FINEX: Willis Special Report: Fortune 1000 Cyber Disclosure by Financial Institutions

Posted 01-Jan-2017

In our recent report examining U.S. public company cyber disclosures,[1] we focused on the Fortune 1000. In this special report, we begin a new series that further highlights specific industry groups. In this first offering, we feature the financial institutions sector.

Financial institutions face unique risks due to the specific activities they are involved in. The Fortune 1000 range from the largest international retail banks, holding huge amounts of personal and financial information, to a relatively small mortgage insurer at number 940 on the list, which may not hold more than a few million personal records. In this report, we discuss banks, insurance companies and asset managers (or funds).

Willis found that the financial institution (FI) sector was much more likely than other sectors to disclose types of risks across all categories, with cyber terrorism and regulatory risk identified at greater than double the rate of the Fortune 1000 companies as a whole. This may seem appropriate given the level of regulation of the financial institutions sector and the fact that they are major targets for domestic and foreign political groups or hacktivists.[2]

WILLIS SPECIAL REPORT: FORTUNE 1000 CYBER DISCLOSURE BY FINANCIAL INSTITUTIONS

[Figure: REPORTED EXPOSURES F1000 VS FI INDUSTRY. Bar chart comparing the percentage of Financial Industry companies with the percentage of Fortune 1000 companies disclosing each exposure: Privacy/Loss of Confidential Data, Reputation Risk, Malicious Acts, Liability, Cyber Regulatory Risk, Cyber Terrorism, Error and Malfunction, Business Interruption, Outsourced Vendor Risk, Loss of Intellectual Property, Product or Service Failure, Social Media Risk, Actual Cyber Events.]

Hacktivism is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose. The individual who performs an act of hacktivism is said to be a hacktivist.
http://searchsecurity.techtarget.com/definition/hacktivism

Willis North America | Special Report 10/13 2

THE SECTOR'S CYBER EXPOSURES

In the U.S., the banking and financial sector has been designated by the federal government as a critical infrastructure sector because every organization and virtually all individuals are reliant to some degree on financial products. This dependency stretches across a broad array of products, services and institutions, ranging from the largest banks with assets of more than a trillion dollars to the smallest local insurance company or private equity firm.

"The term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

Executive Order 13636 of February 12, 2013, Improving Critical Infrastructure Cybersecurity

The financial sector is critically reliant upon technology to keep records, process transactions and facilitate day-to-day activities. It is among the most highly regulated sectors and spends more than most industries, as a percentage of revenue, on information technology (IT) security. However, this does not mean it is less likely to be the victim of an attack. The sector is third among all industries in the number of records lost for all years tracked by Risk Based Security, Inc.[3]

DISTRIBUTION OF AFFECTED RECORDS BY SECTOR

Technology 35.7%
Retail 15.2%
Financial 15.1%
Other 13.5%
Medical 10.0%
Business 7.2%
Government 2.1%
Education 1.2%

A successful, widespread attack on the financial industry could reduce confidence in the banking system. One can imagine the worst-case scenario in which financial records cannot be trusted, putting institutions in a position where they can no longer verify account balances and trading positions. Such an event could freeze transactions between financial institutions, causing a liquidity crisis in the interbank market.

For insurance companies, the largest fear may be of a massive privacy information breach, which, while not quite as catastrophic to the economy as a whole as the example above, could be devastating to the institution. Companies in the insurance industry hold combinations of personal, health care, credit card and financial data; a large-scale breach might result in liability losses that would match or surpass the largest impacts we have seen to date.

Cyber risk in the funds sector is more company-specific, depending on the strategy of the particular institution. Funds that rely on sophisticated algorithms or high speed trading to implement their strategies may be the most exposed. We have already seen failures and large losses due to glitches, both at exchanges and at investing institutions, caused by programming and other errors. One capital markets participant lost its independence (was acquired) because of a loss of confidence brought about by trading anomalies caused by a technology failure.

EXTENT OF CYBER LOSS

Most of the institutions in our study were circumspect in their approach to disclosure, hesitant to describe their potential cyber risks in the most serious terms. Only 2% of banks described their exposure as critical, and 59% found that the exposure was less than material or serious, with 8% silent as to the possible extent of their cyber loss. Similarly, 8% of insurance companies were silent on their cyber exposure. We expect, as disclosure becomes accepted, that all these companies with large amounts of personal data will be more forthcoming regarding the extent of their cyber risks.

[Figure: EXTENT OF CYBER RISK FI VS F1000. Stacked bar chart (0% to 100%) for the Fortune 1000 and for Financial Services groups (including Funds), showing the share of companies disclosing at each level: Silent; Would impact or adversely impact operations; Significant; Would materially or seriously harm operations; Critical.]

One might expect, due to the number of attacks on financial institutions, especially banks, that they would have a significantly higher sensitivity to cyber attacks and thus be more likely than the average Fortune 1000 company to describe their risk as critical, material or serious. But we found that most FIs disclosed their risk in similar terms or levels as other Fortune 1000 companies.

We can speculate that, because of the investment in large information technology (IT) security teams (some banks have 300 people or more working on their IT security staff) and redundancies, banks feel they have invested enough to minimize the possibility that they will be materially affected by a cyber attack. Financial institutions may also believe that they can continue to run their businesses without their systems for a period of time by going to manual backups. After all, many functions of financial institutions, such as payments of insurance premiums or loan payments, do not stop because the institution's systems are down.

Notably, within the financial institutions sector, it was insurers that reported the highest levels of concern about the risk of a cyber event, with 60% disclosing the risk as critical, serious, material or significant, a higher rate than banks or funds. Only 49% of banks and only 17% of funds indicated the same levels of significance.

The lower concern at funds companies may be explained by the lower exposure most funds companies have to loss or disclosure of PII (personally identifiable information). Many funds companies hold their accounts in the name of the investment company and do not hold any details of the individuals that are the primary investors, thus significantly lowering any risk of disclosing personal information.

CYBER LOSS EXPOSURES IDENTIFIED

Financial institutions lead other industries in the number of exposures identified. Like most of the Fortune 1000, they identify privacy and loss of personal information as the most concerning exposure, with 80% of companies specifically referring to that risk, closely followed by reputation and malicious acts.

[Figure: FI INDUSTRY REPORTED EXPOSURES IN ORDER OF OCCURRENCE. Bar chart with two axes, No. of Companies (0 to 80) and Percentage of Companies (0 to 90%), for each exposure: Reputation Risk, Malicious Acts, Liability, Cyber Regulatory Risk, Cyber Terrorism, Error and Malfunction, Business Interruption, Outsourced Vendor Risk, Loss of Int…]