Can you afford not to insure yourself against cyber threats?
Imagine you run a business that stores the personal information of millions of customers on its servers. Despite your cyber security measures, your company’s system gets hacked and your customers’ information is out there in the public domain. Your customers are angry, they take legal action and you are in a world of pain with lawsuits and legal fees mounting up. Fortunately you had the foresight to insure your company against such a misadventure. But to your horror, you discover that the insurance payout only covers 1 percent of your recovery effort costs.
This is a true story. It actually did happen.
Wouldn’t you be kicking yourself for not getting a more accurate picture of your risk profile and the level of insurance cover you needed? The new partnership between AIG Malaysia Insurance Berhad (AIG) and Dimension Data Malaysia Sdn Bhd aims to do just that.
Dimension Data will use its cyber security expertise to assess the risk level of an organisation’s IT systems. With this assessment, organisations will be able to work with AIG to tailor AIG’s CyberEdge insurance to meet their needs.
But are cyber threats a reality or just a bogeyman used to scare IT managers? According to CyberSecurity Malaysia it is a serious problem. In 2015 there were 5069 instances of ransomeware attacks in Malaysia and the country ranks sixth in the Asia Pacific region for social media scams. “Roughly CyberSecurity Malaysia gets about 1000 cases reported a month. The bulk of these cases are fraud,” said a representative from CyberSecurity Malaysia. He believes that an equal number of cases go unreported every month.
Data leakage is a serious problem as well because a lot of people don’t understand the issue. They think because there is no loss of data it is a minor issue, but as in the example above, the repercussions are much wider, he added.
The message from both CyberSecurity Malaysia and Dimension Data was that cyber attacks are happening all the time. There might already be malware sitting on your computer. Cyber criminals are watching and waiting for the right time to exploit this weakness.
They might wait until a seasonal holiday when everyone in the department goes off for a week or two holidays and when they return, find they have been breached, said Guido Crucq, Dimension Data Asia Pacific’s general manager of security and solutions business units.
“Attackers always have the advantage as they only have to get it right once. Whereas defenders always need to be on top of their game” added Crucq.
Cyber security is a hot topic and it’s crucial for companies to get it right. Dimension Data sees an increase in threat and there is also a huge shortage of skills. Companies need to do things smarter, he stated further.
“You get insurance to ensure business continuity for your company… risk management and risk mitigation should be part of every company’s DNA,” he added.
Crucq also spent some time discussing the threat landscape. He said this ranged from kids to organised crime syndicates with a huge amount of resources to look for weaknesses to exploit.
“We are seeing a huge increase in the professionalism of cyber criminals and the tools they employ. There are commercial software packages that they can use and a support service that they can call for help when their malware doesn’t work,” said Crucq.
And the main driving factor behind all these efforts – the huge amount of money to be made by cyber criminals extorting money in return for restoring data or preventing a disruption of network services which can be devastating for an online business.
Jason Kelly, head of liabilities and financial lines for Greater China and Australasia, AIG Asia Pacific, said that their cyber insurance product fell within the financial lines claims section and in 2015 there were 60000 financial lines claims that paid US$3.8 billion worldwide.
He believes the cyber insurance market is growing at about 25 percent annually and their projections place it to increase to US$20 billion by the year 2020.
Another development on the cyber security scene that companies need to take note off, is the increase in the number of countries introducing data privacy laws since 2012. Some of these laws put the onus of securing systems directly on the company’s individuals and can even involve prison terms for individuals within the company.
“If you think I don’t need cyber insurance, I’m not worried about financial penalties, I’m not worried about reputational damage, it can become very personal … most people don’t want to go to jail when they have a breach,” said Kelly.
Singapore is one of the countries where the possibility of going to prison in such an instance is a reality.
One of the things people don’t talk about are disgruntled employees stealing data. “When people are made redundant or get fired, they can be relatively unhappy and it’s not too difficult for them to steal data,” said Kelly.
Companies need to be aware that attacks may come from the inside and have appropriate procedures in place to guard against disgruntled employees.
When asked to rate Malaysian companies and their cyber security arrangements the consensus seems to be that there is room for improvement.
“Generally, I think the IT knowledge of the average Malaysian e-commerce provider is fair. Before going live they alway do their assessment and threat test. There is room for improvement,” said the representative from CyberSecurity Malaysia.
Crucq agreed that when compared to their peers globally, Malaysian companies need to do more to protect themselves.
The partnership which brings together the cyber security capabilities of Dimension Data and AIG’s CyberEdge, to meet the needs of organisations looking for a risk management solution, is said to be the first of its kind in Malaysia. The joint effort is in response to requests from clients for a more comprehensive risk management approach.
By Saunthra T