Managing Cyber Risk in the Financial Sector

About This Book

Cyber risk has become increasingly reported as a major problem for financial sector businesses. It takes many forms including fraud for purely monetary gain, hacking by people hostile to a company causing business interruption or damage to reputation, theft by criminals or malicious individuals of the very large amounts of customer information ("big data") held by many companies, misuse including accidental misuse or lack of use of such data, loss of key intellectual property, and the theft of health and medical data which can have a profound effect on the insurance sector. This book assesses the major cyber risks to businesses and discusses how they can be managed and the risks reduced. It includes case studies of the situation in different financial sectors and countries in relation to East Asia, Europe and the United States. It takes an interdisciplinary approach assessing cyber risks and management solutions from an economic, management risk, legal, security intelligence, insurance, banking and cultural perspective.


Information

Author
Ruth Taplin
Publisher
Routledge
Year
2016
ISBN
9781317383659
Edition
1

1 Risk management and cyber risk in the financial services sector: an overview

Ruth Taplin*
DOI: 10.4324/9781315675930-1

Overview

Cyber risk and threat are all around us. While writing my chapters for this book and editing it, I was hit by a phishing scam that bombarded my computer with bogus emails. It was disruptive to my work and ironic, as contributors were writing about this very type of cyber attack. That was a very small attack, however; the chapters in this book underscore the enormity of the damage that cyber risk and cyber attack can cause at every level of the economy, business and society.
The financial sector was chosen, along with data and medical data, because the volume of such threats and attacks is expanding dramatically in these sectors and, until recently, has been largely under-reported. This is due mainly to fears that customers will lose confidence in financial firms as ever more personal data is stolen and used for fraudulent and malicious purposes.
Is cyber threat and attack simply an extension of ordinary criminal activity into cyberspace, as some argue, or is it a new form of crime with its own peculiarities and cultural expression in different countries, as others in this book will put forward?
Damage from cyber attack can range from business interruption and financial loss on a small or large scale to loss of reputation and even destruction of physical infrastructure through the hacking of smart machines. This book covers the varied forms of possible cyber attack, explaining what they are, where they originate and who is behind them.
Managing the risk of cyber threat and attack is central to this book, because many technology-based ‘solutions’ are inadequate to deal with the ever-increasing volume of attacks and their many permutations. Managing risk ranges from educating staff to recognise and respond to an attack, through adequate insurance coverage, to understanding which insiders might be prone to hacking the company from within, perhaps in collaboration with external actors.
It becomes clear from the subsequent analyses that effective company-based risk management must be multidisciplinary, drawing in the in-house legal department, finance, sales, traders in the banking sector and underwriters in the insurance sector. Human-resources input can also be invaluable in identifying the disgruntled or revenge-minded employee, or the employee with financial problems or a taste for luxury that their salary cannot support.
In relation to the regional focus of this book, East Asia, including Japan, China and South Korea, is a region of booming economies and also of thriving communities of hackers. North Korea is not a thriving economy but has been politically implicated in numerous cyber attacks against South Korea, Japan and the United States. Japan has been using advanced technology to try to stop or manage cyber attacks, while China hosts hackers who are often sanctioned by the government to carry out external attacks, as well as domestic hackers who are responsible for a good deal of damage within China.
Europe as an economic bloc is wealthy, but it also includes Eastern Europe, where a good deal of cyber threat and attack originates, especially from Russia, whose hackers have been at the forefront of large financial and politically motivated attacks. Italy is one European country in which financially targeted cyber crime is soaring. A report published by DAS of the Generali Group stated that 22.3 per cent of Italians claimed to have been victims of cyber attack, with 13.3 per cent having been victims of identity theft through social networks such as Facebook and Twitter. The report also found that 70 per cent of users had experienced a threat to their identity through social networks, 44 per cent feared that their financial data were being accessed for illegal online purchases through their accounts, and 38 per cent believed that hackers were using their personal information to commit fraud.1
The US, being a wealthy country, has experienced a great amount of financial cyber attack and medical-data hacking. Both banking and retail have seen millions of customer accounts compromised and substantial damages paid to victims. There has also been reputational damage, notably the purportedly North Korean hacking of Sony Pictures, which leaked internal emails to damage reputations and relationships in retaliation for the studio’s portrayal of the North Korean leader Kim Jong Un as a buffoon who should be assassinated.

Recent phenomena

Awareness of cyber risk and its management, especially in the financial and medical-data sectors, is so recent that much of the information underpinning the analysis here comes not from an extensive literature review but from recent reports, newspapers, specialist cyber-risk companies and financial service associations, including their briefing meetings and conferences. Experts from East Asia, Western and Eastern Europe and the US are also a unique and fresh source of information, as they have been involved first-hand in cyber risk or in studies related to it.
As mentioned, the financial sector has been reluctant to divulge how much fraud and business interruption it has experienced, for fear of losing customer confidence and trust. Yet the losses due to hacking are phenomenally high.
The Financial Times2 noted that in summer 2014 JPMorgan Chase suffered a cyber attack that compromised the personal account data of 76 million households and roughly 2 million businesses. The breach was so severe that JPMorgan Chase doubled its spending on cyber defence.
The same article reported that a leading UK bank was found to have 22 critical flaws that could have given unhindered access to customer accounts. One of the major vulnerabilities was a ‘cross-site request forgery’: an attacker tricks a logged-in customer’s browser into sending a transaction request that carries the customer’s own session credentials, so the request walks in through the front door and bypasses the bank’s security procedures. The bank sees a normal transaction while the customer is totally unaware of any malicious interference. Bronzeye, a cyber security company, had warned the Financial Conduct Authority of this loophole in July 2014. The flaw involved a previously unidentified weakness in the bank’s two-step verification, in which customers received one-time codes by mobile phone to be used in tandem with their passwords.
One-time codes sent to mobile phones are very popular for financial transactions in Eastern Europe, where the Russian cyber security firm Kaspersky found that around 100 banks, mainly in Eastern Europe, had been subject to attacks that could have cost them up to US$1 billion. Such cyber-risk threats and attacks appear to be only the tip of the iceberg in global financial sectors.
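The mechanism described above, as an added example that is not from the book, the Financial Times article or the bank in question: a funds-transfer endpoint that authenticates on the session cookie alone, beside a hardened version that requires a per-session synchronizer token and binds the mobile one-time code to the exact transaction details. The session store, ledger, HMAC key and field names are hypothetical, and the attack simulation simply replays the form fields a hostile page would auto-submit from the victim’s browser; nothing here describes how the bank’s actual flaw worked.

```python
"""Cross-site request forgery against a transfer endpoint, and two defences.

Added illustration; all names, keys and state below are hypothetical.
"""
import hashlib
import hmac
import secrets

# Constructed server state: one logged-in customer and her balance.
SERVER_KEY = secrets.token_bytes(32)  # server-side key for binding OTPs
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf": secrets.token_urlsafe(16), "pending": None}
}
LEDGER = {"alice": 1000}


def vulnerable_transfer(cookie, form):
    """Authenticates on the session cookie alone.

    The browser attaches that cookie to any request sent to the bank,
    including a form auto-submitted by a page the attacker controls, so the
    bank sees an ordinary, fully authenticated transaction.
    """
    sess = SESSIONS.get(cookie)
    if sess is None:
        return (401, "not logged in")
    amount = int(form["amount"])
    if amount > LEDGER[sess["user"]]:
        return (400, "insufficient funds")
    LEDGER[sess["user"]] -= amount
    return (200, f"sent {amount} to {form['to']}")


def _otp_for(session_id, to, amount):
    """Six-digit one-time code bound to the exact transaction details, so a
    code issued for one transfer cannot authorise a different payee or amount."""
    msg = f"{session_id}|{to}|{amount}".encode()
    digest = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def _check_session_and_token(cookie, form):
    sess = SESSIONS.get(cookie)
    if sess is None:
        return None, (401, "not logged in")
    # A page on another origin cannot read the token, so a forged request lacks it.
    if not hmac.compare_digest(form.get("csrf", ""), sess["csrf"]):
        return None, (403, "bad csrf token")
    return sess, None


def start_transfer(cookie, form):
    """Step 1: validate the token, record the pending transfer and issue the
    bound OTP (returned here; a real bank would text it to the customer)."""
    sess, err = _check_session_and_token(cookie, form)
    if err:
        return err
    to, amount = form["to"], int(form["amount"])
    sess["pending"] = (to, amount)
    return (200, _otp_for(cookie, to, amount))


def confirm_transfer(cookie, form):
    """Step 2: token again, then the OTP must match the pending details exactly."""
    sess, err = _check_session_and_token(cookie, form)
    if err:
        return err
    if sess["pending"] is None:
        return (400, "no pending transfer")
    to, amount = form["to"], int(form["amount"])
    expected = _otp_for(cookie, to, amount)
    if (to, amount) != sess["pending"] or not hmac.compare_digest(form.get("otp", ""), expected):
        return (403, "otp does not match this transaction")
    sess["pending"] = None
    if amount > LEDGER[sess["user"]]:
        return (400, "insufficient funds")
    LEDGER[sess["user"]] -= amount
    return (200, f"sent {amount} to {to}")


def demo():
    """Replay the fields a hostile page would auto-submit with Alice's cookie."""
    forged = {"to": "mallory", "amount": "500"}  # chosen by the attacker's page
    results = {}
    results["vulnerable"] = vulnerable_transfer("sess-alice", forged)[0]      # 200: money gone
    results["hardened_no_token"] = start_transfer("sess-alice", forged)[0]    # 403: no token
    csrf = SESSIONS["sess-alice"]["csrf"]  # only Alice's own page has this
    _, otp = start_transfer("sess-alice", {"to": "bob", "amount": "100", "csrf": csrf})
    # Even with a valid token and a leaked code, retargeting the transfer fails.
    retarget = {"to": "mallory", "amount": "100", "csrf": csrf, "otp": otp}
    results["hardened_replay"] = confirm_transfer("sess-alice", retarget)[0]  # 403
    legit = {"to": "bob", "amount": "100", "csrf": csrf, "otp": otp}
    results["hardened_ok"] = confirm_transfer("sess-alice", legit)[0]         # 200
    results["balance"] = LEDGER["alice"]                                      # 400
    return results


if __name__ == "__main__":
    print(demo())
```

The synchronizer token defeats the forgery itself, because a page on another origin cannot read it out of the customer’s session; binding the one-time code to the payee and amount covers the separate case where a code is intercepted or a customer is socially engineered into reading one out, since the code then authorises only the transfer it was issued for.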
The insurance industry has only recently realised the importance of its role in managing the threat of cyber risk. In a report published in March 2015 entitled ‘UK cyber security: the role of insurance in managing and mitigating the risk’,3 former MP Francis Maude notes in the Foreword that 81 per cent of large businesses and 60 per cent of small businesses were the target of cyber attacks in the previous year, and that the number of such attacks had doubled since 2013. He highlights several important points concerning cyber risk and the need for more comprehensive insurance to deal with it.
One is the need to value more accurately the cost of cyber risk and the real value of the losses it causes. For years my books4 have argued for a process of valuing intellectual property and other intangible assets. In this report the first category requiring cyber-risk insurance protection is intellectual property. The ongoing problem is that, although intellectual property is a lucrative target for government-sponsored and business-derived hacking in particular, companies underestimate the value of their intellectual property and overestimate the coverage of their insurance policies. The report reflects the same problems that intellectual property insurance has faced over the years: only 2 per cent of companies hold full cyber-risk insurance. The lack of take-up of intellectual property insurance is as remarkable as the lack of demand for full cyber-risk insurance, despite the growing amount of high-cost intellectual property litigation and the increasing high-value losses from catastrophic single or multiple cyber attacks.
The other salient point made in the report is that, because most businesses do not fully understand cyber risk, they have not put in place the accountability or management structures to mitigate it. In this book we will not only explain all manner of cyber risk but also how to manage it.
As we will discuss, banks and particularly insurance companies cannot gauge how much loss from cyber attack they could withstand, because they are often unaware of the amount or variety of data they hold and therefore cannot judge its value, or its value to hackers. This is especially true in the City of London, where many insurance companies still have paper archives and do not know the value of that information, let alone of what they hold in great volume in their internet-based records. I have observed this after working for many years in the City of London.
The report also chronicles many of the loss categories that businesses face and need insurance cover for.5 They include: intellectual property theft; business interruption; data and software loss; cyber extortion; cyber crime/fraud; breach of privacy; information technology (IT) network failures; reputational risk/attack; damage to physical property; death and bodily injury; incident investigation; and response loss. Referring to cyber risk in the financial sector simply as cyber crime is therefore an inadequate definition. Cyber threat and cyber attack, the two main aspects of cyber risk, can cover all the above types of risk and more.
In this book we explore how, as volumes of retained personal data grow in banking and insurance, and as the insurance sector becomes more integrally involved in providing coverage for cyber threat and attack, these sectors themselves will increasingly become direct targets of such attacks. This means that methods of risk management will need to change, grow and adapt with the cyber-risk threat. To date this has not occurred to any significant degree.
Insurance companies, in fact, while not completely sure what data they currently hold, are requesting ever more data concerning their clients’ health records. The Medical Protection Society, for example, which represents 290,000 medical professionals, said it had seen a sharp rise in concerns about data requests by insurers, with about 2,300 calls from doctors on the subject over the past year.

Medical records risk

Medical records are protected by strict privacy laws in Europe and the US but, despite this, hackers view personal health information as a treasure trove. David Dimond, Chief Technology Officer of EMC Healthcare, based in Massachusetts, noted that it is relatively easy for hackers to open credit accounts using a birth date, health history and a social security number. With this information thieves can then bill US government healthcare programmes or insurance companies for fictitious medical care. He further pointed out that personal health records combined with financial data are worth three times as much to criminals as financial information alone.6

High tech leads to more healthcare hacking

The more healthcare relies on advances in high technology, the greater the opportunities for hackers to steal and misuse medical information. Perry Hutton, a regional director of the network security company Fortinet Africa, noted that the black-market value of personal patient data is 20 times that of credit-card details, which are stolen mainly from the data lists of retail outlets. Cyber criminals are also aware that the fraud-detection algorithms used in the card industry alert risk managers to unusual activity very quickly, so that it can be investigated immediately, often by automated systems. The insurance arm of financial services holds the majority of healthcare details for medical insurance but is less protected than banking, with fewer internal risk-management strategies. He adds that it can take up to a year for patients to realise that their personal healthcare information has been breached.
A recent study by Gemalto, a digital security company, found that no industry experienced as many data breaches as healthcare, with 391 incidents recorded for 2014, one-quarter of all breaches that year. In real terms this means healthcare organisations had 29.4 million data records compromised in these attacks, and the average number of records lost per healthcare breach was 75,152, up from 49,000 in 2013.
Among the top healthcare data breaches of 2014 involving identity theft, Gemalto listed the Korean Medical Association, with 17 million records; Community Health Systems, with 4.5 million records; and the State of Texas Department of Health and Human Services, with 2 million records exposed to identity theft.7
Data breaches involving medical records are growing steadily, especially in the US, where healthcare and pharmaceuticals are big business. In 2011 and 2012 there were 458 large breaches of health data, involving 14.7 million people in total, according to the federal Department of Health and Human Services. In 2013 and 2014 there were 528, involving 19 million people. A rough breakdown shows that about 10 per cent of breaches stem from hacking, while approximately half are physical thefts of records or computers. The rest are inadvertent losses, unauthorised disclosures or improper disposal of medical-record information.
As mentioned above, it is often a company’s own employees who steal internal data. For example, in November 2013 an employee at US-based UPMC McKeesport was caught rifling through the electronic health records of 1,279 patients. The employee was dismissed, and hospital staff were retrained.
UPMC devised a management solution by programming its systems to monitor employees’ access to patient health records. If an employee’s normal pattern of record access changes dramatically, for instance a sharp rise in the number of records viewed, the system alerts management to the unusual activity, which often leads to evidence of hacking.
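One way to implement the kind of access monitoring UPMC describes, as an added example that is not UPMC’s own code: count the distinct patient records each employee views per day and compare each day against that employee’s own earlier history, with an absolute floor so that a low-volume user is not flagged for one extra chart. The audit-log format, user names, patient identifiers and every record in the sample log are constructed for this example.

```python
"""Per-employee access-pattern monitoring over an EHR audit log.

Added illustration; the log format and all records are constructed.
"""
import statistics
from collections import defaultdict


def build_sample_log():
    """Constructed audit log, one access per line: '<timestamp> <user> <patient> <action>'.

    nurse01 views 4 patients a day for a week, then 40 on the eighth day;
    clerk02 views the same 2 patients every day.
    """
    lines = []
    for day in range(1, 8):
        for i in range(4):
            lines.append(f"2013-11-{day:02d}T09:{i:02d}:00 nurse01 P{1000 + i} VIEW")
        for i in range(2):
            lines.append(f"2013-11-{day:02d}T10:{i:02d}:00 clerk02 P{2000 + i} VIEW")
    for i in range(40):  # day 8: rifling through records outside the usual caseload
        lines.append(f"2013-11-08T13:{i:02d}:00 nurse01 P{3000 + i} VIEW")
    for i in range(4):   # day 8: clerk02 as usual (two distinct patients, viewed twice)
        lines.append(f"2013-11-08T09:{i:02d}:00 clerk02 P{2000 + i % 2} VIEW")
    return lines


def daily_distinct_patients(lines):
    """Map user -> date -> number of distinct patient records viewed that day.

    Distinct patients, not raw events, so that re-opening one chart all day
    does not look like browsing the whole ward.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        timestamp, user, patient, _action = line.split()
        seen[user][timestamp[:10]].add(patient)
    return {user: {day: len(p) for day, p in days.items()} for user, days in seen.items()}


def flag_anomalies(counts, min_history=5, z=3.0, floor=10):
    """Flag (user, day, count, threshold) where a day's count exceeds the
    user's own baseline from earlier days: mean + z * stdev, never below
    `floor`, and only once `min_history` days of history exist."""
    alerts = []
    for user, days in counts.items():
        for day, n in sorted(days.items()):
            history = [v for d, v in days.items() if d < day]  # earlier days only
            if len(history) < min_history:
                continue
            mean = statistics.mean(history)
            spread = max(statistics.pstdev(history), 1.0)  # avoid a zero-width baseline
            threshold = max(floor, mean + z * spread)
            if n > threshold:
                alerts.append((user, day, n, round(threshold, 1)))
    return alerts


if __name__ == "__main__":
    for alert in flag_anomalies(daily_distinct_patients(build_sample_log())):
        print("ALERT user=%s day=%s distinct_patients=%d threshold=%.1f" % alert)
```

Comparing each employee against their own history rather than a single house-wide limit is what lets a ward clerk and an emergency physician coexist under one rule; the cost is that a genuine change of role (a new ward, a new caseload) will raise an alert until the baseline catches up, which is the moment to re-baseline rather than to loosen the rule. A production version would also key the baseline on the relationship between employee and patient (treating clinician, same ward, same admission), since a single look at a record with no such relationship is itself a signal regardless of volume.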
However, as data is spread further afield, managing cyber risk becomes more complicated. UPMC’s security personnel are stretched as data are sent out to centres where clinicians can access them through smartphones and tablets, which hackers can more easily compromise. To counter hackers creating ever more sophisticated imitations of UPMC’s web pages to ‘phish’ passwords from employees, or even from patients who use the online patient portal, the company runs simulated phishing campaigns to test whether employees are careless with passwords.8
In March 2015 80 million p...

Table of contents

  1. Cover
  2. Halftitle Page
  3. Routledge Studies in the Growth Economies of Asia
  4. Title Page
  5. Copyright Page
  6. Contents
  7. Illustrations
  8. Contributors
  9. Foreword
  10. Abbreviations
  11. 1 Risk management and cyber risk in the financial services sector: an overview
  12. 2 A taxonomy of cyber crime in the financial sector: a comprehensive approach to countermeasures
  13. 3 Big Data analytic tooling and cyber-risk management
  14. 4 Cyber risk and managing risk in the United States
  15. 5 Cyber security of financial sectors in Japan, South Korea and China
  16. 6 Real-world evidence and Big Data in medicine: is there a financial and legal risk linked to cyber crime?
  17. 7 Cyber risk and data protection in Polish financial sectors
  18. 8 Dealing with cyber risk in Japanese financial institutions
  19. Postscript
  20. Index