Cyber Security: Global Risk and Rising Complexity

Multinationals are fighting a battle on two fronts when it comes to cyber security as they seek to fend off new, emerging security threats and also comply with evolving global regulations.

These emerging security threats include the risk of attacks by insiders threatened by the economic downturn and new tactics — such as “spear phishing” and “malware” — being used by criminals on the outside to gain unauthorized access to computer networks.

Global regulatory compliance, meanwhile, is a chief concern for many companies as they navigate the various international laws and standards concerning cyber security.

With security and regulatory risks extending beyond the United States to their foreign operations, multinationals need to take additional actions to make sure their operations are well protected and compliant.

Cyber Crime a Growing Problem

Cyber crime is not going away. As the world becomes ever more interconnected and dependent on networks, laptops and personal handheld devices, the opportunities are just too great. The personal information stored on such devices — credit card information, drivers’ licenses and Social Security numbers — is at high risk and is often targeted by criminals because of the price it can bring on the black market.

The numbers paint a disconcerting picture. Data breaches increased dramatically in 2008. Breaches reported to the Identity Theft Resource Center in 2008 were up 47 percent over the previous year. Internet-based crime complaints jumped 33 percent in 2008, according to the Internet Crime and Complaint Center, and the total reported dollar loss was $265 million, up about 11 percent from 2007. These complaints included a wide variety of cyber crime matters from online fraud, to computer intrusions, economic espionage, identity theft and other matters.

Although these are U.S. statistics, Internet-based crimes can happen anywhere in the world. Because the Internet is global, the risk is global. Networks are vulnerable to breaches no matter where in the world they may be. Laptops, flash drives and other handheld devices, meanwhile, are easily lost and misplaced, creating vulnerability for multinationals seeking to protect sensitive private data.

Emerging Cyber Threats

Each year brings its own set of risks and challenges. One risk that bears watching is the threat posed by company insiders, either former or current employees, who understand a company’s inner workings and may be able to exploit that knowledge to gain unauthorized access to valuable confidential information.

Theft by insiders appears to be a growing problem. Insider theft accounted for nearly 16 percent of security breaches in 2008, more than double the level from the previous year, according to the Identity Theft Resource Center.

In addition to the risk posed by insiders, companies are also faced with the task of trying to stay ahead of the bad guys from the outside, who are constantly looking for ways to get around corporate defenses.

One of the latest tricks is known as “spear phishing,” a term for a highly targeted phishing attack. “Spear phishers” will craft their e-mails using information they’ve found on other Web sites, blogs or social networking sites to make them seem more legitimate. These e-mails are often directed to individuals within corporations and can be sophisticated enough to trick employees into clicking on a link or providing critical information about the company or its computer system.

Another concern is the growing use of “malware,” which is used to infiltrate or damage computer systems without the company’s knowledge. Malicious code activity grew at a record pace in 2008, primarily targeting confidential information of computer users, according to a Symantec Internet Security Threat Report issued in April.

Regulatory Compliance

Keeping networks and the data stored on them safe from security threats is just one of the challenges facing multinationals. Compliance with the various laws and regulations concerning data and network security is another.

In the 6th Annual Global Security Survey of financial institutions issued by Deloitte Touche Tohmatsu in 2009, respondents identified security regulatory compliance as their top priority, reflecting their struggle with the right way to handle the multiple legal and regulatory requirements as well as those of auditors. As security breach notification laws and other cyber security initiatives proliferate, often imposing the potential for fines, lawsuits and negative publicity, it’s understandable that this is a concern for the survey’s respondents and most likely other firms.

Companies conducting business in the United States must manage myriad changing regulations. As of December 2008, 44 states, the District of Columbia, Puerto Rico and the Virgin Islands had enacted legislation requiring notification of security breaches involving personal information, according to the National Conference of State Legislatures. These notification laws typically require companies to immediately disclose breaches of personal information to customers, usually in writing. The costs involved with notifying customers about breaches can be substantial. The average cost of a data breach has risen to $202 per customer record in 2008 from $197 in 2007, according to Ponemon Institute’s Fourth Annual Cost of Data Breach Study issued in January.

In addition to the various notification laws, certain types of companies in the United States are also expected to comply with laws such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), which require companies to protect consumer’s personal information.

There is also a growing trend toward the enactment of comprehensive privacy and data protection acts around the world. Over 40 countries and jurisdictions have or are in the process of enacting such laws.

In the European Union, companies are required to comply with EU Data Protection Directive of 1995. In Asia, the Asia-Pacific Economic Cooperation continues its work on a Privacy Framework, building on the 1980 Organization of Economic Cooperation and Development Privacy Guidelines.

Other initiatives are also under consideration in the United States. The Cybersecurity Act of 2009, introduced in the Senate in April, would give the federal government power to set and enforce security standards for private industry for the first time. The bill would require the National Institute of Standards and Technology to establish “measurable and auditable cybersecurity standards” that would apply to private companies as well as the government. It also calls for the appointment of a cybersecurity “czar” who would have authority to shut down computer networks if a cyber attack were underway.

Risk Management

By making their operations in the U.S. and abroad more secure, companies will also go a long way toward being more compliant. Companies that are harder targets for cyber attacks are less likely to experience a loss.

By taking the appropriate measures to mitigate their security risk, multinational organizations will also put themselves in a stronger position when it comes to negotiating insurance coverage as well. Insurance is available to help protect against first party losses stemming from theft of money or other assets as a result of a breach of network security. It also can help defray notification costs, legal defense costs and crisis management expenses.

With “malware,” “spear phishing,” and the threat of insider attacks on the rise, companies face significant challenges protecting their operations in the United States and in other parts of the world. Multinational firms that keep networks secure and work to comply with regulatory standards may benefit from lower losses, fewer lawsuits, fines and penalties, and a greater number of insurers willing to provide needed insurance protection.

Ellis is a senior vice president of Chubb & Son and manager of Multinational Risk Group – Global Accounts. Tracey Vispoli, vice president, global financial fidelity manager, also contributed to this article.