Why Cyber Insurance Won’t Solve Your Biggest Cyber Problems

Inga Beale, former CEO of Lloyd’s, recently remarked ‘today a company’s most valuable assets are more likely to be stored in the cloud than a warehouse’.

It seems the insurance sector is finally waking up to the fact that intangible assets are the most valuable assets modern companies own – which is something that cybercriminals unfortunately figured out long ago…

Focusing on the Wrong Problems

According to estimates by Cybersecurity Ventures, cybercrime will cost the global economy more than US$6 trillion in 2021, up from $3 trillion in 2015.  However, while most companies now recognise that cyber-crime is a major issue, many senior managers and Boards are focusing their attention on the wrong kinds of cyber damage.

Stepping back for one moment, damage from cyber-crime breaks down into four broad categories:

1. Financial Theft: Manipulation of systems to misdirect funds e.g. an illegal bank transfer
2. Extortion: Withholding access to or damaging systems to extort payments e.g. ransomware
3. Vandalism: Damage to systems or leaking data with no apparent financial motive e.g. the Sony hack
4. Cyber-espionage: Theft of intangible assets to be used or sold

Unfortunately, while most cyber-insurance policies generally cover an organization for theft, extortion and direct loss (such as system repair and downtime) associated with vandalism (1 through 3 of the above list) – many companies do not realise that their cyber insurance policies do very little to mitigate or manage the most catastrophic of all cyber-crime risks: (4) cyber-espionage.

The Danger is Elsewhere

Cyber espionage includes the theft of confidential information such as algorithms, ingredients and formulas, manufacturing trade secrets and processes, product designs, bills of material, customer, supplier and employee data, pricing information and strategic business and financial information. In short, it is about your most valuable assets – your intangible ones.

The scale of intangible asset theft is huge: in 2019, the Commission on the Theft of American Intellectual Property estimated that the theft of American intellectual property by Chinese entities alone currently costs the economy between $225 billion and $600 billion annually. In Singapore, it is estimated that cyber-crime now accounts for 19 percent of the country’s overall crime.

Understand the threat posed

In the “Second Annual Study on the Cybersecurity Risk to Knowledge Assets” released earlier this year by Kilpatrick Townsend & Stockton and the Ponemon Institute, 634 North American companies were surveyed about their approach to cyber risk’s to “knowledge assets”.

The results were stark, highlighting that:

1. Cyber theft is rampant and is an increasing threat:

• 82% (up from 74% in 2016) reported it is likely that their company failed to detect a loss or theft of knowledge assets;
• 65% (up from 60% in 2016) stated it is likely one or more of their company’s knowledge assets are now in the hands of a competitor;
• The average total cost incurred by organizations included in the research due to the loss, misuse or theft of knowledge assets over the past 12 months increased 26 percent from $5.4 million to $6.8 million.
• 84% of respondents stated that the maximum loss their organizations could experience as a result of a material breach of knowledge assets is greater than $100 million (compared to 67% of respondents in 2016).

2. Executives and boards aren’t focused on the issue and its resolution:

• Over 65% rate their approach to the problem as “not effective” and cite lack of in-house expertise (73%) and lack of clear leadership (55%) for this.
• But 50% felt that senior management is more concerned about a data breach involving credit card information or customer information rather than the leakage of knowledge assets.
• Only 35% say their companies’ senior management understands the risk caused by unprotected knowledge assets
• 65% believe that senior management does not make the protection of knowledge assets a priority.
• The board of directors is even worse off: only 31% say the board is made aware of all breaches involving the loss or theft of knowledge assets
• Only 44% indicated that the board asked for assurances that knowledge assets are managed and safeguarded appropriately.

Three Reasons Why Preventing Cyber Espionage Is Critical

Cyber espionage has the potential to cause catastrophic damage than can be far more destructive than financial theft, extortion or vandalism. But while the problem is recognised and there is plenty of evidence around why cyber espionage is a growing issue, many companies are still at a loss regarding what to do.

There are three key ways cyber espionage can damage companies:

1. It directly and systematically degrades the long term competitive edge of a company and transfers it to competitors.

Companies expend substantial resources to develop a competitive edge. However, if a cybercriminal comes along and steals the intangible assets that give the company its advantage, the thief will enjoy the advantage for free (i.e. the victim pays 20% for its advantage, the thief gains 20%, a net 40% shift).

Paying a false invoice of $50,000 (cyber damage type 1) is bad but a 20% net shift in margin in a large company can be catastrophic. According to Kilpatrick et al, the average direct cost to remediate attacks against knowledge assets has risen to $6.8 million (up from 5.4 million 12-months ago) but 84% of respondents said that the real costs for such attacks is more likely to top US$100 million.

2. Over the long term, cyberespionage corrodes the incentive to develop new products.

This point comes back to the age-old adage, ‘why buy the cow if you can get the milk for free’. Today, if someone is able to steal your intangible assets and market them under their own banner, then why would they invest in developing the product or service themselves?

Writing in the Harvard Business Review Erik Meyersson found that even prior to the advent of cyber risk, the theft of intangible assets from West Germany companies by East German interests substantially narrowed the productivity gap between East and West Germany and “was so successful it crowded out standard forms of R&D in the West.”

3. The damage associated with intangible asset theft is frequently uninsurable.

The damage from cyber espionage can potentially run for years and have far-reaching consequences, making it difficult for an insurance provider to identify the quantum of damage (and is thus unable to payout).

Interestingly, insurance is also unlikely to cover indirect loss associated with a hack such as damage to brand reputation (another form of intangible asset). Again this is likely to be because it is difficult (though not impossible) to value the extent of the damage.

This is not to say Boards should not consider taking out insurance against cyber-risk. Cyber risk should absolutely be evaluated and where appropriate insured against as is the case with any risk. However, companies that take out cyber-insurance should carefully check their policies to determine if cyber espionage is really covered and to what extent.

Not Just a Big Company Problem

It’s worth noting here that no company is immune to cyber-crime. At the big end of town, Huawei estimates that it endures around a million cyberattacks per day on its computers and networks; while at the smaller end of town Accenture estimates that forty-three percent of cyberattacks are now aimed at small businesses.

So what can companies do to mitigate risk around cyber espionage?

Beyond having a cybersecurity system in place to prevent, monitor and contain breaches effectively, there are a number of other steps that companies can take to minimize the risk of cyber espionage.

1. Identify your intangible assets

The first step is to identify your intangible assets, along with which of these assets are truly critical and which ones are not. Once you’ve identified which assets drive your competitive edge, you can take steps to ensure that these don’t leak outside of the company and are protected from cyber-attacks.

2. Institute policies and processes

According to the research by Kilpatrick et al, only 14 percent of those companies surveyed restricted access to their knowledge assets, with 61 percent of respondents also stating that third parties have access to their company’s knowledge assets.

With the majority of data breaches resulting from the carelessness of employees or third-parties with access to information, it is important that companies institute policies and processes to proactively identify, protect and monitor access to key trade secrets, know-how and critical confidential information.

3. Educate and create employee awareness about cyber espionage risk

It is also important to educate employees on the importance and value of confidential information as a strategic asset for the company. Ensure employees understand the policies and processes in place and the steps that they can take to minimize the risk of confidential information and knowledge assets leaking or being targeted outside of the organization.

While these steps are relatively simple, they are also effective in mitigating the risk around cyber espionage and the loss of confidential information and other intangible assets when paired with an effective cybersecurity system.

Key take out

Intangible assets now account for 87% of all company value.  They frequently comprise a company’s most valuable assets (would you rather a competitor steals a company car or your customer database?) it is essential that senior managers and Boards of Directors don’t fall into the trap of believing “we have a cyber insurance policy so that’s a tick for cyber.” Companies need to take the risk of theft of their most valuable assets, their intangible assets far more seriously than they have previously.