Report reveals 7 aggregations of cyber risk

Report reveals 7 aggregations of cyber risk | Insurance Business America

Cyber security is now a buzzword so commonplace, many businesses may be increasingly deaf to its message. However, a new report from Zurich Insurance Group and the Atlantic Council sheds light on how data breaches may affect much more than the immediate concerns of the compromised information.

In a presentation at the RIMS 2014 annual conference, report author Jason Healey and CEO of Zurich Global Corporate North America Dan Riordan highlighted the aims of and findings from the partnership’s year-long study.

“To help protect the integrity and reliability of cyberspace and the bottom line for businesses and governments, the private sector and civil society must work closely together,” Riordan said. “We need a clear plan of what to do in the case of an event, both at the individual company level and also holistically, and hopefully this report becomes a catalyst for developing such a plan.”

Healey pointed out that the advent of Heartbleed only underlines the importance of companies shifting from a “protection” mindset to a “resilience” mindset, which highlights the “cyberization” of risks—including those outside of the immediate organization.
 

The report identifies seven of these so-called “aggregations” of risk related to the interconnectivity of different technologies in business. They are:

1. Internal IT enterprise
Description: Risk associated with the cumulative set of an organization’s (mostly internal) IT
Examples: hardware; software; servers; and related people and processes

2. Counterparties and partners
Description: Risk from dependence on, or direct interconnection (usually non-contractual) with an outside organization
Examples: University research partnerships; relationship between competing/cooperating banks; corporate joint ventures; industry associations

3. Outsourced and contract
Description: Risk usually from a contractual relationship with external suppliers of services such as HR, legal, or IT and cloud providers
Examples: IT and cloud providers; HR, legal, accounting, and consultancy; contract manufacturing

4. Supply chain
Description: Both risks to supply chains for the IT sector and cyber risks to traditional supply chains and logistics
Examples: Exposure to a single country; counterfeit or tampered products; risks of disrupted supply chain

5. Disruptive technologies
Description: Risks from unseen effects of or disruptions either to or from new technologies, either those already existing but poorly understood, or those due soon
Examples: Internet of things; smart grid; embedded medical devices; driverless cars; the largely automatic digital economy

6. Upstream infrastructure
Description: Risks from disruptions to infrastructure relied on by economies and societies, especially electricity, financial systems, and telecommunications
Examples: Internet infrastructure like internet exchange points and submarine cables; some key companies and protocols used to run the internet (BGP and Domain Name System); internet governance

7. External shocks
Description: Risks from incidents outside the system, outside of the control of most organizations and likely to cascade
Examples: Major international conflicts; malware pandemic

Zurich officials reminded listeners that cyber liability insurance is only one piece of an organization’s solution, and as de-facto risk managers, agents and brokers should be prepared to take a holistic look at a company’s cyber security—something that may involve hiring outside experts.
