Risk Managers Worried Over Cyber Attacks — CEOs, Not So Much
Risk managers foresee a new frontrunner in the field of emerging risks that could produce the greatest impact on business in the years ahead. The findings come by way of an annual survey that was released last week from the Society of Actuaries.
In the survey, risk of cyber attacks were on par with rapidly changing regulations as increasing concerns to risk managers all over the world. In fact, the SOA believes they may be gradually replacing the risk of oil price shock and other economic concerns that were of primary importance in 2008.
“Some 47 percent of risk managers saw cyber security as a significant emerging risk in 2013, up seven points from 40 percent in 2012,” the Insurance Information Institution (I.I.I.) reported, adding that the SOA believes “this perceived risk predates recent cyber security events (read: the December 2013 Target breach) that have opened up new corporate data security vulnerabilities.”
No One Is Safe
In addition to the Target breach mentioned above, Neiman Marcus was also hit by a cyber attack around the same time. In a formal statement, the Dallas-based company said its credit card processor had disclosed “potentially unauthorized payment card activity” following customer purchases at Neiman Marcus Group stores, D Magazine reported.
On January 1, Neiman spokeswoman Ginger Reeder wrote that the company was working with the US Secret Service, a forensics firm and others to investigate, and that the forensics firm discovered evidence of a “criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.”
Problems like these are not solely targeted at businesses either. In fact, no entity is really safe. Take, for instance, the attack on the University of Maryland, which occurred earlier this month, or the March 16 hit on NATO websites or the St. Patrick’s Day attack on the Kremlin.
Some unestablished rumors have even linked the disappearance of Malaysian flight MH370 to a possible “cyber hijack.”
This is our new reality, but according to Matthew E. Yarbrough, president and managing partner of the Dallas-based Yarbrough Law Group, CEOs aren’t taking the issue seriously enough.
“I’m still amazed by how many CEOs treat this as a server or IT issue, instead of a boardroom issue,” he said. “CEOs need to be out in front … and ahead of the game. It’s a crisis-management issue at the highest levels.”
Yarbrough, a former assistant US attorney now works with companies on cyber-crime issues. He notes that businesses in particular are vulnerable to debit-card PIN number attacks, stating that cyber criminals “dispatch ‘mules’ with these PINs to withdraw money from ATMs in small amounts.”
To reduce their exposure, Yarbrough said, companies should “implement comprehensive strategic plans to address issues including potential theft and compromise.”
As for cyber insurance, it’s gone from being a secondhand add-on to “an automatic purchase,” notes Dave Navetta, founding partner of the InfoLawGroup in comments to Fox News.
The numbers definitely support this statement. With the Ponemon Institute estimating $5.4 million in costs per data breach in 2013 — a 26 percent increase from 2012 — the instances of attack and lack of preparedness are as alarming as they are costly.
However, warns Jim Halpert, co-chair of DLA Piper’s global privacy practice, cyber insurance is only part of an effective strategy to combat cyber threats.
Echoing Yarbrough’s statements, Halpert said, “You can’t just insure away all risks in this space.”
Cyber insurance is a necessity for all businesses, large and small alike, but as the experts have indicated, it’s only one tool for businesses in facing a multi-pronged threat. While this sector of the industry will continue to grow, it’s important for buyers to realize that minimizing risk and fully protecting their businesses involves taking preventive measures, and committing to customer privacy and data security across the whole of the company. It’s not something an IT department or an insurance company can do alone. It is, without question, a team effort.