Managing Cyber Risk in the Financial Sector: new book edited by Ruth Taplin urges wide-ranging response to crime that costs businesses $500bn a year
By James Brewer
As Professor Ruth Taplin flatly states in her introductory chapter to the new book she has edited, the question of cyber risk and threat “is all around us!”
In the midst of compiling her book about this very topic, Prof Taplin was – like so many of us have been – the target of a phishing scam that bombarded her computer with bogus emails.
By today’s parameters that was a minor attack, but it was a reminder of how vulnerable both the individual and the corporation are to disruption and theft that in some cases cause harm to the tune of millions of dollars and wreck business reputations.
Hers is not the first extended analysis of this devastating 21st century plague, but its scope is truly ambitious and a tribute to her multi-disciplinary approach and her access to international expertise. She takes what might be called a wide-screen view of the subject – and a very smart one.
Business and finance clearly underestimated at the outset the dangers of mass digitisation, and many still do. Cyber attacks cost businesses of all kinds as much as $400bn a year, said Inga Beale, chief executive of Lloyd’s, in January 2015; more recently a report from Bank of America Merrill Lynch put the figure at $500bn in the private sector alone. Threat-prevention company FireEye contends that only 31% of organisations are able to discover breaches using their own cyber resource. It is small wonder that provision of security products such as firewalls and detection tools is a massive and expanding discipline: global spending on cyber security was expected to be nearly $77bn in 2015, according to Gartner.
Refining the costs is a particular headache. Prof Taplin has long been an advocate of devising clearer means of valuing intellectual property: companies tend to under-estimate the value of their intangible assets and overestimate the coverage of their insurance policies. The lack of take-up of intellectual property insurance is remarkable, she maintains.
In 2014 the insurance industry globally collected $2.5bn in premiums – mainly from US firms – against cyber attack. Judge that, for instance, in comparison to that year’s global marine premium, which in a weak market was close to $33bn. That surely indicates that the cyber premium figure has a good deal of room to grow.
Setting the scene in Managing Cyber Risk in the Financial Sector: Lessons from Asia, Europe and the USA Prof Taplin underlines that until recently the volume of threats, attacks and pilfering of information has been largely under-reported. Among reasons for the cover-up is that executives are worried about scaring customers away, potential legal action and upsetting regulators – although silence only makes things worse in the end.
Prof Taplin is director of the Centre for Japanese and East Asian Studies, which means she is in an ideal position to address this subject from the regional as well as international perspective. China, Japan and South Korea have enormous, globally-entwined economies – and in addition to being targets they harbour thriving communities of hackers. Of course the US has suffered widespread hacking in banking, retail, and medical data. Almost all governments put much secret effort too into monitoring and sometimes disrupting information processed by both national and commercial enemies and allies.
Ruth Taplin wisely avers that managing the risk in an all-encompassing manner is central, as many of the technologically based ‘solutions’ are inadequate to deal with proliferating permutations of attacks. Alongside legal and other procedures must sit insurance and an in-house watch for disgruntled or revenge-bound current and former employees.
In his foreword, Kuni Miyake of the Foreign Policy Institute, Tokyo, shines a light on a little-advertised fact: that insurance companies often hold even more personal data than do banks. Insurance entities may even be unaware of all the data they hold, although some hackers seem to be keen to get at it. Last year in Japan, says Mr Miyake, there were more than 25bn cyber attacks on Japanese institutions across the board, and at least 40% emanated from China, while others were set off by people in North and South Korea, Russia and the US. At the same time, China and the US suffer large amounts of internal attacks.
The San Diego-based non-profit Identity Theft Resource Center has said that the number of data breaches tracked in organisations in the US in 2015 totalled 781, according to a recent report sponsored by IDT911, a provider of data breach defence services. This might not sound a lot, but it represents the second highest year on record since the Center began tracking breaches in 2005.
While the overwhelming motive for data breaches remained financial gain, said the Center, “we saw a shift in new motives for obtaining sensitive and private personal data… This compromised data can now be used to compel behaviour changes in breached individuals and groups. This data is also being used for social justice purposes, and even to embarrass our nation.”
As of mid-February 2016, the Center – which monitors incidents daily – had since the beginning of the year become aware of 83 breaches potentially exposing 1.6m records.
In close-up, to take just one industry – shipping – cyber risk has become a major topic on the agenda of organisations including the International Union of Marine Insurance, the BIMCO shipowners’ body and the International Association of Classification Societies.
Prof Taplin says that maritime industries, which are increasingly becoming digitally connected like the internet of things in the home, are becoming the next target of hackers.
After the overview, the six experts commissioned to write for the book quickly get down to the granular detail of the ‘who, why and how’ of nefarious cyber activity, while IT outages can do just as much damage.
Stating that cyber crime is complex and that the literature on it is theoretically underdeveloped, Monica Lagazio, a partner at Trilateral Research & Consulting, undertakes a detailed study of its approaches and taxonomy. She opens her chapter by making the point that cyber crime operates at the scale of and with the sophistication of a global industry. The activities of modern cyber criminals often appear to have clear business objectives, she warns.
Cint Kortmann, an entrepreneur and consultant, tackles the question of big data, the phenomenon which is aimed fundamentally at boosting productivity, enhancing decision-making, understanding human behaviour – and providing information to help fight cyber crime. Some say that data is the new oil (although look what happened to oil), and the fact remains that some of the biggest shares on the stock market – Google, Facebook, Apple, Twitter, Alibaba, Amazon – are centred on data-based operation. Mr Kortmann presents valuable case studies of how data analytics can work to the advantage of businesses.
Motohiro Tsuchiya takes a look at the cyber security of financial sectors in Japan, South Korea and China. Prof Tsuchiya, of Keio University, Tokyo, drew up a cyber security strategy for the Japanese government. He suggests that the main reason why east Asia is one of the most active cyber battlegrounds is that it is the most dynamically developing area of the internet, and goes on to examine some shocking and disgraceful attacks, such as the malignant files sent in emails to Japanese government officials during the widespread panic about radiation levels following the March 2011 earthquake and tsunamis.
Marcin Czech, a Warsaw professor and public health specialist, draws attention to the fact that medical records are full of our most sensitive personal details – not just medical history, but insurance records, social security numbers, home addresses, family details, credit card information and so on. This makes them a very attractive quarry for hackers, and cyber attacks on healthcare providers are escalating. It comes at a time when telemedicine is one of the fastest growing domains in healthcare. Prof Czech goes on to address many implications of the big data era for health records security.
Malgorzata Skorzewska-Amberg, head of legal informatics at Kozminski University, Warsaw, focuses in great detail on how Poland is confronting the innovative tools and methods of extortion and theft threatening its financial sector. The immense amount of work being done in that country in battling malware and in relation to protection of property, identity theft and manipulating electronic documents calls for close study by other countries in the EU, and beyond. In what will be of help to all concerned with applying legal systems to this (mine-) field, Ms Skorzewska-Amberg looks at how the Polish Penal Code deals with the offences of changing, modifying or interfering with data processing.
Insurance practitioners have much to address in the area – AM Best’s Review Cyber Sabotage reported in 2015 that insurers were struggling to bridge the gap between cyber and property coverages. During the Risk Management Solutions Cyber Risk Seminar in New York, Andrew Coburn, senior vice president at RMS, said cyber risk poses accumulation risks – unforeseen amassing of liability being a current bugbear throughout the sector.
Following a client survey, Allianz Global Corporate & Specialty cyber insurance expert Jens Krickhahn was quoted as saying that companies are increasingly concerned about the growing sophistication of cyber attacks. “Attacks by hackers are becoming more target-oriented, lasting for longer and can trigger a continuous penetration. Studies show that it takes, on average, 90 days for businesses to discover they have been hacked. Often the incident is identified, not by the business itself, but by the customer or another stakeholder, which is another reason why cyber risks pose a huge threat to a company’s reputation.”
Prof Taplin and her collaborators have combined to produce a terrific backgrounder for everyone dealing with this inescapable challenge to individual and corporate daily activity and their rights, and to all in financial and insurance markets.
So fast-moving are developments that she has been obliged to write a postscript alluding among other things to the latest potentially billion-dollar dilemma going to the root of privacy rights: the defiance by Apple, morally supported by other tech giants, of FBI requests for access to information on an iPhone used by a man shot dead by police after going on a killing spree in California.
She will address the subject of cyber risk in the financial sector on March 14 2016 at one of the informative London market briefings organised by the International Underwriting Association.
Declaration of interest: Prof Taplin kindly acknowledges in her book a degree of assistance provided by the author of this review for her first chapter.
Managing Cyber Risk in the Financial Sector: Lessons from Asia, Europe and the USA. Order information is at www.routledge.com