By Gyan Pathak
People are being forced to take part in the digitalization zealously pursued by the government of India, a country where almost 26 percent of the people are illiterate and 950 million of the total population of about 1.3 billion are digitally illiterate. Moreover, we are not protected against cyber risks and their potential costs. Cyber insurance is not available, and the level of security is very distressing.
No comprehensive data is publicly available on cyber risks and potential costs. Moreover, the lack of reporting of cyber incidents by affected companies (particularly of certain types of cyber incidents) has led some to suggest that the publicly available data underestimates the true significance of cyber risk. The Organisation for Economic Co-operation and Development (OECD) notes in its report ‘Enhancing the Role of Insurance in Cyber Risk Management’ that even in the United Kingdom, only 26 percent of companies had reported their most serious breach incident to the police, and only 8 per cent to the affected customers. Other estimates suggest that 60-89 percent of incidents are likely to go unreported. The present estimates of losses are obviously far from perfect.
The OECD report uses the classification of the Chief Risk Officers Forum (CRO Forum), which distinguishes only four categories of cyber incidents: data confidentiality breach, system malfunction/issue, data integrity and availability, and malicious activity. These can lead to a number of different types of loss, viz. business interruption, interruption of operations, contingent business interruption for non-physical damage, data and software loss, financial theft and fraud, cyber ransom and extortion, intellectual property theft, incident response costs, breach of privacy compensation, network security failure liability, reputational damage excluding legal protection, regulatory and legal defence costs excluding fines and penalties, fines and penalties, communication and media liabilities, legal protection (lawyer fees), assistance coverage (psychological support), products liability, directors and officers liability, technology errors and omissions liability, professional services errors and omissions and professional indemnity liability, environmental damage, physical asset damage, and bodily injury and death, such as sensitive data leakage leading to murder or suicide.
Incidents involving the compromise of confidential data (data breaches) are among the most common forms of cyber incident. A company's own confidential data, trade secrets and intellectual property, or the personal information of third parties or customers, are compromised through many factors, including the unauthorized or improper disposal of records or unauthorized access (network security breach). The release of confidential data through employee error is the most common cause, accounting for 25 per cent of data breaches. Malicious attacks are on the increase, aimed either at financial gain (e.g. the sale of personally identifiable information or the sale and exploitation of trade secrets) or driven by political or social motivation such as the desire to harm. Breaches of the confidentiality of third parties' data are another type of threat. The stolen data are sold on the black market. Data breach incidents are on the rise even in the United States, where they reached an all-time high of about 1,100 million in 2016. In Europe, the number of exposed records is increasing and reached 325 million in 2013, the latest year for which data are available. Healthcare, financial services, educational institutions, retail and the public sector are particularly vulnerable. The Cost of Data Breach Study 2017 of the Ponemon Institute (based on a survey of 419 companies) estimates the average total cost to a company of a data breach at $3.62 million globally. Verizon, looking at large privacy breaches (100 million or more records), puts the figure at an average of $5 to $15.6 million. The average cost varies significantly across countries, ranging from $1.52 million and $1.68 million in India and Brazil to $4.31 million in Canada and $7.35 million in the United States.
One example shows how much a data confidentiality breach can cost a company. In the fourth quarter of 2013, 40 million payment card records, along with 70 million other pieces of private information such as addresses and phone numbers, were stolen from a major US retailer. In January 2017, the company reported that it had incurred costs of $292 million. In May 2017, it reported that it had spent $18.5 million on the settlement alone with the numerous US State Attorneys General who had launched investigations into the breach.
In September 2017, Equifax, one of the largest credit reporting bureaus in the United States, reported that the names, addresses, social security numbers, birth dates and some driver's licence numbers of 143 million individuals had been exposed, and that in addition the credit card numbers of approximately 200,000 individuals had been accessed. In the five trading days following the disclosure alone, the company lost $3.5 billion in market value. Other costs incurred by the company also run to hundreds of millions. In 2016, Yahoo reported that one billion accounts had been breached in 2013 and 500 million in 2014. In October 2017, Yahoo raised its estimate of affected users to 3 billion. The company's acquisition price was reduced by $350 million, and as of March 2017 its direct response costs were $16 million, apart from other losses. TalkTalk, Ashley Madison, Anthem, JP Morgan Chase, eBay, Korea Credit Bureau, Sony PlayStation Network and Heartland Payment Systems, among others, have also lost billions of dollars in recent years due to data breaches.
System malfunction issues such as denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks were suffered by almost half of all major US corporations in 2015. Cyber attacks targeting control systems, particularly those of critical infrastructure such as electricity networks, water supply or communication infrastructure, have been on the increase; for example, the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recorded 308 incidents in 2015, as against only 138 in 2012. In Europe, a study found that 18 per cent of all data was exfiltrated. Between 2014 and 2017, the number of mega-attacks (those on the top 100 global websites) increased by a factor of 7.5. Risk Management Solutions, Inc. and the Cambridge Centre for Risk Studies (2016) put the average cost of such an attack at $52,000 for small to medium businesses and $444,000 for larger businesses. The average cost per minute of website downtime in 2016 was between $10,001 and $20,000.
A malware attack can create havoc, as did the one on Saudi Aramco on August 15, 2012. The ‘timebomb’ malware deleted 75 per cent of the corporate data, leaving the company without internet and corporate email access for days. The company never disclosed the actual amount of the loss, except that it had to hire IT security experts from all over the world and purchase 50,000 computers. In May 2017, the WannaCry ransomware reportedly infected 300,000 computers in 150 countries around the world, including at the UK National Health Service, the Russian Ministry of the Interior, the Deutsche Bahn railway and global companies such as Nissan, Renault and FedEx. In June 2017, Petya, NotPetya and GoldenEye created havoc in North America, Asia, Latin America, Australia and particularly Europe.
It has been estimated that the loss potential of data corruption risks amounts to 8 to 26 per cent of global GDP.
Cyber theft and fraud are another risk. Even Bangladesh Bank was hit: $101 million was transferred out of its account at the Federal Reserve Bank of New York. Bank cards are forged and manipulated to withdraw cash from ATMs; for example, $45 million was withdrawn in 2013 using prepaid travel cards whose data had been manipulated at Indian credit card processors, while in 2016 JPY 1.8 billion was stolen from ATMs in Japan using the credit card data of customers of a South African bank. These are but a few examples. The amount lost increased by 300 percent between 2015 and December 2016. (IPA Service)