The Cyber Exposure Index of South Africa was launched in October 2017. Despite the reactions the publication provoked, cyber exposure is a real phenomenon and everyone’s problem, whether it is acknowledged or not.
The maturity of cyber security varies by country and by company, and those who were the first to deny that any problem exists may be surprised at how fast the world is moving: reporting cyber exposure will become mandatory by law in the US in January 2018. The EU is following the same track; Singapore is accelerating a data breach notification framework; and other jurisdictions, such as the UK, Australia and New Zealand, are also looking to introduce mandatory notification.
For years, there have been discussions about notifying private citizens if their data have been exposed, and the US was the first to adopt that practice. So it is no surprise that the US is the first to widen that scope, not just making cyber-exposure notifications mandatory but also allowing credit rating agencies and insurance companies to assess publicly listed companies based on their cyber exposure from data made public by hackers.
When it comes to individuals, mandatory reporting covers any unwanted publication of passport numbers, other government-issued ID numbers, any information covered by health regulation, biometric data, an email address in combination with a password or security question that permits access to the account, health insurance policy information, and certificate numbers or subscriber ID numbers in combination with an identifier. That names only a few.
From the investor’s perspective, it is any information that might affect the share price, such as internal emails, business plans, passwords or hacking attempts – the very same information that was measured in the Cyber Exposure Index.
What the index currently reports is a relative ranking in the world—whether, for example, a company belongs to the top 25% of the most exposed companies. What is changing, starting with the US, is that the details are also becoming public: the exact number of passwords that have been leaked, or how many internal emails were posted on hacker sites.
The findings in the Cyber Exposure Index are only the beginning. They are factual findings, not estimates, but the scope is still quite limited. In the first launches we cover only sensitive and confidential internal documents, exposed credentials and hacker group activity against the company. Every organization has more exposure than the index shows; the index is a minimum and a starting point. When we include, for example, financial information, black market activity, internal breaches, supply chains and cloud providers, the number of findings skyrockets.
So what did we find in the study and what did we learn?
First, this topic is emotionally very sensitive for some people, as all new things are. Change is frightening. The main reason for this reaction is the fear that these matters have not been looked after, and the index works as a wake-up call.
Second, the data show very clearly that cyber exposure is every industry’s problem. As every business relies on computers at some level, there is no industry that can dismiss this phenomenon.
Third, a bigger organization does not automatically mean bigger exposure. The drivers of cyber exposure can be split into two main factors: internal security controls, such as ICT security measures, and how well staff and stakeholders are trained to handle data and cope with cyber threats such as phishing and malicious websites.
What does the future look like?
The numbers are rising, and as breach notification becomes mandatory, cyber exposure monitoring also becomes part of an organization’s day-to-day life. Globally, insurance companies are starting to assess companies not just on their internal efforts but also on staff awareness and on the size of their overall cyber footprint and cyber exposure. Once adequate measures have been implemented and cyber exposure is continuously monitored, there is a good opportunity to transfer some of the remaining risk to cyber insurance.
Camargue proudly continues to work with our long-standing risk management partners, Magix Security, to provide our clients with the specialised skill sets they need to manage their unique cyber risks. Magix Security also collaborates with Kinkayo, and we thank Mikko for his contribution and insights following the Kinkayo Cyber Exposure Index report.
The Cyber Exposure Index is published twice a year and can be found at www.cyberexposureindex.com