StrategicRISK’s Asia-Pacific advisory board ranks the region’s top cyber threats

The threat of a hacking event remains the cyber threat of greatest concern to risk managers across Asia-Pacific, according to a recent survey conducted by StrategicRISK.

Members of StrategicRISK’s Asia-Pacific advisory board, which consists of more than 150 senior risk and insurance managers, were asked to rank nine different cyber threats by their likelihood of occurring in the next 12 months and their financial impact if they were to occur.

The survey was conducted in the first two weeks of September 2017.

To identify the cyber threats of highest concern (that is, those most likely to occur and with the highest financial impact), a combined average score was calculated for both likelihood and financial impact for each threat and ranked in order of size. The higher the score, the more likely a threat is to occur and have a high financial impact. This resulted in a cyber threat ranking as follows:

1. Hacking event
2. Phishing attack
3. Malware
4. Social engineering of employee
5. Data theft by disgruntled employee
6. Accidental data mishandling
7. Ransomware
8. IoT leaks sensitive data
9. DDoS

Franck Baron, group general manager for risk management and insurance at International SOS and chairman of PARIMA, said of the survey results: “This is an accurate reflection of the fact that organisations and risk professionals are becoming very much aware of the ‘intangibilisation’ of their business models and other assets, such as reputation.

“This requires a significant shift and re-allocating of focus and resources to cyber, data privacy and intangible assets-related exposures.”

Baron said there is a huge challenge for risk managers to establish very strong internal partnerships with their CIO and CISO, and to continue raising awareness among their boards about this new intangible world.

“This is challenging too in terms of developing new risk prevention and mitigation protocols to tackle such risks and set up proper risk financing facilities.

“Most of our organisations have been very strong and immune to crime-related threats but cyber is creating an even stronger weakness which has put them back to square one,” added Baron.

Peter Jackson, director of multinational clients at Lockton Wattana Thailand, said StrategicRISK’s research is a good snapshot of how risk managers perceive cyber risk.

“An additional factor is scale. Each one of these cyber risks can be small scale or so big it threatens the very existence of the organisation.

“Evidence suggests that companies significantly underestimate recovery times and recovery costs from cyber attacks. My guess is most respondents won’t have experienced a major attack and won’t know from first-hand experience the time and cost needed to recover.

“Companies that suffered from the WannaCry attack found it wasn’t easy or straightforward to get back to normal even when the ransom had been paid,” added Jackson.

Andrew Mahony, regional director, Asia Aon, said risk and insurance managers are wise to recognise the extremely high likelihood of organisations being affected by phishing attacks.

“Threat intelligence suggests that there has been a dramatic increase in spear phishing attempts, with malicious emails comprising almost 1% of email traffic. 

“Although in some cases, the financial impact of a spear phishing attack may be contained, it is important to recognise that a spear phishing email is typically the opening into an organisation which gives rise to a ‘hacking event’, which is reasonably regarded as having a very high financial impact.”

Mahony said this year’s major cyber events, WannaCry and NotPetya, were global ransomware attacks, but the amount paid in extortion payments was limited.

“Losses suffered by companies affected were much greater, with wide-ranging estimates starting in the hundreds of millions of dollars up to US$4 billion globally, expected to primarily be business interruption loss,” he said.

“Ultimately, the results of the survey indicate strong cyber risk awareness among risk and insurance managers, which is consistent with our client conversations across Asia. Therefore, there should be a continued need to understand how these cyber events can cause distinct and significant financial losses for each organisation,” added Mahony.