The hit parade of data breaches over the past few years—Target, Home Depot, Sony Pictures, Anthem and, most recently, the Office of Personnel Management—provides a case-by-case view of the evolution of cybercrime. Whether access was achieved by malware embedded in a spear-phishing email or came by way of an intentionally infected vendor, the ingenuity of fraudsters continues apace, and it doesn’t apply solely to mega databases. Identity thieves make a living looking for exploitable mistakes. The 50 State Compendium provides a state-by-state look at mistakes just waiting to be converted by fraudsters into crimes.
The best way to keep your name off those lists: Stay on top of your finances, cash your checks and keep tabs on your assets. (And check your credit reports regularly to spot signs of identity fraud. You can get your free credit reports every year from the major credit reporting agencies, and you can get a free credit report summary from Credit.com every month for a more frequent overview.) In the meantime, states need to re-evaluate the best practices for getting unclaimed funds to consumers. One possibility may be to create a search process that can only be initiated by the consumer submitting his name and city (or cities) on a secure government website.
This is the second in a series of three articles.
With the entire insurance industry at a tipping point, where many of the winners and losers will be determined in the next five to 10 years, it’s important to think through all the key strategic factors that will determine those outcomes. Those factors are what we call STEEP: social, technological, environmental, economic and political.
In this article, we’ll take a look at all five.
Social: The Power of Connections
The shifts in customer expectations present challenges for life insurers, many of which are caught in a product trap in which excessive complexity reduces transparency and increases the need for advisers. This creates higher distribution costs.
A possible solution lies in models that shift the emphasis from life benefits to promoting health, well-being and quality of life. In a foretaste of developments ahead, a large Asian life insurer has shifted its primary mission from insurance to helping people lead healthier lives. This is transforming the way the company engages with its customers. Crucially, it’s also giving a renewed sense of purpose and value to the group’s employees and distributors.
Further developments that could benefit both insurers and customers include knowledge sharing among policyholders. One insurer enables customers to share their health data online to help bring people with similar conditions together and help the company build services for their needs. Similarly, a DNA analysis company provides insights on individual conditions and creates online communities to pool the personal data of consenting contributors to support genetic studies.
A comparable shift in business models can be seen in the development of pay-as-you-drive coverage within the P&C sector. In South Africa, where this model is well advanced, insurers are realizing higher policyholder retention and lower claims costs.
This kind of monitoring is now expanding to home and commercial equipment. These developments are paving the way for a move beyond warranty or property insurance to an all-’round care, repair and protection service. These offerings move the client engagement from an annual transaction to something that’s embedded in their everyday lives. Agents could play an important role in helping to design aggregate protection and servicing.
In banking, we’ve seen rapid growth in peer-to-peer lending; the equivalents in insurance are the affinity groups that are looking to exercise their buying power, pool resources and even self-insure. While most of the schemes cover property, the growth in carpooling could see them play an increasing role within auto insurance.
Technological: Shaping the Organization Around Information Advantage
More than 70% of insurance participants in our 2014 Data and Analytics Survey say that big data or analytics have changed the way they make decisions. But many insurers still lack the vision and organizational integration to make the most of these capabilities. Nearly 40% of the participants in the survey see “limited direct benefit to my kind of role” from this analysis, and more than 30% believe that senior management lacks the necessary skills to make full use of the information.
The latest generation of models is able to analyze personal, social and behavioral data to gauge immediate demands, risk preferences, the impact of life changes and longer-term aspirations. If we look at pension planning, these capabilities can be part of an interactive offering for customers that would enable them to better understand and balance the financial trade-offs between how much they want to live off now and their desired standard of living when they retire. In turn, the capabilities could eliminate product boundaries as digital insights, along with possible agent input, provide the basis for customized solutions that draw together mortgages, life coverage, investment management, pensions, equity release, tax and inheritance planning. Once the plan is up and running, there could be automatic adjustments to changes in income, etc.
Reactive to preventative
The increasing use of sensors and connected devices as part of the Internet of Things offers ever more real-time and predictive data, which has the potential to move underwriting from “what has happened” to “what could happen” and hence more effective preemption of risks and losses. This in turn could open up opportunities for insurers to gravitate from reactive claims payer to preventative risk adviser.
As in many other industries, the next frontier for insurers is to move from predictive to prescriptive analytics (see Figure 2). Prescriptive analysis would help insurers to anticipate not only what will happen, but also when and why, so they are in a better position to prevent or mitigate adverse events. Insurers could also use prescriptive analytics to improve the sales conversion ratio in automated insurance underwriting by continually adjusting price and coverage based on predicted take-up and actual deviations from it. Extensions of these techniques can be used to model the interaction between different risks to better understand why adverse events can occur, and hence how to develop more effective safeguards.
Environmental: Reshaping Catastrophe Risks and Insured Values
Catastrophe losses have soared since the 1970s. While 2014 had the largest number of events over the course of the past 30 years, losses and fatalities were actually below average. Globally, the use of technology, availability of data and ability to locate and respond to disaster in near real-time are helping to manage losses and save lives, though there are predictions that potential economic losses will be 160% higher in 2030 than they were in 1980.
Shifts in global production and supply are leading to a sharp rise in value at risk (VaR) in under-insured territories; the $12 billion of losses from the Thai floods of 2011 exemplify this. A 2013 report by the UN International Strategy for Disaster Reduction (UNISDR) and PwC concluded that multinationals’ dependencies on unstable international supply chains now pose a systemic risk to “business as usual.”
Environmental measures to mitigate risk
Moves to mitigate catastrophe risks and control losses are increasing. Organizations, governments and UN bodies are working more closely to share information on the impact of disaster risk. Examples include R!SE, a joint UN-PwC initiative, which looks at how to embed disaster risk management into corporate strategy and investment decisions.
Governments also are starting to develop plans and policies for addressing climatic instability, though for the most part policy actions remain unpredictable, inconsistent and reactive.
Developments in risk modeling
A new generation of catastrophe models is ushering in a transformational expansion in both geographical breadth and underwriting applications. Until recently, cat models primarily concentrated on developed market peak zones (such as Florida windstorm). As the unexpectedly high insurance losses from the 2010 Chilean earthquake and the 2011 Thai floods highlight, this narrow focus has failed to take account of the surge in production and asset values in fast-growth SAAAME markets (South America, Africa, Asia and the Middle East). The new models cover many of these previously non-modeled zones.
The other big difference for insurers is their newfound ability to plug different analytics into a single platform. This offers the advantages of being able to understand where there may be pockets of untapped capacity or, conversely, hazardous concentrations. The result is much more closely targeted risk selection and pricing.
The challenge is how to build these models into the running of the business. Cat modeling has traditionally been the preserve of a small, specialized team. The new capabilities are supposed to be easier to use and hence open to a much wider array of business, IT and analytical teams. It’s important to determine the kind of talent needed to make best use of these systems, as well as how they will change the way underwriting decisions are made.
Emerging developments include new monitoring and detection systems, which draw on multiple fixed and drone sensors.
Challenges for evaluating and pricing risk
Beyond catastrophe risks are disruptions to asset/insured values resulting from constraints on water, land and other previously under-evaluated risk factors. There are already examples of industrial plants that have had to close because of limited access to water.
Economic: Adapting to a Multipolar World
Struggling to sustain margins
The challenging economic climate has held back discretionary spending on life, annuities and pensions, with the impact being compounded by low interest rates and the resulting difficulties in sustaining competitive returns for policyholders. The keys to sustaining margins are likely to be simple, low-cost, digitally distributed products for the mass market and use of the latest risk analytics to help offer guarantees at competitive prices.
The challenges facing P&C insurers center on low investment returns and a softening market. Opportunities to seek out new customers and boost revenues include strategic alliances. Examples could include affinity groups, manufacturers or major retailers. A further possibility is that one of the telecoms or Internet giants will want a tie-up with an insurer to help it move into the market.
More than 30% of insurance CEOs now see alliances as an opportunity to strengthen innovation. Examples include the partnership between a leading global reinsurer and software group, which aims to provide more advanced cyber risk protection for corporations.
Surprisingly, only 10% of insurance CEOs are looking to partner with start-ups, even though such alliances could provide valuable access to the new ideas and technologies they need.
Growth in SAAAME insurance markets will continue to vary. Slowing growth in some major markets, notably Brazil, could hold back expansion. In others, notably India, we are actually seeing a decline in life, annuity and pension take-up as a result of the curbs on commissions for unit-linked insurance plans (ULIP). Further development in capital markets will be necessary to encourage savers to switch their deposits to insurance products.
As the reliance on agency channels adds to costs, there are valuable opportunities to offer cost-effective digital distribution. Successful models of inclusion include an Indian national health insurance program, which is aimed at poorer households and operates through a public/private partnership. More than 30 million households have taken up the smart cards that provide them with access to hospital treatment.
The already strong growth (10% a year) in micro-insurance is also set to increase, drawing on models developed within micro-credit. The challenge for insurers is the need to make products that are sufficiently affordable and comprehensible to consumers who have little or no familiarity with the concept of insurance.
Rather than waiting for a market-wide alignment of data and pricing, some insurers have moved people onto the ground to build up the necessary data sets, often working in partnership with governments, regional and local development authorities and banks and local business groups.
The urban/rural divide may actually be more relevant to growth opportunities ahead than the emerging/developed market divide. In 1800, barely one in 50 people lived in cities. By 2009, urban dwellers had become a majority of the global population for the first time. Now, every week, 1.5 million people are added to the urban population, the bulk of them in SAAAME markets.
Cities are the main engines of the global economy, with 50% of global GDP generated in the world’s 300 largest metropolitan areas. The result is more wealth to protect. Infrastructure development alone will generate an estimated $68 billion in premium income between now and 2030. Urban citizens will be more likely to be exposed to insurance products and have access to them. Urbanization is also likely to increase purchases of life, annuity and pension products, as people migrating into cities have to make individual provision for the future rather than relying on extended family support.
Yet as the size and number of mega-metropolises grow, so does the concentration of risk. Key areas of exposure go beyond property and catastrophe coverage to include the impact of air pollution and poor water quality and sanitation on health.
A Lloyd’s report comparing the level of insurance penetration and natural catastrophe losses in countries around the world found that 17 fast-growth markets had an annualized insurance deficit of $168 billion, creating threats to sustained economic growth and the ability to recover from disasters.
Political: Harmonization, Standardization and Globalization of the Insurance Market
Government in the tent
At a time when all financial services businesses face considerable scrutiny, strengthening the social mandate through closer alignment with government goals could give insurers greater freedom. Insurers also could be in a stronger position to attract quality talent at a time when many of the brightest candidates are looking for more meaning from their chosen careers.
Government and insurers can join forces in the development of effective retirement and healthcare solutions (although there are risks). Further opportunities include a risk partnership approach to managing exposures that neither insurers nor governments have either the depth of data or financial resources to cover on their own, notably cyber, terrorism and catastrophe risks.
Impact of regulation
Insurers have never had to deal with an all-encompassing set of global prudential regulations comparable to the Basel Accords governing banks. But this is what the Financial Stability Board (FSB) and its sponsors in the G20 now want to see as the baseline requirements for not just the global insurers designated as systemically risky, but also a tier of internationally active insurance groups.
The G20’s focus on insurance regulation highlights the heightened politicization of financial services. Governments want to make sure that taxpayers no longer have to bail out failing financial institutions. The result is an overhaul of capital requirements in many parts of the world and a new basic capital requirement for G-SIIs. The other game-changing development is the emergence of a new breed of cross-state/cross-border regulator, which has been set up to strengthen co-ordination of supervision, crisis management and other key topics. These include the European Insurance and Occupational Pensions Authority (EIOPA) and the Federal Insurance Office (FIO) in the U.S.
Dealing with these developments requires a mechanism capable of looking beyond basic operational compliance at how new regulation will affect the strategy and structure of the organization and using this assessment to develop a clear and coherent company-wide response.
Technology will allow risk to be analyzed in real time, and predictive models would enable supervisors to identify and home in on areas in need of intervention. Regulators would also be able to tap into the surge in data and analysis within supervised organizations, creating the foundations for machine-to-machine regulation.
A more unstable world
From the crisis in Ukraine to the rise of ISIS, instability is a fact of life. Pressure on land and water, as well as oil and minerals, is intensifying competition for strategic resources and potentially bringing states into conflict. The way these disputes are playing out is also impinging on corporations to an ever-greater extent, be it through trade sanctions or state-directed cyber-attacks.
Businesses, governments and individuals also need to understand the potential causes of conflict and their ramifications and develop appropriate contingency planning and response. At the very least, insurers should seek to model these threats and bring them into their overall risk evaluations. For some, this will be an important element of their growing role as risk advisers and mitigators. Investment firms are beginning to hire ex-intelligence and military figures as advisers or calling in dedicated political consultancies as part of their strategic planning. More insurers are likely to follow suit.
The final article in this series will look at scenarios that could play out for insurers and will lay out a way to formulate an effective strategy.
The country was rocked recently when three major enterprises, including the New York Stock Exchange, encountered cyber “glitches” that were serious enough to take them off line, leading to speculation that perhaps there was something more sinister at play. While contemplating the situation in real time, many enterprises undoubtedly engaged in a quick self-assessment of their own cybersecurity defenses and readiness and heaved a sigh of relief when the disruptions were reported to be resolved, unrelated and not caused by malicious outsiders.
But what if it had been different? How well would your company fare in the face of an attempted or successful cyber attack?
Recent events should serve as a wake-up call for all enterprises to shore up their defenses and formulate their game plan in the event of a cybersecurity incident.
Here are four key factors to consider:
1. Have you conducted a risk-based security assessment? The assessment, among other things, should determine if you’ve already been hacked, test your perimeter and scan for internal and external vulnerabilities.
2. Have you established and implemented effective employee training and awareness policies and programs? Studies repeatedly show that employees are at the heart of most security incidents. Employees should be educated about the crucial role they play in securing enterprise data, and they should be trained to recognize and avoid security threats.
3. Have you assembled an incident response team? No entity should put itself in the position of wondering what to do and who to call when it suffers a cybersecurity incident. Entities should build their incident response team and practice their response to various security incident scenarios before an incident ever happens. Companies that do this are in a better position to respond when an event occurs, thereby minimizing the financial, legal and reputational fallout of a cybersecurity incident.
4. Have you purchased insurance to cover cyber incidents? Enterprises routinely purchase insurance to transfer the risk of potential liabilities they might encounter in the course of their business operations. Cyber liabilities should be treated the same way. Cyber insurance can provide much needed financial and tactical support in the event of a cyber incident.
Thoughtful focus on these four steps can help companies protect against and mitigate the effects of a cybersecurity incident. As recent events have demonstrated, the risks are real, and they show no signs of abating.
As thieves discover more and more ways to steal personal information, it is critical that people use identity theft protection services that involve a wide security sweep of all personally identifiable information and high-risk activity. The marketplace for identity theft protection now includes all kinds of monitoring services and features. Make the best choice by understanding each feature available, how they differ from each other and their capacity for sustaining protection.
Credit monitoring is the process of reviewing a consumer’s credit activity with the credit bureau. It monitors the activity and changes to a credit report, including inquiries made by a creditor to request a copy of a report. Monitoring provides an alert system for activity affecting your credit report and credit score, including potential fraudulent activity or accounts being established. It enables you to stay on top of fraudulent activity so that you can address the inaccuracies immediately. It also reduces the financial impact that identity theft can cause, by reporting the fraud earlier and reducing potential out-of-pocket losses.
Identity monitoring looks at more than just credit information; it encompasses all personally identifiable information: name, birth date, address, email, phone number, Social Security number, etc. This could include monitoring the Internet, national databases, credit files, public records and more. If thieves have your personally identifiable information, it’s the perfect cover for their crimes because everything will point to you, not them. Even kids can become victims of identity theft: Each year, more than 140,000 identity theft cases involve children.
Social Security Number Monitoring
It’s exactly how it sounds – protection for one of the most important pieces of information that a person has. This type involves monitoring hundreds of millions of records for unauthorized use of a Social Security number (SSN). 70% of people are worried about the safety of their SSN. Monitoring an SSN is particularly important for children because thieves have plenty of time to use the child’s information for their own gain before the child finds out by applying for an account or a line of credit and is denied because of the thieves’ damage.
Unlike previous monitoring services that focus on particular data or activities, data sweeps encompass a plethora of touch points and personal information. Data sweeps monitor the Internet for instances of criminals using stolen phone numbers, addresses, birth dates and more. How many data points are included and how often the data sweeps occur vary from plan to plan. Data sweeps cover the information that consumers are worried about, like mailing addresses (50%) and phone numbers (60%). It can also help a person feel more secure about online presence because data sweeps can lead to removing exposed personal information on the web.
Credit Card Monitoring
The lending institutions that issue credit and debit cards will usually monitor transactions and notify cardholders of suspicious activity. Credit card monitoring, as offered through an identity monitoring service, will monitor the Internet for fraudulent activity involving credit card and debit account numbers, PINs and other personal information in Internet hacker chat rooms and the dark web. Credit card monitoring looks at activity outside of the credit report and outside of activity monitored by the cardholder’s bank or issuing institution. As a result, it can detect fraud that may or may not make it to a credit report or be captured by the bank.
Most services will not only keep you informed but help you resolve any suspicious activity. Features could include assistance from a credentialed professional. Some assistance features may only provide victims with next steps or resources, while others may actually take on some of the activities a victim must complete to rebuild his or her reputation. 47% of victims who spent 6-plus months fixing the issue(s) felt severe emotional distress vs. the 4% of victims who felt that way after resolving issues within 24 hours. Victims can limit the health and financial costs of recovery by using a protection plan that includes assistance from professionals who know how to get quick results.
Lost Purse or Wallet Assistance
Whether you misplace your wallet or it actually gets stolen, most identity theft protection services will help you contact the correct institutions and minimize the damage if a thief tries to use your stolen information. Despite the growing threat of malware and hacking, physical theft is still a problem, and 43% of physical theft happens at work.
Most companies have a service agreement that provides some sort of refund for customers if there’s a defect in the company’s service. New technological advances are made every day for security and thievery, so you need to make sure that a company will help you if its protection services can’t keep up with thieves’ new tricks.
Some identity theft protection services go above and beyond with the layers of security and assistance they offer, in addition to the commonly included products listed above. Some of those extra special features are:
While most services monitor your personally identifiable information online or on credit reports, not all of them will monitor databases like criminal records and sex offender registries. Some companies charge extra for monitoring these additional databases. Thieves don’t just use your personal information to empty your bank account. Thieves will steal reputable citizens’ identities and use them as aliases when committing crimes.
Medical Fraud Assistance
Monitoring for medical fraud involves protecting insurance records from criminal use and assisting victims when a thief tampers with a victim’s medical history or racks up medical debt. The crime rate for medical identity theft increases by 32% each year, and more than $12.3 billion in out-of-pocket expenses was incurred in the past year because of medical identity theft.
Tax Fraud Assistance
Products include giving victims an action plan and providing forms and contact information for working with the IRS. Services that actually do recovery work for victims must have certified tax specialists who are approved for working with the IRS on behalf of the victims. In 2014, the FTC’s 1.5 million fraud-related complaints revealed that consumers have paid a total of $1.7 billion because of fraud, and a third of those complaints were tax-related. Tax fraud could include IRS phishing schemes, phone scams and stealing taxpayers’ information to file phony tax returns and get their refunds.
Protection plans may allow members to add family members to their plan; however, adding family members often comes with additional charges. When family members share accounts (e.g. bank, music, email), passwords, etc., everyone feels the consequences if one of them becomes a victim.
Other pieces of your personal information that may or may not be included in the common types of monitoring: loan/lease information, driver’s license, computer security, bank account information, passports, etc. Thieves’ use of hacking, malware and social media has skyrocketed over the past few years. As fraudsters improve their tactics, they gain access to more and more information.
Each type of monitoring covers important information that could lead to serious damage if it falls into the hands of a fraudster, and no one type covers everything. Likewise, each feature has importance, but they’re most effective when working together because they create sustainable, comprehensive coverage.
People need to make sure that their identity theft protection plan includes all the necessary data points with multiple types of monitoring, assistance and recovery features, so their information stays secure.
With an onslaught of bad recent cyber news, is cyber risk worth the trouble, and how should corporate directors be looking at this issue? The recent news is the high-profile breach of 4 million employee records at the U.S. Office of Personnel Management by alleged Chinese hackers and the news that even the security experts are getting hacked, with Kaspersky Lab reporting a breach supposedly committed by a nation state.
President Obama also made cyber security an emphasis of his G7 talks in Germany, commenting that the U.S. government needs to be more “nimble, aggressive and well-resourced” to combat this threat. He also urged the U.S. Congress to pass the 2015 Cybersecurity Information Sharing Act, a first step in a coordinated and systemic public/private response to cyber risks.
The attacks show no signs of slowing. PwC’s 2015 Global State of Information Security Survey indicates a compound annual growth rate of 66% for cyber incidents since 2009. The 10,000 respondents to the survey reported almost 43 million detected incidents during 2014 alone—or 117,339 incoming attacks every day of the year.
Is cyber security risk worth it? Yes, but with a caveat. Without a doubt, the many innovations currently taking place with today’s information technologies open up many new vulnerabilities. Risks are now difficult to isolate, and a protect-and-defend model is not effective against the systemic risks inherent across any corporate ecosystem.
Attacks can also come from a growing list of sources, including hacktivists, foreign and domestic nation-states, customers, employees, partners, consultants, competitors, organized crime and the bored neighbor kid living in the basement and surviving on a diet of Cheetos, Red Bull and your weak IT security infrastructure. The direct and indirect costs of mounting an effective cyber security defense are only getting more expensive, and the risks are only increasing.
Despite this, these technologies also have an upside—a significant one as they are now competitive table stakes, as new business tools always are. These tools are changing market dynamics and customer preferences, and the technologies embody distinct economic advantages such as the lowering of transaction and engagement costs. Business models and competitive advantages are changing as a result of these tools.
These tools are shaping and defining business success, but the risks are holding many companies back. Which takes us to the caveat. The upside of these technologies outweighs the downside.
Cyber is worth the risk, but boards, directors and managers need to be looking to exploit the business advantages of these tools, while at the same time mounting a “nimble, aggressive and well-resourced” approach to mitigating these incessant risks.
This is easier said than done; 89% of companies listed on the Fortune 500 in 1955 are no longer on the list. Business cannibalizes the companies that can’t capitalize on the opportunities presented by changing market conditions, including new technologies.
Directors need to be diligent in overseeing cyber risk as part of a comprehensive IT governance and enterprise risk governance approach. But they also need to be on top of governing cyber opportunity—that’s the only way that they can make cyber security risk worth it.