Checking cyber risks

Source: Middle East Insurance Review | Jul 2017

As cyber attacks increase in both number and intensity, it is imperative for organisations to understand the evolving nature of the threats they now face and formulate a coherent defence plan to keep these risks in check.
By Cynthia Ang
 
 
The business environment today is continuing to change rapidly, and technology is becoming one of the key disruptors in the way companies will run and exist in the future. Technological innovations such as the IoT, mobile devices, cloud computing, drones and artificial intelligence have created a platform of opportunities for businesses in the Middle East to thrive and expand.
 
   At the same time, more and more governments in the Middle East are also embracing the trend and aim to maximise their digital economic output as they seek to reduce their dependency on oil-generated revenues and to diversify their economies to promote sustainable growth. 
 
   Collectively, a unified digital market across the Middle East, with 160 million potential digital users by 2025, could contribute up to almost 4% annually in GDP worth around US$95 billion, according to a McKinsey report, “Digital Middle East: Transforming the region into a leading digital economy”.
 
Mounting threat
However, the rapid adoption of digitisation in the Middle East, home to almost half of global oil reserves and much of its natural gas, has also made the region an attractive target for an array of cyber criminals.
 
   According to the latest “2017 FM Global Resilience Index”, the Middle East has emerged as the most vulnerable region to cyber attacks and associated risks. 
 
   The report, which ranked 130 countries based on their enterprise resilience to disruptive events, shows four Middle East countries – Bahrain, Qatar, Saudi Arabia and the UAE – ranking lowest in the index for inherent cyber risk. 
 
   These oil-rich countries have high internet penetration, but suffer from equally high cyber risks because of lesser emphasis on their cyber security industries, the report said. 
 
   Another report by cyber security firm FireEye said that energy, government and financial services sectors were the most targeted verticals in the Middle East in the first half of 2016. These included oil production facilities and industrial control systems (energy); foreign and defence ministries (government); retail banks, investment banks and sovereign wealth funds (financial services).
 
Staggering losses
Globally, cyber attacks caused estimated economic losses of over $450 billion in 2016 and the figure is expected to reach as high as $6 trillion by 2021. In the Middle East, the losses are estimated at more than $1 billion a year.
 
   The staggering losses reflected the inability of organisations to assess and mitigate cyber risks across the evolving IT landscape. One notable trend in the past year was the emergence of ransomware as one of the most dangerous cyber threats facing both organisations and consumers today. 
 
   Two massive global ransomware attacks this year – Petya in late June and WannaCry in mid-May – infected networks and caused major disruptions across the globe. 
 
   Dubbed by risk modeller RMS as “arguably the first-ever cyber-catastrophe”, WannaCry affected more than 230,000 computers in over 150 countries and caused an estimated $4 billion in damage, with the UK’s National Health Service (NHS), global shipper FedEx, car manufacturers Nissan and Renault and German state railways among those hardest hit. 
 
   In the Middle East, WannaCry infected computers in the UAE, Saudi Arabia, Qatar, Egypt, Jordan and Iran, although organisations which had been attacked were not identified and no major losses were reported, according to Kaspersky Lab.
 
   Although the Middle East was not spared from the impact of WannaCry, evidence indicates that the region was not hit as hard as some other parts of the world, said Mr Wael Fattouh, PwC Middle East Partner, Risk Assurance Services.
Some analysts have pointed to the timing of the attack being a factor in the reduced impact (the attack initially hit during a weekend in the Middle East), while others have suggested that many affected organisations simply did not report the incident to reduce impact on public image, he added. 
 
Growing demand for insurance
With the increased demand for digital services in most markets in the Middle East, governments and businesses are both adopting digital innovations to seamlessly connect with their customers on online platforms, said Mr Brendan McDonald, Senior Vice President – Liabilities, Oman Insurance Company. 
 
   But he warned that such digital initiatives come with their share of cyber risk, and the market has recently witnessed its own share of cyber incidents. 
 
   As a consequence of this increased exposure, the Middle East cyber insurance market has grown in recent years. “However, the take-up in the region has been slower than anticipated. But with cyber risk programmes increasingly being flagged at the C-suite levels, discussions on cyber insurance should gain further momentum,” Mr McDonald said.
 
   Companies are now taking out insurance on their systems and data just like they would on physical assets, said Mr Fattouh, noting that the increasing number of cyber threats and the potentially devastating impact an incident can have on an organisation are the main drivers behind this increased demand. 
 
   “Insurance companies are not only looking at the value of the data, they are also evaluating the impact a breach can have on the flow of the business or the reputation of the organisation,” he added. 
 
   For underwriters, insuring cyber risk involves compiling in-depth information on their customers to determine their exposure to cyber attacks, according to a Lloyd’s report, “Closing the gap: Insuring your business against evolving cyber threats”. 
 
   This information includes the size and type of business, as well as more complex detail, including the volume of sensitive data held and the value of that data, the different security protocols the company observes, the potential motivations for attack, the geographies the company operates in, the vulnerability of the supply chain and profiles of the executive team.
 
Managing the risks
To enhance their cyber resilience, it is critical for organisations to transform their business strategies and implement policies that integrate cyber security to mitigate the threat impacts. But the enforcement of cyber risk management practices and procedures in the Middle East varies considerably from one organisation to the next, as with other regions.
 
   “With board members and key decision makers increasing their focus on the business implications of an absent cyber protection plan, many have taken action and invested in technology, training, contingency planning and insurance solutions. This approach has not, however, been adopted universally yet and many organisations may still find themselves vulnerable to a cyber attack and ill-prepared for the aftermath,” Mr McDonald observed. 
 
   In terms of preparedness against cyber attacks, Mr Fattouh noted that some organisations and sectors such as banking are way ahead of others, while other entities have a lot of ground to cover. “However, the one thing that is clear is that everyone is paying a lot more attention to cyber risk than any time before. This increased focus and awareness has positively impacted the level of maturity across all sectors. There is still a long road ahead, but we believe the region is moving in the right direction.”
 
   Mr McDonald said most entities are mindful of cyber threats posed by hacking/malware for example, and are also aware of the various solutions available to mitigate these. “Unfortunately, human error can often result in a cyber incident, even with the most robust of defenses. Thus, organisations also need to invest in training teams on how to recognise and defuse cyber threats.” 
 
   One of the risks usually overlooked by many organisations in the region is third party (for example, vendor) risks, Mr Fattouh said. In today’s connected and integrated business environment, risks are transferred across company boundaries. “If your vendors are not managing their risks appropriately, then that can in most cases increase your own risks and expose you to significant risks that can critically impact you.”
 
   In the absence of strong regulatory requirements on service providers and vendors in many sectors, “it is essential that you understand what steps your business partners are taking to protect their systems and data. It is also your right to be aware of how well they manage their cyber risks and the plans in place to deal with incidents, because their incident can quickly become yours”, he said.
 
SMEs – the weakest link? 
While there are increased efforts among companies to boost awareness and encourage better cyber risk protection, it is worth noting that a large proportion of companies in the Middle East are SMEs or family-owned businesses.
 
   Often deemed as the weakest link in cyber security, SMEs are easy targets due to the underestimation of their risk level, and this is not helped by the fact that they generally lack the technical knowledge and expertise to defend themselves against cyber attacks.
 
   Indeed, some SMEs have underestimated their exposure to a cyber attack or the impact that one could have on their business operation and the costs associated with resolving issues and returning to business as usual, Mr McDonald noted. 
   
   Many SMEs often may not have the right level of resources to allocate to cyber security and, as a result, may leave themselves exposed, he said. 
 
   “Recent events have, however, shown that vulnerability to a cyber attack is not restricted to the SME segment, as was highlighted by the recent global WannaCry incident. This particular ransomware impacted many multinational organisations,” he added.
 
   Disagreeing that SMEs are the weakest link, Mr Fattouh said the region has highly educated and very capable SMEs, both locals and expats. “The main challenge that SMEs face is the difficulty of leveraging cyber security effectively. However, they are moving in the right direction, and we do see an opportunity to develop the level of people’s awareness and maturity in the security culture of the employees within those organisations,” he said.
 
Action plan
As cyber crimes evolve and related incidents become more frequent, it is a matter of “when” and not “if” an organisation gets affected, Mr McDonald said. 
 
   It is important to have “a sound contingency plan” that will allow the organisations to limit the potential damage and return to business as quickly as possible, controlling any ensuing losses. 
 
   High profile cases such as WannaCry and Petya serve as timely reminders of the vulnerability of many organisations – large or small – regardless of their locations. Citing the WannaCry attack as a wake-up call to the businesses in the region, Mr Fattouh said: “Whatever the reasons, the reduced impact of WannaCry does not mean we are safe, there will be more attacks, and there is still much to be done when it comes to the level of maturity and resilience of the cyber security in the Middle East.”
 
   Agreeing, Mr McDonald said the “impact of cyber risks on a business of any size should not be underestimated, and cyber security needs to be given the same level of priority as other factors fundamental to the continued operation of a business. Organisations need to take a proactive approach to their cyber security risk management which should focus on both prevention and recovery”. 
 
   While cyber insurance is an integral component of any cyber risk management programme, it is only one piece of the puzzle protecting an organisation from cyber security risks, Mr McDonald said. “The appropriate cyber security tools that advocate prevention, a trained team aware of and alert to cyber threats, along with the right contingency plan, will go a long way in staying cyber safe,” he said. 
 
   Concurring, Mr Fattouh advised: “Invest in your people and in changing the security culture of your organisation, because that is the best investment you can make to protect yourself.” 
 
   With the threat from cyber criminals not expected to disappear anytime soon, promoting a culture of collective responsibility for cyber security will help organisations stay safe in cyberspace.
 