
Managing Escalating Cyber Risks in Australia · IDC InfoBrief: Managing Escalating Cyber Risks in...

Date post: 19-Feb-2019
Upload: trandieu
Managing Escalating Cyber Risks in Australia THE BIGGER ROLE OF CYBER INSURANCE IDC InfoBrief JANUARY 2018 Sponsored by

Managing Escalating Cyber Risks in Australia

THE BIGGER ROLE OF CYBER INSURANCE

IDC InfoBrief
JANUARY 2018

Sponsored by


60% of Australian businesses detect a security breach every month [1]

2016-2017 saw a 15% increase in the number of cyber crimes reported [2]

80% of Australian organisations have no structure in place to deal with evolving data governance regulations [5]

82% of Australians surveyed cite “trust” as more important than “convenience” in digital interactions [6]

Customer churn is a clear and real risk as more than 50% of Australians would terminate their relationship with service providers after a fraudulent incident [7]

60% of Australian businesses believe senior leadership support is the most important factor for mitigating cyber risks [8]

More than 25% of CISOs regularly update their board of directors [9]

Cyber Risk in Australia: Why It is Time for an Effective Response

Source:
1. Telstra Cyber Security Report 2017, Online scams and fraud accounted for more than 50%
2. 2017 Threat Report, Australian Cyber Security Centre (ACSC)
3. Telstra Cyber Security Report 2017
4. Lloyd of London estimates, 2017
5. AON Cyber Insights Report 2016 Australia, Privacy Amendment Bill of 2016 introduced more stringent guidelines for companies, including notification of material breaches
6. IDC Trust Survey, 2017
7. IDC Research & Survey, 2017
8. 2016 Cyber Security Survey, Australian Cyber Security Centre (ACSC)
9. IDC C-suite Barometer Survey

Cyber threats show no signs of abating. It is no longer a question of whether a business will confront a cyber incident but when. Businesses are implementing various technologies to address their security vulnerabilities, but only a small number have transferred the risk to a third party. Only 10% of major Australian businesses have cyber insurance coverage compared to 70% of large businesses in the United States, according to Aon Research.

In this IDC InfoBrief, we explore cyber insurance as part of an organisation’s fight against cyber risks and how DXC Technology can help businesses and insurance companies alike respond to this business-critical issue.

1/3 of Australian companies admit to a business-impacting cyber incident in 2016 [3]

Australia faces economic losses from cyber attacks of no less than A$16 B in the next decade [4]


The True Cost of Cyber Threats

The average cost incurred by an Australian business from cyber crime is estimated to be A$6 million. This can increase by up to 10 times depending on the size of business operations and the severity of the cyber incident. [1]

Source: 1-4: IDC research and estimates. Other references: APRA, ACSC, Smart Online

TYPICAL COSTS INCURRED

THE INTANGIBLES (HIDDEN COSTS)
• Reputational loss
• Intellectual property loss
• Diminished customer relationship

FIRST-PARTY LOSSES (DIRECT COSTS)
• Incident response cost
• Detection and recovery cost: 40-60% of direct cost
• Fines, penalties, compliance cost

AFTERMATH (POST-INCIDENT COSTS)
• Litigation cost
• Restoration service cost
• Cost to reacquire lost customers
• Cost to put in additional prevention and detection measures
• Expenditure in security tools and technologies

85-90% accounted for by hidden and post-incident costs [3]

KEY MULTIPLIERS
Factors that increase actual costs [4]

COMPLEXITY OF RESOLUTION
• If the incident is severe, resolution time increases, affecting cost and effort
• Average time, effort, and resources needed to resolve incidents depend on attack type, and can vary from as short as a few hours to a few months or even longer

SIZE OF BUSINESS
• Attack surface (points of vulnerability) is wider for larger firms
• Bad actors have extra motivation to attack large organisations. The probability of a cyber attack is 2x higher for larger and more regulated businesses
• Nature of business, profile in the market, systemic importance mean more negative publicity

ORGANISATIONAL PREPAREDNESS
• Without a cyber incident response plan, there will typically be unanticipated costs in the protection of an organisation’s assets

THE BIG IMPACT
Major impact of cyber crime on businesses [2]

INFORMATION LOSS: Impact is usually highest; contributes to 25-40% of total losses

BUSINESS DISRUPTION: Downtime in operations; contributes to 30-35% of total losses

LOSS OF REVENUE: Accounts for 20-30% of total losses (excludes opportunity loss)


The Life of a Cyber Incident

AN ORGANISATION’S BEST RESPONSE STARTS WAY BEFORE, AND ENDS AFTER, THE INCIDENT ITSELF

Source: 2016 Cyber Security Survey, Australian Cyber Security Centre (ACSC), Telstra Cyber Security Report 2017

THE GOAL

PRE-CYBER INCIDENT | DURING CYBER INCIDENT | POST-CYBER INCIDENT

ASSESS: A comprehensive, documented IT risk assessment program, including setting up of cyber security controls and processes.

PREVENT: Proactive security measures like access controls and patch management are critical. If prevention is not possible, the next best measure is to detect the attack. And only when it cannot be detected—and the damage is material—should one make the incident known.

DETECT: Real-time detection of an anomaly and determination that it is a legitimate cyber incident.

INCIDENT RESPONSE & SUPPORT: A comprehensive and effective corporate incident response to stop the cause of the incident, and to quickly restore services.

INVESTIGATE & RECOVER: An efficient process for investigation and forensic support, including immediate notification to the insurer, claims lodging and triage as well as claims assessment and settlement.

SETTLE COSTS: The focus should be on providing financial compensation to allow cash flow for business to operate.

AUSTRALIA’S READINESS INDEX

• Less than 33% of Australian businesses have engaged in formal monitoring of security capabilities against industry standards.

• 50% of SME businesses do not expand their digital footprint to reduce cyber risks.

• Less than 50% of businesses engage in routine audits of their security system.

• More than 60% of businesses have neither adopted data loss prevention technologies nor established security operations centres.

• 51% have had to be alerted of breaches by third-parties.

• Less than one-third of Australian businesses have an incident response plan to address cyber incidents.

• 56% have fallen short of resources to address consequences of a major incident.

• 1/2 of Australian companies who face business-impacting cyber incidents are likely to face another incident in the next 6 months.

• Without recovery plans, 33% of Australian SME organisations that paid the ransom in a ransomware incident could not recover files.

ASSESS | PREVENT | DETECT | INCIDENT RESPONSE & SUPPORT | INVESTIGATE & RECOVER | SETTLE COSTS


Source: IDC research and estimates

The Best Response is a Complete Response

CYBER INSURANCE IS PART OF THE BEST RESPONSE

• Invest in security capabilities and related tools for Assessment, Prevention and Detection.

• Purchase a cyber insurance protection policy.

• Focus to contain, eradicate the risks, and restore business services.

• Cyber insurance protection will minimise incurred costs and losses to businesses.

• Launch an incident response plan.

• Notify the insurance company.

ASSESS: Increase your commitment towards information security. Involvement of senior leadership. Purchase cyber insurance for risk management, ensure adequate coverage of total risks.

PREVENT: Improve the overall defence programme on the total attack surface, such as improving monitoring capabilities in endpoint protection and conducting vendors’ security assessments.

DETECT: Set up continuous monitoring of assets and real-time detection capabilities: Adoption of next-gen emerging technologies (machine learning, advanced analytics) for improved vulnerability assessments and network intrusion detection.

INCIDENT RESPONSE & SUPPORT: Improve accessibility and leverage on expert teams for risk containment. Report the incident to the cyber insurance company. A rigorous approach will limit the effect of an incident breach, help to establish credibility, and reduce the severity of impact.

INVESTIGATE & RECOVER: Aim to minimise post-incident expenses: An efficient cyber insurance policy aims to cover costs for forensic investigations, legal advice and specific assistance services.

SETTLE COSTS: A good cyber security insurance solution will cover first-party losses and direct costs. Extended protection likely to cover third-party liabilities, regulatory fines, and cyber extortion fees, as well as provide support for recovery and business restoration costs.

KEY BENEFIT

Estimations on costs savings do not include impact of additional investments made in technology, staff, and insurance costs. Cost savings are subjected to change based on several factors, e.g.: maturity of incident response plan, severity of the cyber attack and the causes of loss, breadth of risk coverage purchased for insurable protection and others

This refers to savings on costs that can be achieved on average by Australian businesses on deployment of a robust and effective incident response plan with adequate cyber insurance protection. A comprehensive identification and assessment of risk exposure will drive lower cost of recovery, legal fees and investigation services, thanks to cyber insurance.

“Cyber insurance should be more than just protection from liabilities but a protection against all true losses in managing and recovering from cyber incidents.”

Michael Araneta, Associate Vice President, IDC Financial Insights Asia/Pacific

KEY ACTIONS FOR CONTINUOUS REVIEW

PRE-CYBER INCIDENT | DURING CYBER INCIDENT | POST-CYBER INCIDENT


Cyber Insurance Primed for an Upsurge

Source:
1. IDC Research & estimates; IDC Research & Survey, 2017
2. Australian Cybersecurity skills shortage study 2016, Australian Information Security Association

TOP INDUSTRIES
Expected to lead take-up of cyber insurance in 2018 and 2019

IT services, Energy, Communications, Retail, Health, Education

***Still strong growth expected in industries like financial services, but growth will come from a higher base. Higher than average growth in industries like manufacturing, transport and logistics expected in 2018.

6 CHALLENGES TO INSURERS IN AUSTRALIA

Lack of historical data on cyber risks leads to inadequacy in risk mapping, and therefore low coverage.

Poor assessment of actual threat makes it difficult to quantify aggregated risk volumes.

Diverse methodologies adopted by insurers; customers’ confusion due to lack of clarity leads them to underinsurance.

Nearly 80% of Australian security decision makers believe that there is a shortage of qualified cyber security workers. [2]

In-house skills shortage leads to narrowly scoped insurance policies with only identifiable losses covered.

Commoditisation undermines the utility of cyber protection.

INCREASED COVERAGE
Coverage will increase as businesses fully realise the extent of risks in their increasingly digital businesses.

RESOLVE BUSINESS CHALLENGES
A comprehensive cyber insurance solution will help resolve key challenges of the business: inadequate insurance coverage and low maturity in cyber incident management.

GROWTH OF CYBER INSURANCE
2015-2020 CAGR [1]: Australia 45%, Worldwide 32%


DXC delivers a comprehensive set of security and risk management solutions and services to help customers secure their digital transformation, accelerate new opportunities and create competitive advantage. With dedicated security professionals and experience managing transformations for some of the largest businesses, DXC has a deep understanding of the security challenges and threats specific industries face.

Covering More: DXC and Its Cyber Insurance Proposition

ASSESS

PREVENT DETECT

INVESTIGATE & RECOVER

PRE-CYBER INCIDENT

DURING CYBER INCIDENT

POST-CYBER INCIDENT

DXC assesses current state of readiness and ability to withstand cyber attacks.

Allows insurance companies to obtain evidence concerning security best practices adopted by policyholder.

Provides much-needed information on threat intelligence.

Provides a platform for insurance companies to gain real-time access to risk incident data.

Data on cyber risks leads to improved risk mapping.

DXC Technology offers a complete array of Security Consulting and Managed Security Services for traditional data centre, endpoint, identity and network management, as well as additional platforms including cloud, mobility, and big data.

This helps businesses focus on compliance, enterprise risk management and global threat intelligence, rather than simply reacting to the latest security metrics.

DXC designs, implements and tests incident response and remediation plans.

In the case of an incident, DXC’s Security Incident Management team will identify cause of the security incident, and provide coordination activities to reduce impact of incident to the affected environment.

DXC’s Incident Management, Incident Handling and Incident Response Services help companies quickly return to business normalcy.

Investigation of nature and cause of cyber security breach, including forensic investigation if required.

Deployment of network of specialist investigation and support suppliers, including crisis management and legal teams.

Assessment, validation and settlement of costs involved in responding to an incident.

INCIDENT RESPONSE & SUPPORT

SETTLE COSTS

Global, end-to-end reach: DXC Technology serves as a trusted advisor with full-service security capabilities to deliver integrated solutions to all industries. DXC’s global presence includes 4,000+ security professionals serving more than 70% of the top 100 companies in the Fortune 500.

Technology independence: DXC advice and solutions are vendor-agnostic. As a security services provider and prime security integrator, DXC provides a clear path to industry best practice across all security technology controls.

Deep security expertise: From assessment services, through security architecture, design and implementation, to remote management and monitoring of customers’ environments, DXC helps customers solve their complex security challenges across all domains.

Leading technology: DXC offers a deep partner ecosystem bringing best technologies in tandem with world-class security services to provide robust security protection.


CYBER READINESS

An organisation’s best response helps in all aspects of cyber risk management: from planning to recovery. While there is a growing focus on prevention and detection, it is equally, if not more, important to be ready to respond when cyber incidents inevitably strike.

Cyber insurance allows businesses to cope with the costs in managing a cyber incident, and dealing with post-incident effects quickly and efficiently.

A key question for every organisation is, therefore, not simply what will allow them to respond quickly but what will make it easier for them to respond.

Part of the arsenal of any organisation’s best response includes cyber insurance, of course, as well as specialists who can guide businesses in restoration and recovery. These will strengthen not only the defence posture of the organisation but also its capacity to respond.

Getting Prepared for the Inevitable Risks

Learn more about cyber security insurance

www.dxc.technology/insurance

