Across the globe, our teams have observed these new cyber trends emerging over the past year, with many surfacing in the past six months alone. These trends represent new developments in the cyber risk and security landscape and may have significant implications for both companies and consumers. Today, many cyber risks have become systemic: large-scale, rapid-fire attacks spread from one country to another. The globally disruptive cyber-threats of 2017 unite businesses and individuals around the world in a common endeavor to stay secure.
From helping companies adopt some of the world’s leading best practices for cybersecurity to consulting individuals on how to help protect their identities in the aftermath of large-scale data breaches, AIG can deliver unique perspectives that stem from our longstanding experience as a global leader in cyber insurance. As cyber risks around the world become increasingly interconnected, AIG can help its clients develop global cyber risk solutions and can deliver, through collaborative partnerships, the meaningful risk insights that enable stronger and safer outcomes.
1. EU Regulations May Expand Cyber Awareness and Liabilities
Europe’s new law to protect consumers’ data, the EU General Data Protection Regulation (GDPR), will take effect in May 2018, introducing fines for companies that fail to adequately secure the personal data of EU citizens. The GDPR will also require companies using EU citizens’ personal data to alert the EU within 72 hours of experiencing a data breach.i These regulations can “raise awareness in the public” and “could help companies better protect themselves,” says Tracie Grella, AIG’s Global Head of Cyber. Companies can “see what is happening with others” and “learn from mistakes.” “They can learn from the trends that we’re seeing,” Grella explains, highlighting the summer 2017 ransomware attacks, which spread across industries to affect companies that may not have anticipated they were at risk.
The GDPR may also increase cyber liabilities on a global scale. “Cyberattacks can cause multiple jurisdiction issues for a company,” says Cynthia Sze, Head of Financial Lines at AIG Hong Kong. She cites the example of a Hong Kong-based multinational digital toy company which needed to engage authorities in more than 10 different countries following a data breach. When the GDPR takes effect in 2018, this legislation may affect businesses across the globe. For example, a Hong Kong hotel chain handling the personal information of EU citizens may become liable to the EU in a cyberattack. “Organizations need to consider if they have enough support in the locations where they have operations and exposure,” Sze says.
What to know about the GDPR if you’re conducting business in the EU:
- Becomes effective May 2018.
- Fines companies that fail to secure personal data of EU citizens.
- Increases cyber liabilities on a global scale.
- Helps companies protect themselves and learn from mistakes.
- Designed to raise public awareness of cybersecurity.
- Dictates that companies must alert the EU within 72 hours of a data breach.
2. UK Taking Steps to Improve Cybersecurity of Healthcare
The UK government is taking steps to improve cybersecurity in healthcare. UK hospitals will receive £21 million to bolster cybersecurity in the aftermath of the WannaCry ransomware attack, which disabled the National Health Service’s IT systems.ii The ransomware attack affected 3,000 computers at UK hospitals, locked up patients’ data in England and Scotland, and disrupted hundreds of medical procedures and appointments in May 2017.iii Fortunately, due to strong business continuity plans, hospitals were able to reschedule appointments to mitigate risks to patient safety.
A 2016 study by the Ponemon Institute found that more regulated industries such as healthcare experience the most costly data breaches, as fines combine with higher-than-average rates of lost business and customers.iv As data sharing becomes a larger part of medical research and patient care around the world, healthcare organizations must properly protect patients’ data from breaches in order to continue to earn clients’ trust.
Careful planning, clear communication, and transparency in the aftermath of an attack can help healthcare organizations mitigate cyber risks. Tracie Grella, AIG’s Global Head of Cyber, emphasizes the importance of creating a strong incident response plan. That plan should involve “how you’re going to work with an external PR firm and what type of communication you’re going to have, what type of resources you’re going to give to your consumers so that they can get information on the incident,” says Grella. Patients may need to be redirected to other hospitals, and so it is vital to “make sure that communication is as smooth as possible.”
3. Middle East Needs New Cybersecurity Solutions
Interest in cyber insurance may be growing in the Middle East, as the region becomes a target for costly cyberattacks. With wealth arising from the oil industry and with high internet connectivity, Middle Eastern countries may experience large losses from cyberattacks due to a lesser focus on cybersecurity in the region. A 2016 PwC report notes that businesses in the Middle East lost more in cyberattacks than businesses in any other region of the world: 56% of businesses in the Middle East lost more than $500,000 from a cyberattack, compared with 33% of businesses globally.v
One reason for the elevated cyber risks in the region may be a lack of cybersecurity education for companies and consumers. According to PwC, businesses in the Middle East rank in the top 10 worldwide for investment in cybersecurity technology, yet in the bottom 50 for cybersecurity training. The Middle East Insurance Review points to the need for “bespoke risk consulting services” in the region since “prevention is…better than cure.”vi
Tracie Grella, AIG’s Global Head of Cyber, emphasizes the importance of education in strengthening the often-overlooked “human element” of cybersecurity. “How are you protecting yourself from the insider threat and making sure that you’re training your employees so that they can identify potential cyber risks and cyberattacks?” asks Grella. “Employees can be the best line of defense for an organization,” she says, “but they have to be very well trained so that they don’t let an adversary into the system.”
“It’s really creating a culture of cybersecurity awareness and maturity within an organization and making sure that you’re managing cybersecurity on an enterprise-wide basis. It’s not just an IT issue, but it’s an issue that goes across human resources, the business end of the company, finance, legal, and technology, and compliance,” she says.
4. Revised South African Cybersecurity Bill Paves Way for International Collaboration
South Africa has submitted a revision of its 2015 draft legislation on cybersecurity to its parliament. The revised bill takes into account criticism of the 2015 plan, which some South African and international groups had argued would introduce limits on free speech online and upset existing balances of copyright law. The revised bill, proposed to parliament in February 2017, removes the critiqued sections on online personal expression and copyright infringement. However, the legislation does propose criminalizing “data messages” that are “inherently false,” as well as those “aimed at causing mental, psychological, physical, or economic harm.” For example, the bill would restrict online messages that incite damage to property.vii
Like the 2015 draft, the 2017 version establishes South African jurisdiction over cybercrimes carried out within the country or by South African citizens, as well as over cybercrimes that originate in other countries and produce effects within South Africa. While this approach is now the conventional way for countries to define their jurisdiction over cybercrime, the challenge for countries today is “establishing effective law enforcement cooperation across borders…a struggle even for the United States and other developed countries.”viii
The 2017 legislation paves the way for South Africa to participate in international cooperation on cybersecurity by putting into place double criminality laws and by creating an ‘always-on’ point of contact for notifications of cyberattacks, as well as by allowing South African officials to request new types of data from other nations. These changes are consistent with the central global agreement for cooperation on cybersecurity, the Budapest Convention on Cybercrime. Although South Africa has not yet signed the Budapest agreement, increasing consistency with its global standards could help South Africa become “a regional hub for cooperation” on cybersecurity.ix
South African consumers show a strong interest in cybersecurity, according to AIG research. In 2016, South African consumer insurance brokers ranked cybersecurity as an area where consumers demonstrate high levels of concern, preparedness, and likelihood to take action, relative to other risk areas including the impact of globalization, civil unrest, and market instability.
i Lord, Nate. “What is GDPR (General Data Protection Regulation)? Understanding and Complying with GDPR Data Protection Requirements.” DataInsider, 27 Jul. 2017. https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection. Accessed 24 Oct. 2017.
ii Campbell, Denis. “Hospitals to receive £21M to increase cybersecurity at major trauma centres.” The Guardian, 12 Jul. 2017. https://www.theguardian.com/society/2017/jul/12/hospitals-to-receive-21m-to-increase-cybersecurity-at-major-trauma-centres. Accessed 19 Sept. 2017.
iii “3,000 Computers Infected and 441 Lancashire NHS Appointments Disrupted by Cyber Criminal Attack.” Lancashire Post, 24 Jul. 2017. http://www.lep.co.uk/news/crime/3-000-computers-infected-and-441-lancashire-nhs-appointments-disrupted-by-cyber-criminal-attack-1-8665821. Accessed 24 Oct. 2017.
iv “2016 Cost of Data Breach Study: Global Analysis.” The Ponemon Institute, Jun. 2016. https://www-01.ibm.com/marketing/iwm/dre/signup?source=mrs-form-1995&S_PKG=ov49542&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&&cm_mc_uid=53978029475614943467355&cm_mc_sid_50200000=1508882428&cm_mc_sid_52640000=1508882428. Accessed 24 Oct. 2017.
v “Cyber risk insurance: No longer a luxury purchase.” Middle East Insurance Review, 1 Jul. 2017. http://www.meinsurancereview.com/Magazine/ReadMagazineArticle/aid/39615/Cyber-risk-insurance-No-longer-a-luxury-purchase. Accessed Aug. 2017.
vii Fidler, Mailyn. “South Africa Introduces Revised Cybercrime Legislation, Acknowledging Criticism.” Council on Foreign Relations, 7 Mar. 2017. https://www.cfr.org/blog/south-africa-introduces-revised-cybercrime-legislation-acknowledging-criticism. Accessed 19 Sept. 2017.