Cyber Evolution

Despite some discussion of a disconnect between how much of a threat cyber risk is (as portrayed in the media) and how high it is ranked by organizations (measured by actions taken), talk of cyber risk/security/attacks abounds.

The issue received yet another unwelcome reboot here at home with allegations in July that Chinese hackers had infiltrated the IT network of the National Research Council of Canada (NRC), the very council now working with others to develop a photonics-based, quantum-enhanced computer encryption system that would make such infiltrations a no-go.

“The emerging field of quantum communication promises unhackable, secure communication that can be applied to protect our digital infrastructure,” notes information on NRC’s website. For the time being, NRC computers will remain isolated from the rest of the federal government systems.

A study issued last year by the International Cyber Security Protection Alliance shows that 69% of surveyed Canadian businesses reported experiencing an attack in a 12-month period.

Another recent survey, this one released by ForeScout Technologies Inc., indicates 96% of the responding organizations, spanning five industries in the United States and Europe, had a significant IT security incident in the past year.

The majority of IT organizations are aware that some of their security measures are immature or ineffective, ForeScout Technologies notes, but only 33% are very confident in the likelihood that their organizations will improve less mature security controls.

The lack of confidence is hardly heartening. The Insurance Information Institute (III) in the United States reports there were 614 publicly disclosed data breaches in the U.S. last year compared to 449 in 2012, 419 in 2011 and 662 in 2010.

Cyber risk is a concern that has received notice from regulators and legislators both north and south of the border. In the paper, Plans and Priorities for 2013-2016, the Office of the Superintendent of Financial Institutions (OSFI) has listed cyber risk as one of its top priorities, notes a recent bulletin from Clyde & Co.

OSFI has made clear that the regulator expects senior management of all federally regulated financial institutions (FRFIs) to review cyber risk management policies to ensure they remain effective in light of changing circumstances and risk, writes Shani Briffa, an associate with Clyde & Co. As well, Briffa adds, “OSFI appears committed to providing the guidance and oversight required to encourage FRFIs to use (its) template to develop and maintain effective cyber security practices.”

As for the U.S. House of Representatives, it has passed the National Cybersecurity and Critical Infrastructure Protection Act of 2013, which includes provisions to strengthen public and private information-sharing, a move that could incentivize behaviour to deal with the increase in cyber attacks.

That is all encouraging, but not everything is in the wake of attacks that have put a decidedly fine point on how close to home (and business) cyber attacks can come.

“Despite the fact that cyber risks and cyber security are widely acknowledged to be a serious threat, many companies today still do not purchase cyber risk insurance,” notes the III, although that appears to be changing.

“As the standalone market for cyber insurance grows and as existing covers expand to encompass cyber exposures, we will see more and more claims come into the market,” notes a white paper from Crawford & Company.

There is also some encouragement in statistics from Munich Re. Responses from more than 100 risk managers at this year’s RIMS annual conference in Denver shows that 77% reported they plan to have some level of coverage in the next 12 months. As well, 42% said they plan to increase their level of cyber insurance or buy coverage for the first time.

Risk managers “understand that having financial protection is an important component of managing this increasing risk,” Gerry Finley, a senior vice president at Munich Re America, said at the time.