Some 37% of delegates at the Strategic Risk Forum in Singapore said this was the biggest concern, followed by an increased reliance of the business on data and technology

Strategic Risk Forum 2016

The loss of customer data is the main cyber risk facing most companies, but keeping their IT systems up to date would be the first step in mitigating the risk.

When asked what cyber risk they are most worried about, the majority of delegates (37%) at the 2016 Strategic Risk Forum in Singapore, cited the loss of customer data.

According to David Siah, country manager, Singapore at Trend Micro, this is not surprising.

“Some customer records are more expensive on the black market than credit card data, because credit cards can be disabled, but a personal record follows you for life. A key example would be a medical record. Once a hacker gains access to that information, they can use it for a lot of other purposes throughout a person’s lifetime,” he explained.

Willis Towers Watson Singapore Finex leader Frances Fu concurred.

“We have a lot of dialogue with customers about cyber insurance – whether it covers regulatory fines, crisis management, forensic costs and so on, especially when personal identifiable information of their customers is compromised,” she said.

Fu added that cyber insurance does not just cover the costs incurred as a result of the privacy breach, but can also cover the first party and third party losses.

Another type of cyber attack on the rise in recent years is ransomware, where cyber criminals encrypt data and ask for money to decrypt the data.

Siah said: “If you receive an encryption notice on a critical business file, do you pay the ransom or not? Many people do pay … so that’s why ransomware has become a very big problem.”

He said that most breaches happen because the company has not updated their systems and software, leaving the backdoor open to hackers.

“Client data is inevitably one of the most important aspects of [our] business,” Barclays vice president UK, Europe & APAC, group insurance and group risk Geetha Kanagasingam said.

“For cyber risks Barclays groups its control requirements under four key categories. These are attacks on us, attacks on our customers’, attacks on the availability of our services and attacks on critical banking structure. There is no appetite for control gaps rated as critical.”

When asked about how best to manage cyber risk, Kanagasingam said: “To implement a robust IT security and cyber risk prevention programme. A chief information security officer should be appointed to be the risk owner who comes up with the policies, the procedures and the programmes, working with the relevant stakeholders within the business. Risk managers ought to work closely with the first line of defense that includes the CIO, CTO, COO etc – to provide inputs and possible solutions from a risk and insurance perspective as part of a holistic risk management strategy creating a second line of defence in preventing and/or mitigating losses.”

Christophe Durand, head of cyber strategy at Interpol, said corporates should make intrusion detection their top priority.

“We all know now that it is impossible to get a 100% secure information system, so we should consider the fact that the enemy is within your information system, so you have to monitor the behaviour of your system in order to identify what is going on in your system.”