Considering entire cyber safety infrastructure is key to addressing risk

Collaboration at both country and corporation levels is critically important to address an ever-evolving cyber risk which, coupled with today’s interconnected infrastructure, can have potentially catastrophic ramifications, Carol Kreiling, vice president of Swiss Re (pictured), suggested Tuesday during a presentation in Toronto.

“How do we prevent a system intrusion or a data breach?” Kreiling asked those assembled for the joint conference of the Canadian Insurance Claims Managers Association and the Ontario chapter of the Canadian Independent Adjusters’ Association. “One of the focuses that we have to think about is the entire cyber safety infrastructure within corporations and governments, she said, adding that cyber is “such an international exposure.”

Citing a recent report from the World Economic Forum – the focus of which was cyber issues – Kreiling said the group considered various ways of modelling cyber risk. Identifying key parts of models that can be used to protect infrastructure, she reported, some of the desirable attributes are applicability, precision, timeliness, scope, and how the decision-making process is made.

“Obviously, if everyone is collecting their own data and no one is talking, that’s going to be a problem,” she told attendees. “We have to have governments working together with this issue and we have to have corporations working together with this issue,” Kreiling emphasized.

Energy is one sector that clearly demonstrates how a targeted attack could have company, national or even global ramifications. “If you look at the oil industry and the energy sector, a cyber attack against them could be absolutely catastrophic.” Statistics show “40% of the cyber attacks against the United States infrastructure is targeted at the energy sector and projections are that by 2018, the costs of those kinds of data breaches is going to reach US$1.87 billion,” Kreiling reported.

Citing the August 2012 Shamoon virus attack against Saudi Aramco – Saudi Arabia’s national petroleum and natural gas company – she told attendees that although the incident did not receive a lot of press coverage, hackers destroyed 85% of the hardware on 30,000 computers at the company.

“Could you imagine what would have happened had that attack been more widespread and had it totally devastated the company?” Kreiling asked. “It wouldn’t have just impacted and destroyed a company. It could have had severe devastating effects on the country of Saudi Arabia.”

What if the attack had resulted in a fire or an explosion at the refinery? “Can you imagine the devastation? That would be Deepwater Horizon to the nth degree.”

With energy, the potential trickle-down effects are real, Kreiling argued. “What would we do without that energy? It would have a devastating impact on the world economy, there’s no doubt about that.”

Kreiling cited another World Economic Forum report, this one on the technological risk landscape and issued in 2013. “At the very top, among five areas that they targeted as most important, is critical systems failure,” she said.

And among the things that could cause critical system failures are cyber attacks, which the forum noted includes state-sponsored, state-affiliated terrorism.

Overall, Kreiling told conference attendees that “there was a 48% increase in data breaches last year than the year before.”

Citing former FBI director Robert Mueller, she said there are two kinds of corporations: those that have been hacked and those that will be. “In fact, he said that those kinds of corporations are converging into another scary category: corporations that have been hacked and know it; and corporations that have been hacked and don’t know it,” Kreiling reported.

Whether cyber attacks are state-sponsored, state-affiliated terrorism, the work of organized criminals or the result of efforts by disgruntled employees, she emphasized that they all demand attention and consideration.

“When you start looking at these three profiles – and I’m sure there are more out there – you have to make sure you look at it from a different perspective and that is that there are all kinds of different levels of sophistication,” she said.

“What is their tactic? What is their motivation? Why are they doing this? Are they stealing your information in order to sell it on the black market? Or are they wanting to be destructive?” she asked. “As good as the good guys are, the bad guys try to stay one step ahead,” she said.

Although insurance may apply in many situations, Kreiling noted that there are still questions revolving around what coverage is needed and whether or not the coverage selected will be sufficient should something occur.

“Sometimes technology can exceed the pace of insurance products. It takes us a little while to really understand a risk, study a risk and then develop a product and issue that product to protect people,” she told those assembled at the conference. “The bad guys, they’re just coming along without any delay.”

That being the case, companies need to focus on the issue and “devote enough resources to it. And what countries need to do is to make sure that they realize that their cyber infrastructure is a national strategic asset.”