MANAGING RISK IN THE DIGITAL AGE
May 2011
Arthur J. Gallagher International

Contents

Threat of Attack
Cyber Crime
The Cost of Cyber Threat
Digital Vulnerability of Financial Systems
Reputational Risks in the Digital Age
Best Practice
Conclusion

Threat Of Attack

Advances in telecommunications and information technology have made a significant contribution to the development of the global economy and the productivity of most industries. Digital technologies in the workplace have delivered numerous benefits, including cost efficiency, rapid information sharing, multi-tasking and personal performance. These compelling business advantages, coupled with falling hardware and software prices, led to the widespread adoption of IT across the business landscape. This has, however, made many organisations overly reliant on their digital infrastructures, which in turn has created new vulnerabilities and increased operational risks. Many companies are now susceptible to the threat of attack.

According to the UK's recent Cyber Security Research Institute (CSRI) survey conducted on 200 IT executives, fewer than half of respondents stated that their systems had never been subject to an intrusion or a cyber attack in 2010. In 2011 the number had increased to 80 percent, with nearly two-thirds admitting they had found evidence of malware each month [1].

As corporations and public bodies begin to understand the nature of these threats, there is a general agreement that any plan to counter these challenges should be based on an understanding of the following issues:

- Cyber security – the body of technologies, processes and practices designed to protect networks, computers, programmes and data from attack
- Digital data protection – activity to ensure that all electronic data is safe from unauthorised access
- Online durability of financial processes – an IT system's resistance to cyber attacks
- Sustainability of reputation in the digital environment – cyber attacks can damage corporate reputation, decrease business productivity and influence consumer confidence

Governments are acting unilaterally to address the issue and also recognise that the global nature of the threat will require a combined international effort if it is to be addressed effectively.

In October 2010 the UK Government published the National Security Strategy, which placed attacks in cyber space among the top threats to Britain, together with international terrorism, military crises and natural hazards such as the flu pandemic [2].

As a response to this greater level of risk, the UK Government is preparing a National Cyber Security Programme (NCSP), planned to be implemented over the next four years. Costing £650m, the scheme is set to protect the UK's critical infrastructure, Government networks and services [3].

While all business sectors are at risk from cyber crime or malicious attacks on their digital business infrastructure, certain industries remain more at risk than others. A study conducted by the UK Government in February 2011 suggests that so far the pharmaceutical, biotechnological, electronic, chemical and IT sectors have been affected the most [4]. The same study suggests that the British economy is losing £27bn a year from cyber crime, with £21bn lost by UK business [5].

All indicators suggest that the rate of cyber crime will rise in the immediate future and that criminals will become more sophisticated in the methods they adopt. In this context, ignoring the threat or failing to understand the nature of the risk is no longer an option for any business or public entity.

[1] Financial Times – Electricity grid vulnerable to cyber attacks, April 19, 2011
[2] The Daily Telegraph – Terrorism and cyber attacks: the risks that Britain faces, October 18, 2010
[3] Evening Standard – Privatised utility companies exposed to cyber attacks, April 19, 2011
[4] The Times – Cyber crime costing UK £27bn a year, February 18, 2011
[5] Financial Times – Wake up to £17bn cyber crime, business told, February 17, 2011

Cyber Crime

"Cyber crime became a widespread and profitable business, with hundreds of thousands of individuals involved", notes Eugene Kaspersky, the founder and CEO of Kaspersky Lab, who predicts that by 2020 cyber crime will divide into two types of activity. The first type will be focused on business, with commercial espionage, database theft and online smears intended to undermine corporate reputation. The second type will target areas of everyday life such as transport and telecommunication networks. Hacking into such systems and stealing information, making free use of them and the removal or alteration of customers' activity data will be the main focus of the new generation of hackers [6].

One of the most notorious pieces of malware to emerge in recent years is the Stuxnet worm, which attacked five industrial facilities in Iran over 10 months between June 2009 and April 2010. Stuxnet is targeted at industrial control devices and is able to destroy physical property.

According to two separate reports published by the US Center of International and Strategic Studies (CISS) and the UK's Cyber Security Research Institute (CSRI), the equipment used to control critical national infrastructure (CNI) in the UK and USA is not advanced enough to deal with modern cyber threats. Lagging behind the IT world (some 10-15 years behind modern IT systems) and connected to the Internet, both countries' CNI systems remain a very easy target.

Although the UK Government has already allocated another £650m to manage cyber issues as well as improve CNI, one of the experts quoted in the CSRI report clarifies: "The pot of money that the Government has allocated to this is not big enough to protect its own critical infrastructure let alone research the national critical national infrastructure to find out what needs to be done." As regards Government security reviews, the UK was placed at the bottom, with the lowest level of cyber security checks [7], while China and Japan received some of the highest scores for technology security reviews [8].

[6] Kaspersky Lab – What will cyber crime look like in 2020? http://www.kaspersky.co.uk/news?id=207576285
[7] Evening Standard – Privatised utility companies exposed to cyber attacks, April 19, 2011
[8] Financial Times – Electricity grid vulnerable to cyber attacks, April 19, 2011

Fact: Only 47% of British people use passwords on their mobile devices

A botnet is another class of malware which can infect mobile and Internet-enabled devices. Mobile devices such as smartphones allow users to send and receive email, exchange files and access corporate information while on the move. Such devices have been a boost to personal productivity, but when this access to data beyond the safety of a corporate firewall is combined with users' unawareness of potential security risks, mobile devices become vulnerable to security breaches. Only 47 percent of UK mobile Internet users set a password on their devices to prevent unauthorised access in case they are stolen [9].

As the adoption rate for smartphones grows, so does the interest from cyber criminals. According to a recent report by McAfee, the IT security group, the amount of malicious software in circulation designed specifically to target mobile devices rose by 46 percent in 2010 [10]. In early 2011, Kaspersky Lab reported that it had identified 154 different mobile malware families with 1,046 different strains and variants [11]. The growth of this type of threat and the inherent vulnerability of mobile devices mean that risk managers face serious problems of corporate data protection and cyber risk mitigation.

One of the most serious threats large companies are facing, particularly in the financial services sector, is cyber criminals illegally accessing client databases that contain financial details and personal information such as addresses, social security numbers and even medical data. All these data types are considered highly valuable on the black market. Some cyber thieves use malware to log every keystroke (keylogging), some capture screenshots when victims use banking websites, and others download malicious code or let hackers remotely access the desktop operating system while users enter online banking webpages or corporate payment applications. All these approaches result in confidential information, such as passwords and PINs, being sent back to the criminal network. Armed with this information, the cyber criminal is then able to steal money or sensitive corporate data.

[9] Kaspersky Lab – European Users Mobile Behaviour and Awareness of Mobile Threats http://www.kaspersky.co.uk/news?id=207576289
[10] Financial Times – Threat of mobile cyber crime on the increase, February 8, 2011
[11] Kaspersky Lab – Sensitive corporate information is increasingly at risk from mobile malware http://www.kaspersky.co.uk/news?id=207576290

The Cost Of Cyber Threat

Digital information is easy to store, communicate and also to leak [12]. Intellectual property theft is the most costly cyber threat in the UK. It accounts for some £9.2bn of losses annually [13]. Cyber espionage and online data theft are a significant concern for risk managers. "Industrial cyber espionage is one of the biggest problems faced by many countries", says Melissa Hathaway, former US intelligence official and the leader of a digital security review set up by President Barack Obama [14].

In December 2009 malware called Aurora infected dozens of large companies around the globe, including Google and Adobe. According to Google the attack, which originated from China, allowed hackers to steal intellectual property such as the mail accounts of human rights activists.

Ray Barlow, who leads Arthur J. Gallagher's Cyber Risk Unit, believes that one of the critical risks facing the UK is cyber attack against large utility companies; a Stuxnet-type virus, for example, could cripple the NHS or cause a Fukushima-style meltdown in a nuclear reactor. "An electronic bomb is as effective as an explosive bomb and more readily deployable", notes Barlow.

"The recent PlayStation data theft is not just a nightmare for Sony, but also worrying news for the millions of people who use the network. Once again users will have their confidence shaken by a major company losing their personal information."
Ray Barlow, Gallagher London

[12] The Economist – The leaky corporation, February 24, 2011 http://www.economist.com/node/18226961?story_id=18226961&fsrc=rss
[13] The Wall Street Journal – Cyber crime Costs Mount in U.K., February 17, 2011 http://online.wsj.com/article/SB10001424052748703561604576150353058208060.html?mod=googlenews_wsj
[14] Financial Times – Industrial espionage: Data out of the door, February 1, 2011

Digital Vulnerability Of Financial Systems

General Sir David Richards, head of the UK Armed Forces, observes: "The UK's trade is now so dominated by financial services that nowadays the Internet seems to be as vital as shipping routes were a century ago" [15]. Businesses rely heavily on the Internet when managing their payments and other financial activities. In the wholesale capital markets, the speed of trading, clearing and settlement depends on online systems. Small time delays unnoticed by the human eye can lead to huge losses for the company. For this reason, businesses operate automated or algorithmic trading within set parameters in order to react immediately to rapid changes within target markets.

Online transactions accounted for over 30 percent of all trades executed in crude oil in the fourth quarter of 2010, and a similar proportion of completed trades in energy and agricultural contracts such as corn [16]. While this level of automation brings speed of execution, it also means that companies can suffer from cyber attacks where intrusion into the trading platform can corrupt the algorithms and lead to incorrect orders being placed and further losses being generated.

Case Study: London Stock Exchange (LSE)

At the beginning of 2011, the LSE faced a number of cyber-related problems. On February 25th, the LSE suffered from technical issues which caused trading to overrun by 43 seconds, with incorrectly displayed prices. This was related to "gateways" that connect investors to the main trading system, where the FIX Protocol failed to display correctly on broker screens [17]. As a result, all orders were put into an auction and trading resumed after a four-hour delay. According to Reuters, the LSE's trading volume on the day of the glitch was down 37 percent to £3.3bn at the close, while the daily total for all UK platforms was a third lower at £6bn. The event was also negatively perceived on other platforms. Chi-X Europe's trading was down 20 percent at €1.6bn and Bats was down 21 percent on the daily average for the previous five days, at €600m at the close of normal trading. Only three days later, the LSE faced another problem: users of various web browsers were warned that the organisation's website contained malware [18]. The LSE explained the problem as being a third party website advert. The advert contained a virus, which activated itself if stock exchange users clicked on it and followed the link.

These examples show that the unpredictable nature of the digital environment can be a threat not only to a particular business but also to the whole financial system. But as Ray Barlow notes, "The enemy is often within an organisation itself. One of the biggest concerns for Risk Managers is the threat of the disaffected employee, who has access to passwords and procedures, and is often able to by-pass rudimentary checks and balances."

[15] The Times – UK vulnerable to cyber attack, warns defence chief, January 31, 2011
[16] Commodities Now – Algos transform the ecology of commodity markets, March 7, 2011 http://www.commodities-now.com/reports/general/5296-algos-transform-the-ecology-of-commodity-markets.html
[17] The Times – Glitch halts LSE trading as Dubai woes trigger sell-off, November 27, 2009 http://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_finance/article6934205.ece
[18] City AM – Virus hits LSE website after trading glitch, February 28, 2011 http://www.cityam.com/news-and-analysis/virus-hits-lse-website-after-trading-glitch

Reputational Risks In The Digital Age

The digital age has brought not only technical risks to companies but has also created additional threats to business reputation. The popularity of social networks (Facebook has more than 500m users; Twitter more than 200m) and the simplicity of sharing information via wireless laptops and portable devices have become a risk factor for many companies. The uncontrollable and unpredictable nature of digital communications can significantly damage the image of an organisation and create unwarranted attention.

The example of BP's oil spill in the Gulf of Mexico in 2010 demonstrated how powerful online engagement can be. According to media analyst BrandsEye, in just one day the environmental disaster caused by BP was mentioned online 12,426 times in the English language alone [19]. "Interestingly, while the attack on BP is predominantly being driven through Twitter, with 55 percent of all mentions originating from the social networking site, it is also taking place elsewhere on the web and has been a popular topic on thousands of blogs. This indicates that the issue is far bigger than the usual consumer complaints posted on Twitter", noted Greg Schneider, reputation analyst for BrandsEye. Additionally, a survey conducted by East Mailing Research (EMR) showed that negative publicity had a direct impact on BP's profits within the first three months, with the company's share price losing over half of its value between April and June 2010 by dropping from 655.40p to 319.36p [20].

[19] Bizcommunity.com – BP fiasco lessons: surviving an online reputation crisis, July 7, 2010 http://www.bizcommunity.com/Article/196/18/49744.html
[20] EMR – BP's reputation following the Deepwater Horizon oil spill, July 21 2010 http://www.emrrecruitment.co.uk/bp-s-reputation-following-the-deepwater-horizon-oil-spill-21-july-2010

Best Practice

Professional advice

Risk managers should consider professional advice at all stages of business planning and during a project's implementation. Support from experienced professionals and companies can significantly reduce the risk of cyber threats as well as prepare adequate responses.

Protection

Companies should apply all necessary technological and legal measures to mitigate cyber risks. These can include the integration of an early warning system, better intelligence on what attacks could happen, more reliable protection with updated software, the ability to predict what potential threats could look like and the ability to clean up after an attack [21].

To avoid the consequences of cyber espionage, businesses should be equipped with patents and licenses for all inventions and unique developments they possess. Additionally, Business Interruption cover and the use of shadow servers should be investigated.

Trusted computing

Leading commentator David Lacey predicts in his IT Security Blog that 2011 will be revolutionary for information security and risk management. The revolution is likely to last for the next ten years, with more security technologies emerging [22]. Lacey considers trusted computing technology as one of the top innovations providing low cost hardware security. Trusted Performance Model chips (TPM chips) are now present in hundreds of millions of laptops and servers worldwide [23]. TPM chips are produced by The Trusted Computing Group (TCG), a not-for-profit industry standards organisation concentrating on developing, defining and promoting open standards for trusted computing [24]. Many laptops are being shipped with self-encrypting drives; however, not all customers seem to be aware of it. Lacey is convinced that trusted computing is going to revolutionise the way many people think about IT security [25].

[21] BBC – The world of cyber threats, February 16, 2011 http://www.bbc.co.uk/blogs/thereporters/maggieshiels/2011/02/the_next_uber_cyber_threat.html
[22] Computerweekly.com – David Lacey's IT Security Blog – Security forecasts for 2011, January 2, 2011
[23] Computerweekly.com – David Lacey's IT Security Blog – Hardware Security hits the road, August 25, 2010
[24] The Trusted Computing Group (TCG), http://www.trustedcomputinggroup.org/about_tcg
[25] Computerweekly.com – David Lacey's IT Security Blog – Let's ditch best practices, January 12, 2011

Conclusion

According to the report Managing Digital Risk issued by Lloyd's of London in 2010, risk managers should become far more involved in their company's IT governance and information security by setting up working groups that include all important stakeholders, such as technology experts, legal representatives and business advisors. Multiple partnerships can ensure better security and a more tailored risk response [26].

The consequences of cyber attacks can be disastrous to business: damaging reputation, decreasing business productivity and denting consumer confidence. Many current insurance policies should be reviewed, as most of them will not cover digital risk and focus only on tangible hazards such as fire or equipment damage. "It is always worth checking what types of digital risk covers are available on the market and keeping such protections up to date," advises Ray Barlow. "All organisations should develop their risk management strategies constantly, in response to emerging cyber threats – and in an increasingly volatile world, a secure IT infrastructure and appropriate risk management are the first lines of defence."

For further information, please contact [email protected]

[26] Lloyd's 360 Risk Insight – Managing Digital Risk: Trends, issues and implications for business (2010) http://www.lloyds.com/News-and-Insight/360-Risk-Insight

The information set out in this article has been prepared for information purposes only by Arthur J. Gallagher (UK) Limited and has not been independently verified and does not purport to be comprehensive. The information is intended solely to convey general information about risks in a digital age. The content of the information is not intended to constitute, and should not be relied upon as, legal or professional advice. No representation or warranty, express or implied, is or will be made and no responsibility or liability is or will be accepted by Arthur J. Gallagher (UK) Limited or by any of its respective officers, employees or agents in relation to the accuracy, completeness or up to date nature of the information set out in this article.The information is not intended to replace any and all analyses and/or investigations that a third party might consider necessary in managing its risks. To the extent the information expresses an opinion, the reader acknowledges that any such opinion is an expression of Arthur J. Gallagher (UK) Limited only, and is not a statement of fact. The reader is advised to review the information in conjunction with an appropriate qualified person(s) before any use is made of the information.

Copyright © Arthur J. Gallagher (UK) Limited, 2011