2015 cyber risk and data protection predictions
Businesses in 2015 are expected to face increasing challenges as they struggle to contend with the burgeoning threat of complex cybercrime. EY analysis has outlined some of the key areas that cyber risk threatens to affect in the coming year: the difficulty the insurance sector faces in underwriting cyber risk, the raft of regulation coming out of both the EU and the UK, the importance of integrated risk functions within firms, and the cyber risk of supply chains moving to the cloud.
Insuring against cyber risk
Cyber risk poses a serious and growing threat to businesses across the UK, and companies are increasingly looking to insurers for protection against financial losses arising from attacks. Certain sectors already require firms to take out cyber risk insurance as a matter of regulatory compliance. However, cybercrime is not a traditional area of risk for insurers, and the burden of underwriting the risk is proving very difficult.
Shaun Crawford, Global Head of Insurance at EY, comments: “Cyber risk will certainly be one of the biggest challenges to the insurance market in 2015. Cybercrime is a moving beast, making it impossible to quantify the risks neatly or to calculate them in an informed or consistent manner. With so much unknown, it’s not surprising that premiums are wildly different across the market, and without cross-market stability, the industry will most likely be operating on significant indemnity losses.
“It will no doubt be a matter of time before insurers simply refuse to accept the undefined transfer of risks. But, in the short term, it is likely that they will start to demand evidence of adequate cyber risk controls from businesses that demonstrates they are taking cybercrime seriously and are taking the necessary steps to avoid opening themselves up to attack. This will present a whole new problem of benchmarking what does and does not constitute ‘adequate control’, which could put a spanner in the works, and result in cyber risk effectively being incompatible with the insurance model.”
A raft of EU regulation
The forthcoming EU General Data Protection Regulation (GDPR) poses significant challenges for business; in particular, it shifts power to consumers via the ‘Right to be Forgotten’. From a cyber perspective, the GDPR will inevitably increase consumers’ awareness of their rights over their own data and put pressure on businesses to take more action on data capture and privacy, as well as on security.
This will be reinforced further by its sister instrument, the EU Network and Information Security Directive, which will introduce mandatory breach reporting. Cyber-breach news headlines, already prevalent, will inevitably become more frequent as companies are forced to disclose openly to their customers that they have suffered a breach.
Mark Brown, Executive Director in EY’s Cyber Security & Resilience Team, says: “Protecting data is no longer enough, data must be actively managed, and the forthcoming EU GDPR recognises this. The EU GDPR will have a major impact on all companies that hold personal data – from Technology, Media and Telecommunications companies, to retailers, e-commerce and consumer-goods companies.
“Many businesses which have never before been regulated in this space will become inundated with new compliance objectives, leaving current internal systems unable to cope. Although these rules won’t come into full effect until 2017/18, we expect to see businesses starting to address and prioritise what they need to do in order to comply with this new regulation.”
Built-in versus bolt-on risk functions as a priority for firms
Cyber risk functions are a relatively new feature in a growing number of businesses. They are a direct response to the perceived and actual risks that have come with digital working, and are fundamental if companies are serious about bringing the cyber risk agenda into the boardroom.
Cheryl Martin, Partner in Financial Services Cyber and IT Risk at EY, comments: “In the last decade financial services firms in particular have woken up to the dangers that cyber can pose to their business. Many firms have built cyber risk into their business model, but there are still too many which have bolt-on functions that simply cannot be expected to effectively manage the potentially catastrophic risk that cybercrime represents. It is clear that firms need a dedicated risk function, with a direct line into senior management.”
Cyber risk in your supply chain – everyone’s moving to the cloud
The move to built-in security is expected to create a new dynamic for organizations looking to refresh their IT strategy, particularly where that strategy involves cloud services.
Mark Brown comments: “No longer will cloud computing be seen as a ‘risky bet’ or insecure. Indeed, quite the opposite, as cloud service providers have recognised that demonstrable security is key to their business success. We therefore expect a significant increase in organizations moving to cloud computing, but would caution them to ensure that in doing so they balance the economic and technical benefits of such a move.
“Further, the extending of the IT supply chain to cloud service provision will inevitably expand the supply chain, and therefore introduce new risks to be managed; not just in procurement, but ongoing management of cloud service providers. The supply chain is fast becoming the new network perimeter and will represent a key focus for security professionals in 2015.”
Date: 17th December 2014 | Region: World | Type: Article | Topic: ISM