Two recent comprehensive studies by Verizon (focusing on a review of the breaches during 2011 and their causes) and PwC (focusing on businesses’ management perception of cyber security) demonstrate some interesting trends which have implications for the cyber insurance market.
The Verizon report found that a total of 174 million records were compromised in 2011 in 855 incidents.
The main threats were identified as keyloggers, backdoors, tampering, pretexting, phishing, brute force and SQL injection. External agents are responsible for the majority (98%) of deliberate breaches, most of which arise from hacking and malware. In addition, whilst the activities of hacktivists remain high profile (see below), the vast majority of breaches still result from the activities of those motivated by private gain (97%).
Even amongst large sophisticated organisations many of the breaches are relatively straightforward and result from exploitation of default, guessable or insufficient credentials (in 61% of cases), stolen login credentials (40%), brute force and ‘dictionary’ attacks (29%) and exploitation of ‘backdoors’ (25%). Interestingly it transpires that many of the breaches were not identified immediately, 85% took a week or more to identify and in many cases the breach was drawn to the victim’s attention by third parties, rather than the victim.
The PwC report identifies increasing concern regarding the implications of cloud computing and the data security risks posed by business partners. In fact the figures show that cloud computing is likely to improve security for many, although concerns about lack of transparency regarding security policies remain. Similarly, breaches arising from the activities of counterparties account for less than 1% of the total.
Big is beautiful…
Both reports conclude that the vast majority of breaches relate to small companies (i.e. those with 10-100 employees). Verizon found that 85% of breaches originated from small companies.
Often those companies are not in the technology sector. The most susceptible have been the hotel and restaurant industries (which accounted for 54% of all breaches), where relatively unsophisticated companies hold significant amounts of personal data. Problems reported can be as simple as a failure to change the default password on wireless point of sale handsets or a failure to implement a firewall. Verizon reported that 97% of breaches were avoidable through simple or intermediate controls.
The risk management message appears to be that, predominantly due to lack of awareness, small companies are failing to take low cost, and often rudimentary, steps to protect themselves and their customers.
The figures look somewhat different if one focuses on the volume of data lost. Here the clear message is that large sophisticated organisations still account for the majority of breaches. In particular the cause du jour, the so-called hacktivists, whilst accounting for a small minority of breaches (3% overall according to Verizon), were the single largest cause of compromised records (58% or 48,720,000 records). Amongst larger companies, financial and insurance businesses accounted for a disproportionately high number of breaches (10% of breaches accounting for 40% of lost records).
As one might expect, large high profile companies are disproportionately affected by hacktivists’ activities (25% of all incidents) and “crackers”, i.e. those without political motivation who breach security just to show that it can be done (23%). In the meantime the amount of damage done by “traditional” cyber security threats (criminals, disgruntled employees, industrial espionage and “fat finger” errors) has remained relatively static.
A theme developed by the PwC report is that the amount of funding devoted to cyber security has fallen or remained static since about 2008 due to the current economic climate. As a result PwC highlights a “crisis in leadership” which is leading even large and sophisticated companies to fall behind in the cyber security arms race. As well as the high end “hacktivists”, mainstream cyber criminals continue to automate and develop their models of high-volume, low-risk attacks against weak targets. Those businesses that are investing heavily are often doing so as a result of client requirements rather than because they perceive that there is a significant threat. Nevertheless 43% of businesses consider themselves “front runners”, suggesting a degree of complacency.
The message in this case seems to be that there is no room for complacency even amongst the largest and most sophisticated organisations. The nature of many of the breaches also shows that much more could be done by simply implementing and enforcing adequate internal controls.
The reports point to a number of common trends which have cyber insurance implications:
- Education – lack of awareness of cyber security threats remains a major problem, particularly amongst smaller organisations. The paradox is that the implications for these organisations in terms of reputational damage and liability are severe and in some cases can threaten their very survival. This illustrates the importance of educating insureds regarding good cyber security practice and the importance of insurance in addressing potential liabilities.
- Underinvestment – the PwC report highlights concerns regarding the gradual erosion of cyber security capability due to sustained underinvestment over the 2008-11 period. As well as creating a concern that this may lead to an uptick in incidents, this may give rise to coverage implications if it emerges that incidents are the direct result of budget-driven corner cutting.
- Counterparty risk and Cloud Computing – although counterparty risk only results in a tiny minority of claims, and (to our knowledge) cloud computing is yet to result in any claim activity at all, there is clearly a perception amongst insureds that these are problem areas and it is possible that these issues will drive demand for additional cover.