The digitised world is growing at a phenomenal pace. Three years from now more than half the global population will be online. Businesses are embracing the digital era out of necessity as the Internet of Things drives entrepreneurship. Information is now stored digitally, and with the rapid increase and sophistication of IT and network infrastructure comes an increase in sophisticated digital criminals. The world is experiencing a dramatic rise in cybercrime. Malware and ransomware are now concepts that businesses need to understand as cybercriminals attack their digital infrastructure. The rise of cybercrime has been astonishing. The cost of data breaches around the world is expected to rise to $2.1 trillion in two years’ time. That’s a staggering four times more than the cost of global data breaches two years ago. Businesses need to embrace new technologies and understand that they’re exposing themselves to new risks. The question is how to guard against data breaches, how to mitigate damages and how to manage cyber risk. The world is changing at a bewildering pace due to rapid digitisation, and urgent solutions are needed to ensure that businesses are cyber resilient. Aon Risk Solutions can provide many of the solutions for a company battling to keep afloat in this technologically charged business environment. David O’Sullivan spoke to Kerry Curtin, Manager: Financial Institutions and Professional Risks at Aon South Africa, about cybercrime, cyber risks, cyber vulnerability, cyber security and the new must-have for any responsible business – cyber insurance.
Kerry, I was looking at some information, which said that according to the 2015 Security Summit that was held in Joburg, South Africa’s the third-worst in the world when it comes to cybercrime attacks, do you agree with that?
Yes, I do agree with that. That would be our experience when talking to clients, definitely, and the reason that we do not realise how bad cybercrime is in South Africa is quite simply because at this point, companies don’t have to report if they’ve had a cyber breach.
Are people keeping cybercrime quiet?
Yes, very quiet because of the associated reputational damage.
What’s at stake when somebody is subject to cybercrime?
When a company is hacked a lot of information would be stolen and that information is then sold out on what they call ‘the dark web’, which is the part of the internet that we don’t really have access to, where the criminals operate. All that information goes out onto the dark web for sale to cybercriminals. Cybercriminals then use that information either to scam medical aid companies or hospitals, or to commit identity theft, using all your information to buy houses and run up massive amounts of expenses in an individual’s name, so that’s the first thing. You as the company have the responsibility to look after your customers’ and your employees’ information, and if you don’t and that information is breached, that company is then liable to make good all those damages suffered by the third parties, the individuals.
The second point is we have a thing called cyber extortion and that is where people insert ransomware into your computer systems. What the ransomware then does is it literally denies you access and shuts down your computer systems and you cannot trade. You’ll then get a funny little message saying, “Pay us 10 000 in Bitcoin”, which is an untraceable currency, “And we will then extend you the keys to un-encrypt your data”. Those are just two things. Now when your system is down following a ransomware attack, if you’re not trading you’re losing money, but there’s also a potential loss of business revenue following from a cyber-attack.
I have never heard of this issue of ransomware?
Yes, ransomware. It’s kind of like a virus that comes into your computer system either by way of an email, with a strange link on it and staff not being aware of it will click on the link and then the ransomware encrypts your entire system. Alternatively, via an input stick, a memory stick or something like that. A company could also face huge costs arising from property damage following a network security breach. What I mean is a lot of manufacturing and engineering and utility companies all today are networked through industrial control systems and these systems then monitor and control all the industrial processes.
If those industrial control processes are hacked or sabotaged, that could then lead to first, property damage to actual physical property. There are two examples of that already having happened. The recent one was in 2014, there was an attack on a German steel mill and that attack disrupted control systems in such a way that it prevented a blast furnace from being shut down, so you can imagine the kind of property damage that can arise from such an attack.
This comes at huge costs. When we look at research, it’s predicting that because we’ve got this rapid digitisation of consumers’ lives, the cost of data breaches could reach $2.1 trillion globally by 2019, that’s in two years’ time.
Yes, it’s mind blowing.
Is it right to say that’s up four times on two years ago?
Correct, on the forecast two years ago, it’s four times up.
How should a company start mitigating the risks?
Well, Aon can really assist companies because Aon has spent a lot of money investing in cyber and cyber security and what we like to do is we don’t just want to say to our clients, “Buy insurance”. What we are saying to our clients is, “Let’s have an integrated approach. We want to manage and mitigate your risk of cyber threat and once we’ve managed and mitigated your threat, then we’ll look at transferring the residual risk to an insurance company in the form of an insurance policy”. So, how do companies do that? What we are saying is, “Identify your critical assets, and actually know what your most critical asset is”. You’d be surprised at how many companies just have no idea how many data records they have or what they have control of, so that’s the first thing, identification.
Is this then finding out where the data is stored, how it flows across the organisation, and who has access to it?
Yes, but before you even do that you need to know what data you have. I’ll give you an example. When a client completes a proposal form, we ask them to tell us how many data records they have, do they have less than 5,000 data records. Data records would be, for example, my name and identity number, my banking details, my sexual orientation, all those kinds of things are data records. Many companies are not even able to say, “We have fewer than 5,000 data records or more than 25,000 data records”. They actually have no idea where to start. That is the first step, find out what are your critical assets, and how much data do you have. Once you’ve done that, then we can conduct a comprehensive risk assessment to enable us to find vulnerabilities and assess their cyber preparedness.
Now is that something that you would do in conjunction with the client?
We do that in conjunction with the client, yes.
Explain to me how that works, how do you do that risk assessment?
We have a number of simplistic tools. Our first tool is the Aon Diagnostic Tool, which is a web-based tool. The client just clicks on a link and has to complete a survey. The survey takes about 15 minutes to complete and it asks clients pointed questions over five different areas. Number one is, what is your business profile, number two, what kind of hardware are you using, number three, what kind of software platforms are you using, number four, what’s your data policy within the company, what are your compliance procedures in terms of data protection within your company and then the fifth step would be looking at their exposure to cyber risk.
The minute the client has completed that assessment, they automatically get access to a report which then ranks their cyber risk, are you a low to medium risk, are you a high risk, where are your areas of concern. That’s the first thing Aon can do for clients and that we do free of charge, that is just the service that we give to our client base and our potential clients.
Right, once you have that information, obviously it depends on what information is coming back to you, what’s the next step?
We then analyse the results of the Diagnostic Tool. We like to then set up an appointment with the client, speak through all the issues that have been highlighted in the Diagnostic Tool and then link that into a discussion. Now where are you in terms of your approach to cyber governance, what are you doing, do you have a process in place to educate your employees, what are your provisional crisis plans, all those kinds of things. Once we go through all of that then we can start talking. So we have a really holistic approach to cyber governance, your defences are sharp; now what we can do is look at your residual cyber risk and now let’s go and buy an insurance policy.
At the same time you would want to prevent cyber-attacks on a company. It’s all very well for them to be insured should an attack take place, but in much the same way as you would install cameras and electric fences and alarm systems, you will want to put up some kind of barriers to cybercriminals, does Aon assist in that?
No, we do not, that is not our field of expertise, but what we can do is recommend certain professionals in that field to assist clients.
However, you would want clients to keep their defences sharp, wouldn’t you?
Correct, all companies should have active firewalls in place, they should have active virus scanning programme software in place. Aside from that there are other techniques just to ensure that applications, networks, etcetera are not vulnerable.
For you to provide cyber insurance to a company you will want to be convinced that they are aware of what data could be stolen and how vulnerable they are to a breach before you’re going to do a proper risk assessment, aren’t you?
Very much so, because it would be very dangerous for any client or any company to believe, okay, I have an insurance policy, so I don’t have to worry about cyber security because that approach then forgets the legislation regarding cyber security around the world and in South Africa. The legislation in South Africa, what everybody refers to as POPI (the Protection of Personal Information Act), although that bill wasn’t active I think in 2014, the actual sections that deal with cyber protocols for processing and storage of information have yet to be made effective.
However, the Data Regulator was appointed in December 2016, a lady by the name of Advocate Pansy Tlakula, and we expect those sections of the legislation to be implemented and made available in May 2017. Once that legislation is implemented, clients have a year to become compliant with that legislation and if they’re not and something happens, they are then liable to quite large fines from the Data Regulator.
That will have an impact on their insurance, surely.
Yes, it will have an impact on their insurance and that’s the beauty about a cyber policy, because a cyber policy would then also pay for the costs of the defence against the Data Regulator, plus the cyber policy would pay any fine imposed by the Data Regulator, which is quite a massive thing in an insurance environment.
I’m trying to get my head around the impact of the different regulatory environments, I’m aware of the EU General Data Protection Regulation, which comes into effect in 2018. The fact that it has EU at the start of its name (the European Union), South African businesses might say, “Well, I don’t have to think about that”, but it’s more all-encompassing, isn’t it?
Yes, what that EU regulation is going to be doing, is regulating all information, all trading in a cyber environment in the whole of Europe. For example, a South African company may well have a branch in Europe, we may have clients in Europe, and the minute we are trading in Europe we would then be subject to those regulations.
Can Aon assist clients in understanding the regulatory environments?
Yes, Aon are having a global cyber conference next week, and that is one of the items on the agenda. We are looking at a solution to give our clients to help them comply with that legislation, whether they’re based in Europe, Mexico, or in South Africa.
Are South African businesses savvy about cybercrime and the need for cyber insurance?
No, unfortunately not. There’s a huge sense of complacency in the sense that our data protection legislation is not enacted, so we’re okay. We’re only going to have a problem when that legislation is enacted. What they don’t realise is that cybercriminals are not waiting for legislation, they’re already in the process of becoming far more professional and hacking more and more organisations. What is very interesting is, in our experience it is the smaller clients that are being hit the most.
Is there a reason for that?
I would imagine that they’re seen as soft targets, their cyber security is not as rigorous as the larger corporate organisations would be.
For any company, any director listening to this, or reading this, thinking, “We’re not up to speed”, what’s their first step? Is it completing the Cyber Diagnostic Tool that Aon offers and taking it forward from there?
Yes, that’s what we would recommend.
Then you have the Aon Cyber Risk Data Regulator advocate team, my kids would call it ‘Ghostbusters’.
Yes, then the Aon Risk Team would come in and discuss the results of that report with them and assist them identifying their risks, identifying their exposures, giving them advice on how to mitigate.
Where’s the best place people can start, a website address, what do you recommend?
It’s actually a link. The link to our tool is www.aoncyberdiagnostics.com.