Complying With New EU Data Rule

The EU General Data Protection Regulation is set to bring far-reaching changes to Europe’s data protection and privacy rules. The GDPR, which will take effect in May 2018, establishes requirements governing how organizations around the world manage and protect personal data while doing business in the EU. The regulations are strict, and the potential penalties are high — fines up to 20 million euros ($23.5 million) or 4% of global turnover, whichever is greater.

But new rules can also inspire positive change. Such is the case with the GDPR, which has prompted many companies to evaluate and improve how they manage their overall cyber risk. With the GDPR deadline fast approaching, some companies appear to be further ahead than others in compliance planning, according to a global survey of corporate cyber-risk perception conducted by Marsh.

Marsh’s independent analysis of the survey’s findings highlights three key points:

1. Cyber risk is a top priority at organizations that report they are also preparing for GDPR.

The regulation comes at a time when cyber risk is — or should be — on every company’s radar, a fact underscored by survey respondents. In an age of technology-driven disruption, the threat of evolving cyber risks is real. The WannaCry and Petya ransomware attacks in 2017 affected the share prices of several global companies and did significant damage to a number of smaller firms. They served as one in a string of reminders that any company that is connected to the internet, uses technology or stores customer or employee data is at risk — a list that excludes almost no one.

2. GDPR compliance efforts are encouraging broader cyber-risk management practices.

Organizations preparing for the GDPR are doing more to address cyber risk overall than those that have yet to start planning, according to survey respondents. This is happening even though the GDPR is not a “prescriptive” set of regulations with a defined checklist of compliance activities. Instead, GDPR preparedness appears to be both a cause and a consequence of overall cyber-risk management.

Survey respondents who said their organizations were actively working toward GDPR compliance — or felt that they were already compliant — were three times more likely to adopt overall cybersecurity measures and four times more likely to adopt cyber resiliency measures than those who had not started planning for GDPR.

Figure: Source: 2017 Marsh Global Cyber Risk Perception Survey.

Practices such as cyber-incident planning and cyber insurance are not explicitly required by the GDPR, but respondents who said their organizations had high levels of GDPR readiness had also adopted these measures. This works both ways — organizations that have adopted a cybersecurity measure such as encryption also have a head start on GDPR compliance, because the regulation strongly encourages encryption. And while cyber-incident planning and cyber insurance are not explicitly required, they still enable firms to quickly marshal the resources needed to meet the GDPR’s 72-hour data breach notification requirement.

3. Even organizations with a higher degree of GDPR readiness may not be fully prepared for a cyber incident.

Consider third-party vulnerabilities. For years we have known that weaknesses in suppliers, vendors and other third parties are prime entry points into a system for threat actors. The good news is that most organizations now realize this, as indicated by the 67% of respondents who said they assess the cyber risk of their vendors and suppliers.

However, digging into what such assessments entail reveals a somewhat alarming lack of depth. For example, only 17% of respondents said they have assessed the financial strength of their suppliers and vendors, which determines whether those parties could pay compensation in the event of a loss.

With GDPR implementation just months away, among organizations subject to the GDPR, 8% said they were fully compliant, 57% were developing a compliance plan and 11% had yet to start. Given the effort needed to comply, this suggests many organizations will face challenges meeting all requirements by the time GDPR takes effect in May 2018.

Those who are ahead recognize the GDPR compliance process as a game-changing opportunity. Preparation has effectively focused executive attention on broader data protection and privacy issues, prompting related investments and commitment. In preparing for the new rules, organizations are strengthening their overall cyber-risk management posture and turning what is often viewed as a constraint into a competitive advantage.

Pokémon Go Highlights Disruptive Technology

If you hear employees talking about spending their stardust and candies, chances are they’re caught up in the latest pop culture fixation: Pokémon Go. The mobile phone game sensation has fans roaming the country with their handhelds out to capture the “Pocket Monsters” scattered virtually throughout the real world.

The kid in me chuckles at this innovative use of augmented reality (AR) technology. But my cyber risk side looks at AR and sees potential issues involving malware, privacy, data disclosure and employee safety.

Real-World Risks

Computer and online games quickly become targets for malware, for example through fake and cracked versions in app stores. Attackers who gain control of a phone also gain a wealth of data about its user. For companies with bring-your-own-device (BYOD) programs, enterprise email accounts and other corporate data could be exposed.

Of course, BYOD risks are not limited to Pokémon Go. For example, sensitive information can be exposed through employees’ social media postings and other activities. But apps that are addictive and seemingly innocent can blind users to the risks of downloading them.

AR technology combines elements of the digital and physical worlds into a single view, allowing data, text or images to be superimposed on a live video feed. In Pokémon Go, AR aligns the game map with a real-world map and lets players find and even photograph their monsters in physical locations.

What if a Pokémon is located inside your company’s office? If a user shares a photo or screenshot of such a location, there is a risk of inadvertently disclosing sensitive company or customer information. There are also privacy concerns for people and places that do not want to be involved in the game.

Managing Risk

As surely as Pikachu evolves into Raichu, technology like AR will morph and bring new risks. Businesses may try to block or limit employees’ access to AR and similar technology, but that may provide only temporary relief before the next threat emerges.

So, as with all cyber risks, organizations should make sure they do not focus only on prevention when it comes to Pokémon Go. Among the steps to bolster response and recovery, businesses can:

  • Educate employees about the risks.
  • Conduct regular cyber risk assessments and audits to identify threats and assets at risk.
  • Develop and test disaster recovery, business continuity and incident response plans in conjunction with law enforcement, regulators and others.
  • Purchase cyber insurance to deal with the inevitable risks that slip through the cracks.

AR and other disruptive technologies are here to stay and promise to benefit companies and consumers. Risk professionals will need to be nimble as they manage the accompanying risks.

The State of Cyber Insurance

Cyber attacks are escalating in frequency and intensity and pose a growing threat to the business community as well as to the national security of countries. High-profile cyber incidents in 2014 reflected the expanding spectrum of cyber threats, from point-of-sale (POS) breaches compromising customer accounts to targeted denial-of-service (DoS) attacks meant to disable a company’s network. Businesses in ever-greater numbers sought financial protection through insurance, buying coverage for losses from data breaches and business outages.

Boost in Cyber Insurance Demand Drives Insurers’ Response

Healthcare facilities, universities and schools remain on cybercriminals’ radar, but attacks in the hospitality and gaming, power and utilities, and other sectors show that no organization is immune to a cyber attack or a failure of technology.

Healthcare and education clients had the highest cyber insurance take-up rates in 2014, followed by hospitality and gaming, and services. Universities and schools present attractive targets because they hold a vast array of personal information about students, parents, employees, alumni and others: Social Security numbers, healthcare information, financial data and research papers can all be compromised.

The broader scope of hacktivist activity contributed to the increase in cyber insurance purchases in 2014. Sectors that again showed notable year-over-year increases in the number of clients purchasing cyber coverage included hospitality and gaming, and education. The power and utilities sector also stood out in 2014, with more clients buying standalone cyber coverage. Power and utilities companies frequently cite the risks and vulnerabilities associated with supervisory control and data acquisition (SCADA) networks — which control remote equipment — and the cost of regulatory investigations as driving factors behind their cyber coverage purchases.

The reasons for purchasing cyber coverage range from board mandates seeking to protect corporate reputations to companies looking to mitigate potential revenue loss from cyber-induced interruptions of operations. Insurers responded to this demand by offering broader cyber insurance coverage in 2014, including coverage for contingent business interruption and for cyber-induced bodily injury and property damage. They also expanded the availability of loss-control services, including risk-assessment tools, breach counseling and event response assistance.

Cyber Limits Rise

Companies with revenues of more than $1 billion have increased their cyber insurance limits worldwide by 42% on average since 2012, according to Marsh Global Analytics estimates. Over the same time period, healthcare companies have bought 178% more cyber insurance, and power and utilities firms have expanded their coverage by 98%.

Figure: Rising spending on cyber insurance. Source: Marsh Global Analytics. Percentage increase in spending by companies with more than $1 billion in revenues on cyber-risk insurance from 2012 through 2014.

Cyber Rates and Coverage

Increases in the frequency and severity of losses, together with near-constant headlines about attacks and outages, kept cyber insurance premiums volatile in 2014. Average rate increases at renewal for both primary layers and total programs were lower in the fourth quarter than in the first. The increased loss activity created pricing challenges for some insureds, particularly retailers, whose renewal rates rose 5% on average and as much as 10% for some clients.

Market capacity also varied by industry. Most industries were able to secure cyber coverage with aggregate limits in excess of $200 million, while the most targeted industries, such as retailers and financial institutions, faced a challenging market.

Insureds also face heightened due diligence from underwriters seeking to go beyond simple reviews of a company’s general information security policies. For example, insureds in the retail sector are being asked about their deployment of encryption and EMV (chip-based credit card) technology. And all insureds are now routinely asked whether they have formal incident response plans in place that outline procedures for protecting data and vendor networks and, more importantly, whether those plans have been tested.

A Growing Concern

In 2015, managing cyber risk is clearly a top priority for organizations. For example, business interruption (BI) drew a lot of attention in 2014, a trend likely to continue throughout 2015. While BI has historically been thought of as a critical system going down for an extended period, technology failures and cyber attacks can create far-reaching outages affecting secondary systems, clients and even vendors. Such events can also lead to higher recovery costs, which are becoming a concern for boards of directors and senior management.

There is also concern stemming from the expansion of regulation and litigation. Regulators were active in policing cyber risks in 2014, and oversight is likely to expand significantly in coming years. With cyber risk seen as a critical issue on both sides of the aisle in Washington, D.C., companies will face regulatory challenges in 2015 and beyond.

Sectors that have already seen significant regulatory activity — for example, healthcare, financial services and education — will likely face more stringent regulations and larger fines. All industries should pay attention to existing and impending regulations, tighten controls and prepare to present and defend their compliance regime. Civil litigation following a breach or the disclosure of a cyber event also escalated in 2014, with class actions at times filed within hours of a breach being disclosed.

As demand for cyber insurance grows, remember that risk transfer is only part of the solution. Enhanced information sharing between industry and government is another step toward a comprehensive risk-mitigation strategy. Insurers and brokers are expanding the availability of loss-prevention and risk-mitigation services such as risk-assessment tools, breach preparation counseling and breach response assistance. This expanded roster of services and enhanced coverage can provide additional value from policies, usually without a specific added premium.