2017 saw an ongoing evolution of the cyber threat, most notably with two global ransomware attacks. 2018 looks set to be more of the same, but don’t rule out further surprises as cyber criminals and state-backed hackers continue to adapt and expand their activities.
In our final issue of Cyber Decoder for 2017, we give our thoughts on the trends to watch for in 2018 focusing on three key areas: Data protection laws; the ever-changing cyber threat; and the growing cyber insurance market.
HIGHER STAKES FOR DATA BREACHES
In May the European Union will implement the General Data Protection Regulation (GDPR), a milestone for the region’s data protection and privacy landscape. The rules will harmonise data protection laws across the EU, increasing the rights of data owners, regulatory powers and requirements on companies.
From May, organisations that process the data of EU citizens (whether based in the EU or not) will need to have certain processes in place to protect personal data, and will potentially be required to notify the regulator and data owners of a data breach within 72 hours of its discovery.
Failure to meet obligations under the GDPR could lead to hefty fines of up to 4% of a company’s global annual revenue or Euro 20 million (GBP 17.75 million). A recent survey found that more than half of UK companies may not have the means to meet the cost of paying regulatory fines under the GDPR. Surveys in 2017 have consistently shown that the majority of companies are not confident that they will be fully compliant with the GDPR by the May deadline. A survey by Varonis Systems found that 57% of IT professionals polled are still concerned about compliance with just six months to go. Forester goes further and predicts that as many as 80% of firms will not be compliant in time.
The GDPR also increases rights for data users – such as the right to be forgotten – which will prove challenging for organisations to implement, especially with regards to legacy data. The new regulations are also expected to make it easier for data owners to seek compensation following a data breach, while collective actions for data breaches are gaining momentum.
European countries are not alone in introducing tougher data protection laws. Data breach notification laws have been in place in the US for a number of years, and have driven higher costs for data breaches, as well as high levels of cyber insurance penetration. Australia and Canada are following suit and will introduce mandatory data breach notification requirements in 2018.
The effect of these laws will be an increase in the number of data breaches notified to regulators and data owners. If they follow the experience of the US, the financial cost of a data breach – and the reputational risks of getting it wrong – will rise.
It remains uncertain exactly how national regulators will use their new powers and the extent of fines levied. Over the course of 2018 we will begin to see how regulators and courts interpret new data protection laws like the GDPR.
It is safe to say that data privacy will become a more significant exposure for organisations moving forward, and it is a risk that will need to be continually assessed and managed.
CYBER THREATS CONTINUE TO EVOLVE
In all likelihood cyber threats will continue to evolve in 2018, increasing demand for cyber security resources and cyber insurance.
The past year has seen a further broadening of cyber risk as cyber criminals and state-backed hackers find more and more ways to steal data, extort money or generally disrupt business.
A recent report from Ponemon Institute and Accenture found that an organisation suffers on average 130 security breaches each year, a 27.4% increase on the previous year’s survey findings. Each breach costs on average USD 2.4 million to resolve.
The use of social engineering and spear phishing to perpetrate fraud and crime has been a growing problem. Some 2.9 million UK companies, for example, were affected by cyber crime in 2016 at a total cost of GBP 29.1 billion, with phishing the most common type of attack while ransomware was reported to be the most expensive.
Ransomware dominated the headlines in 2017 following WannaCry and NotPetya in the summer, which drummed home the potential for large business interruption losses from a cyber attack. According to Cyber Security Ventures, the costs of global ransomware attacks exceeded USD 5 billion in 2017.
The success of both these forms of attack in 2017 means they are unlikely to fade in 2018. In fact they may get worse as targeting becomes more sophisticated and as they are applied to new areas and targets.
The Internet of Things (IoT) cyber security is likely to come into sharper focus in 2018, as the proliferation of connected devices with weak security adds further ammunition to hackers. Some cyber security analysts see IoT as one of the biggest cyber security threats and challenges to business in coming years.
IoT cyber security is complex, and many products do not have cyber security routinely built in by manufacturers. As the number of IoT devices increases exponentially, so does the risk. The Dyn attack in 2016 used a botnet army of IoT devices to disrupt traffic and bring down sites like Netflix and Twitter.
Cyber security experts also expect more to come from Shadow Brokers, the hacker group that leaked the National Security Agency exploits behind WannaCry. The group has said that it will release a new suite of exploits and hacking tools soon, which will make malware even harder to fight.
Events like WannaCry could become the new normal, so basic cyber hygiene – including regular patch management and backups - will be more crucial than ever. The fear of catastrophic cyber events can help drive investment in cyber security - Gartner reports that cyber security spending will reach USD 86.4 billion by the end of 2017 – but it is important that firms also remember the basics.
CYBER INSURANCE MARKET TO GROW AND EVOLVE
Interest in cyber insurance continues to grow with tougher data protection laws and with increasing awareness of cyber risk at boardroom level. Two hugely disruptive global ransomware events in 2017, as well as several large data breaches and a catastrophic IT outage for one major airline, struck a note with many boards, which are increasingly coming to realise the potential disruption and financial costs of a major cyber incident.
Interest in cyber insurance has also been building ahead of the General Data Protection Regulation (GDPR), which is expected to increase the stakes for data breaches in Europe, as well as board level awareness for cyber security and privacy liabilities.
With the implementation of the GDPR we have seen a marked increase in European companies purchasing cyber insurance for the first time, while those that already have standalone cyber insurance are increasing limits to allow for an expected increased exposure under the new rules.
The implementation of the GDPR is also accelerating the trend towards contractual requirements for cyber security and insurance as part of procurement. Organisations are looking to pass on their data and cyber liabilities, as well as mitigate cyber related business interruption in their supply chains.
Despite increasing exposures, insurers continue to demonstrate an appetite for cyber risk and see cyber as a future growth opportunity. The market remains highly competitive, with continued softening of cyber insurance premium rates, higher limits and broader cover, especially for cyber-related business interruption.
The buyer’s market for cyber insurance should persist into 2018. However, large catastrophe losses in the wider insurance market in 2017 could take some of the heat out of the cyber insurance market in 2018 if insurers allocate capital to more attractive lines of business where rates are increasing.
Another factor that is likely to play to the cyber insurance market is an increased focus on cyber exposures within the insurance market.
During 2017, UK regulator the Financial Conduct Authority (FCA) called on insurers to address so-called silent cyber exposures – cyber exposures in traditional insurance lines, where policies do not explicitly include or exclude cyber risk.
Coupled with insurers increasing focus on catastrophe exposures and concerns following recent cyber incidents, 2018 is likely to see an increase in cyber exclusions in property and casualty lines. This in turn should support the continued shift towards covering cyber risk through standalone and specific cyber insurance products.
Download Cyber Decoder
For further information, please contact FLG@jltasia.com