What is Cybercrime and Cyberterrorism?
Cybercrime includes hacking, theft, cyber stalking, malicious software, child soliciting and abuse, phishing, ransomware, malware, identity theft and scams.
According to the U.S. Federal Bureau of Investigation, Cyber terrorism is a “premeditated, politically motivated attack against information, computer systems, computer programs and data which results in violence against non-combatant targets by subnational groups or clandestine agents”
On 12th May 2017 a Wannacry ransomware outbreak began and eventually spread to more than 150 countries. The ransomware affected older unpatched operating systems including Windows 7. The National Health Service in England was affected with PCs being locked with no access to patient information until a ‘ransom’ was paid. It was reported that applying security patches could have protected against the attack.
How to tackle cybercrime
The FBI does not recommend paying a ransom in exchange for a decryption key. The payment could fund illicit activities and the cybercriminal may not release the key after payment has been made.
While organisations are significantly investing in keeping their firms at bay from cyber criminals, financial investment alone won’t be enough. Effective defence does not end by delegating responsibility to an IT specialist who will use antivirus and anti-spam software, firewalls, intrusions-detection systems (IDSs) and other add-ons to reduce the threats.
The National Cyber Security Centre in the United Kingdom offers 10 steps to cyber security which includes:
- Protecting networks from attack.
- Maintaining awareness of cyber risks, training staff and producing policies for secure use of systems.
- Implementing removable media controls, such as scanning for malware before importing documents.
- Applying security patches and maintaining systems.
- Establishing incident responses and disaster recovery and testing the plans.
- Developing and testing a Business Continuity Plan to deal with a ransomware attack.
UAE on cybercrime
Federal Law No. 5 of 2012 concerning Combating Information Technology Crimes (Cyber Crimes Law 2012) came into effect in December 2012. The law, which builds on the previous Federal Law No. 2 of 2006, is more comprehensive in its nature and scope and covers a range of new offences and higher penalties. The law addresses the increase in cybercrime incidences, defines additional categories of offences and expands on the definition of each crime.
The penalties depend on the type of data obtained and what the criminal did with the data, for example, any person accessing an electronic information system without authorisation to obtain government data or confidential data relating to a financial, commercial or economical facility may receive temporary imprisonment and a fine not less than AED250,000, but not in excess of AED1.5m.
Cyber risk and risk management
Good risk management is about identifying and evaluating risks and implementing measures to treat those risks. It is expected that every business should determine their cyber exposures and be integrated into an organisation’s overall risk exposure and risk appetite. Some risks may not be preventable and cyber insurance may provide a suitable risk transfer mechanism.
Every Risk Management professional within an organisation should have a full understanding of the risk and the practice tools and techniques to mitigate such risks.
Cyber Insurance
Many organisations around the world have suffered a data or cyber security breach. Some are recognised global brands including Equifax which suffered a data breach in September 2017 and Yahoo in October 2013. With an increased media focus on data breaches, large companies face, not only reputational risk but financial and legal risks.
Cyber insurance, also known as cyber liability insurance coverage (CLIC), has been around for many years. With many laws requiring mandatory notifications of breaches, the cost of notifying those who are affected may be expensive.
CLIC is an insurance product designed to protect businesses by offsetting costs involved with recovery after a cyber-related security breach or similar events. There are no standard underwriting policies but the policy may cover costs related to first party liability (e.g. legal fees, investigations related to company related costs) and/or third-party liability (litigation as a result of the event).
According to PwC’s Insurance 2020 & Beyond report it estimates the gross annual premiums of cyber insurance will grow to $7.5bn by 2020 (estimated $2.5bn in 2014). The report also tells us that about one-third of U.S. companies are currently purchasing cyber insurance.
Any organisation that stores and maintains customer information should consider purchasing cyber insurance. With the implementation of the EU’s General Data Protection Regulation (GDPR) demand may increase for cyber insurance along with and a better understanding of whether insurance will cover fines/penalties from regulators.
The Board’s role in managing cyber risks
The Board has a responsibility to its shareholders and there is a clear threat from cyber criminals to reputational, legal and financial risk which must be addressed.
It is important, however, for all board members, regardless of technical background, to participate in ensuring the right policies and practices are in place and followed.
Below are some key areas for Boards to consider:
1. Set the tone from the top, if the Board is taking the threat seriously then this will filter down to employees.
2. Include cyber security on the agenda at Board meetings.
3. Provide annual training to employees about the threats that exist, the tactics cyber criminals use and how to keep data and systems safe.
4. Implement a policy of reporting attacks, data breaches or suspicious activity.
5. Recruit an IT security expert to conduct an audit on an annual basis and present findings to the Board.
Keeping the data secure may seem like a demanding task and incorporating cybersecurity into a Board’s responsibilities so that security is on an equal footing with other crucial corporate governance issues, is a major step towards safeguarding an organisation. No matter how well an organisation is prepared, it cannot fully prevent cyber attacks. What can be done is to have the right plans and systems in place to block attacks and mitigate the effect.
Regulatory Spotlight
According to Aon’s 2018 Cybersecurity Predictions Report, regulators at the international, national and local levels will strictly enforce cybersecurity regulations and increase compliance pressures by introducing new ones. Coordination between financial institutions and various authorities is essential to deal with cyber risk.
In January 2018, the World Bank Group released a paper on Financial Sector’s Cybersecurity Regulations and Supervisions presenting sections on viewpoints on the need for new cybersecurity regulations, coordination between financial sector authorities, internal system and controls, and guidelines for supervisors.
The Future
In the past there has been very serious cybercrime. A catastrophic cyberattack is yet to happen resulting to massive data loss, business interruption or reputational damage.
Products are already available for individuals, families and High Net Worth Individuals covering identify theft, cyber bullying, cyber extortion and system restoration after an attack. However, with an increase in demand and with challenging technologies, new products are designed to meet the requirements of business based on volume of data and supply chains (third parties). Businesses are more vulnerable to cyberattacks because of supply chains. Recently, businesses have extended their CLIC to supply chains.
With the implementation of the EU General Data Protection Regulation (GDPR) and the ever emerging and evolving cyber threats, it is likely that the number of insurance products and players within the market will continue to grow.
In her tour of the region she was looking to help enhance controls and inform leadership of steps to be taken collectively to inhibit bad actors. More specifically to counter Iran’s malign activities in the region and improve AML defenses of companies and governments in relation to such activities.
