By now, almost all risk managers have cyber risk on their agenda. Cyberattacks hit the headlines on a seemingly daily basis, and regulation around the world is tightening in an effort to get companies to crack down on their cybersecurity measures.
Protecting data is big business. But there is a major shift going on in the cyber world that is seeing cyber criminals change tack: while they were once stealing data, they are now heading straight for the cash.
“It used to be people stealing data, and then trying to figure out ways to re-sell it. It used to be people doing credit card fraud, and then having to figure out ways to use those credit cards. Now, it’s really shifted to the stealing of actual money. That’s the big shift that we’ve seen,” Darin Bielby, senior managing director at Ankura Consulting, told Corporate Risk and Insurance.
Earlier this year, Ankura acquired two business units from global consulting firm Navigant, where Bielby was a founder of the cyber practice – which he says is in greater demand than ever.
“The big things we work on are wire fraud, where [cybercriminals] convince the company to wire money to the wrong place – and sometimes the [amounts stolen] are in the millions of dollars. That’s what’s driving the explosion in cyber,” he said.
A new study from Willis Re released this week found that due to high-profile cyberattacks and increasing reliance on technology, cyber-related losses are expected to climb in the next 12 months.
Large cyberattacks, like WannaCry or NotPetya, are also expected to happen more often: more than 60% of respondents to the study said they anticipate these occurring at least once every five years.
A report from cyber insurer Beazley last year, meanwhile, revealed that social engineering attacks on businesses – where a hacker uses deception to manipulate individuals into divulging information or wiring funds – had risen nine-fold in 2017.
Many risk managers are seeing their role and function evolve as cyber risks threaten to outpace businesses.
“It used to be that risk managers just generally bought insurance, they weren’t really in the C-suite. There has been a big shift that I’ve seen in my time, where you have chief risk officers and really sophisticated risk managers become part of the inner circle of the executive committee, and they are not just buying insurance, they are studying, analyzing, figuring out strategies to mitigate risk,” Bielby said.
“Within cyber, there is more of a push to do table-top exercises and incident response planning. A number of things which will have the risk manager in the room. That’s helpful,” he added.
Amid regulatory pressures, namely the EU General Data Protection Regulation (GDPR) – which affects any company that transacts in Europe and can see companies fined up to 4% of their global annual turnover or €20 million – organizations are increasingly focused on knowing their exposures.
“Each of these things is putting more pressure on data, understanding your data, and being prepared to deal with cyber issues,” Bielby said.
For risk executives though, it can be difficult to get a thorough sense of how good their organization’s defenses are.
“I think the challenging thing you have is that it’s a complex area that’s difficult to understand. If you’re a CEO or risk manager, even if you raise the issue to IT… they have a vested interest in saying they have it covered,” Bielby said.
The reality is that nobody can be totally immune from cyber risk.
“Criminals are stealing hacking tools from the National Security Agency (NSA),” Bielby said. “If they can break into the NSA, if they can get into JP Morgan, if they can get into Equifax, then they can probably get into a $2 million component company or a small charity. If they want to get in, they are good enough and smart enough that they probably can.”