Businesses woefully under-prepared for holiday period cyber attacks

The stats show cyber threats are both common and commonly ignored. At least one major insurance player is doing something about it.

By James Middleton

Barely a day goes by without cyber security making the headlines, and as the victims get bigger so does the scale of the problem. With the US about to move into prime shopping season, criminals are also preparing to fill their carts.
 
A survey released by Columbus-based small business insurer Nationwide Property & Casualty on Tuesday revealed that almost eight out of ten small businesses do not have a cyber-attack response plan in place. This is despite 63% of them being victims of cyber attacks.
 
Of the 79% that do not have a cyber-attack response plan, 46% said that they felt their systems were secure enough to prevent such an attack and 0% said they did not think they would be targeted.
 
That said, 63% did acknowledge that an attack had already taken place, with 16% reporting being victims of hacking and 11% reporting a data breach. A similar number said criminals had accessed customer information and company information.
 
“The holiday shopping season kicks into high gear this month, with Thanksgiving, Black Friday and Small Business Saturday,” said Mark Berven, president and chief operating officer of Nationwide Property & Casualty. “But unfortunately, this is also the time of year when many cyber criminals target shoppers and businesses.”
 
With JPMorgan Chase & Co becoming the latest high-profile victim alongside the likes of Target and Ashley Madison, the insurance industry is being forced to take notice.
 
At the IA15 conference taking place in London, UK this week, Robert Hannigan, director of UK spy agency GCHQ, warned delegates that standards are not yet as high as they need to be. “The global cyber security market is not developing as it needs to: demand is patchy and it is not yet generating supply,” he said.
 
UK market Lloyd's is leading the charge. On Tuesday the marketplace unveiled a nascent Oversight Framework for Cyber-Attack Exposure Monitoring, saying it is essential that its syndicates’ cyber-attack exposures are clearly understood and recorded so that Lloyd's can properly consider the market’s accumulation-risk.
 
Lloyd’s requires syndicates to have a specific risk-appetite for cyber attack across all classes of business, signed off by their boards, for all policies in force from 31 December 2015.
 
In acknowledging the size of the task ahead, Lloyd’s did say that the diversity of the threat means that no one cyber-attack scenario would meaningfully reflect aggregate exposures across the market at present.
 
“There are different types of cyber-attack, which could cause different types of harm: denial of service, data-theft, data-damage, reputational harm, physical damage etc. The economic damage for each type may differ, with consequences including direct financial loss, bodily injury or property damage.
 
“Lloyd’s believes that it is premature to create fully-defined scenarios, similar to the property catastrophe RDSs [realistic disaster scenarios], with specified insured losses and types of exposure. Understanding of potential accumulation risk from cyber-attack, particularly for lines of business that do not explicitly address cyber-attack coverage, is at a much earlier stage,” the organization said.
 
In July, Lloyd's published a research report estimating the economic and insurance impacts of a severe, yet plausible, cyber attack against the US power grid. The key findings were that, in this scenario, attackers inflict physical damage on 50 generators that supply power to the electrical grid in the Northeastern USA, including New York City and Washington DC, triggering a wider blackout that leaves 93 million people without power.
 
The total impact to the US economy is estimated at US$243 billion, rising to more than US$1 trillion in the most extreme version of the scenario, with insurance claims arising in over 30 lines of insurance and total insured losses of US$21.4 billion, rising to US$71.1 billion in the most extreme version of the scenario.

