Is the danger of cyber crime exaggerated or is cyber risk a very real threat for financial institutions? Geoffrey Allen provides a reality check and looks at the insurance protection available
Financial institutions operate in a global, networked economy where providing a secure and trusted platform for conducting transactions and exchanging information is a basic value proposition. As such, financial services have demonstrated increased reliance on the internet's vast public structure which allows information to flow easily among internal and remote users including customers, suppliers and partners. However, there is growing risk associated with e-commerce and financial institutions need to manage their exposures.
Security takes on a different meaning in the networked world. Securing information systems is a complex process that must account for:
- continuous technology advancements;
- strategic shifts such as IT outsourcing;
- security in hardware and software products;
- acquisitions requiring system integration;
- security and privacy regulations; and
- the changing threat profile.
The threat profile expands in a networked environment. Attackers not only have easier access to financial assets but richer and better opportunities for information theft, sabotage, industrial espionage, disruption and information warfare.
Information age attackers have new advantages as well. Internet-dependent communication allows attackers to:
- hide their identities;
- avoid physical risk by acting from remote locations;
- exploit vulnerabilities before their existence is known to security defenders;
- exploit interdependencies inherent in most networks; and
- use insecure systems of unrelated parties as attack tools.
In a post-9/11 world, a whole new front has opened up for terrorists and foreign governments - cyber terrorism, state-sponsored espionage and information warfare. As part of their nations' critical infrastructure, financial institutions face a growing and dangerous threat.
Evaluating cyber risk insurance
Recent surveys provide insight into a number of fundamental questions about exposure that might aid in evaluating the option of cyber risk insurance. The studies are:
- 2004 Global Security Survey by Deloitte Touche Tohmatsu, which bases its conclusions on responses by 64 financial institutions (the survey is available at www.deloitte.com).
- 2004 E-Crime Watch Survey by Carnegie Mellon Software Engineering Institute/CERT Coordination Center, CSO Magazine and The United States Secret Service, which bases its conclusions on 500 respondents (the survey is available at www.csoonline.com).
Another valuable industry survey is the CSI/FBI Computer Crime and Security Survey, now in its ninth year.
The surveys deserve careful reading to ensure a balanced view of problematic areas in information security and the budgetary and regulatory forces that impact security decisions. Below are typical risk management questions in the light of key survey results. The questions assume a traditional insurance programme that has typical gaps in cyber coverage, meaning potentially unprotected risks involving computer attacks against a network or information resources by either hackers or employees.
How serious is the cyber risk threat to a financial institution?
According to the Deloitte survey, respondents are worried that attacks against their networks are becoming more sophisticated. Significantly, 83% of the respondents - up from 39% the year before - reported that their systems had been breached.
Even with the growing threat, US respondents to the Deloitte survey indicated that they were willing to take higher risks and lead in the adoption of new technologies.
Deloitte respondents noted that the growth of e-commerce increases the threat of financial fraud and the theft of customer information from inside and outside the organisation. In the 2003 survey, organised crime was singled out as a major source of such attacks. Respondents to the 2004 survey ranked the top threats as viruses/worms, loss of customer data and being flooded with software patches, characterised as inadequate patch management. According to CERT (one of the sponsors of the E-Crime Survey), the number of reported patch-related vulnerabilities increased from 140 in 1995 to 4,129 in 2002. Unless patched, software vulnerabilities offer attackers an opportunity to penetrate an information system. E-Crime respondents reported a 43% increase in the overall number of electronic crimes and intrusions involving networks, systems or data in 2003 versus 2002.
Isn't my organisation's information security risk management sufficient?
Deloitte respondents reported varying degrees of confidence in how well their network was protected from cyber attacks. Eight per cent were not very confident about internal protection and 7% said the same about external protection. Most were somewhat confident (48% internal and 37% external). Almost as many were very confident (43% internal and 53% external). A small number (2% internal and 9% external) were extremely confident.
Outsourcing of IT functions and business processes was found in the Deloitte survey to have grown considerably in the past 18 months. Outsourced functions are an important dimension of security risk management, as risks generally follow the function. Although no similar questions were included in the 2004 survey, the 2003 Deloitte survey found that only 38% conducted their own rigorous assessment of third-party security measures, and only 44% received regular information from third parties that allows ongoing assessment of their security. Respondents indicated concern over customer privacy and outsourced operations.
The Deloitte survey revealed that 91% of the organisations have IT disaster recovery or business continuity plans. However, only 54% (a significant improvement from 43% last year) were very confident that their backups worked or met policy requirements for off-site storage.
What losses have occurred that justify adding a cyber risk insurance policy to my portfolio?
The E-Crime survey explored this issue in some depth, although the number of respondents answering these questions was often significantly smaller than the 500 who took part in the survey as a whole. Disclosing losses is a sensitive issue, especially in cyber risk, where damage to one's reputation as a trusted party for electronic commerce is often seen as too great a risk to take.
Three per cent of the E-Crime respondents had losses over $10m and 5% had losses between $1m and $10m. However, although 50% track their losses, they were unable to quantify them.
Some type of financial loss due to electronic crime was experienced by 83 E-Crime respondents. In terms of losses from these crimes, 56% were operational and 25% financial. The E-Crime survey reported the top electronic crimes:
- virus or other malicious code (77%)
- denial of service (DoS) attacks (44%)
- illegal generation of SPAM email (38%)
- unauthorised access by an insider (36%)
- unauthorised access by outsider (27%).
In the matter of insider intrusion, the E-Crime survey revealed that legal action was not taken out of fear of negative publicity (27%), concern that competitors would take advantage of the situation (11%) and prior negative experience with law enforcement (7%).
It appears likely that the general reticence about cyber losses together with problems quantifying such losses has caused the actual level of losses to be under-reported.
Do cyber risk insurance products address the gaps in traditional policies?
The answer is yes. Generally, cyber risk insurance policies provide coverage for computer attacks by employees and hackers, viruses and malicious code, denial of service attacks and theft of passwords by non-electronic means. These attacks are generally defined as unauthorised access or use of covered networks and include:
- liability for theft of private or confidential information including identity theft;
- inability of authorised users to access the network;
- loss of data; and
- downstream liability, that is, liability for attacks launched from the covered network against other computers or networks once the covered network has itself been compromised by hacking, a DoS attack or a virus.
Some cyber risk policies offer first-party coverage as well. Again, the basis of cover is computer attacks against the covered network. Disruption of the network or the alteration or destruction of data caused by a hacker, insider, virus or DoS attack would be covered for business interruption to provide for lost income and extra expense to restore network service and data.
Cyber risk policies also cover systems and IT functions outsourced to third parties. Here cyber risk insurance can play an important role since most outsourced IT service providers are subject to the same attacks and usually limit their liability to the value of the outsource contract as well as disclaim consequential damages for business interruption.
Are other financial institutions buying cyber risk insurance?
Deloitte's 2003 survey found that 24% of the respondents had cyber risk insurance. Of the remainder, 5% more were planning to buy such coverage. This question did not appear on the 2004 survey though there is no reason to suggest the trend has changed. These results are similar to the 28% obtained by the 2004 CSI/FBI Computer Crime and Security Survey.
Addressing key exposures
As the Deloitte and E-Crime surveys show, cyber risk policies do address key exposures that are generally not otherwise covered by insurance and pose a significant risk to financial institutions. With many financial institutions purchasing cyber risk coverage, it is important for risk managers to provide the cyber coverage option to senior management or review the adequacy of current cyber risk coverage and limits of insurance. This task is especially crucial in light of the growing threat to financial institutions from attacks on their networks - attacks that threaten the basis of trust that is essential to their dealings with customers and business partners.
Geoffrey Allen is National Cyber Risk Practice Group Leader at Willis North America.