CLOSE LOOK
Cyber security - what’s the big story?

In the digital age, the data belonging to a company or government body counts among their most highly valued assets. It is also of great value to cyber criminals, either for their own use or to sell on elsewhere. The pace of digital transformation has left the systems and infrastructure of corporations and nation states vulnerable to attack. Cyber security aims both to detect attacks and to protect critical data. We zoom in on this very 21st century phenomenon.

In 2021, a poll by AXA revealed US risk experts view cyber risk as their biggest single concern. The US is indeed the main target, enduring 65,000 attacks in 2020, with Europe the next in line. Major actors can be state sponsored or ideological, looking to cause disruption and even terror. Or they could just be in it for the money. As seen last year, targets can be very specific, like the shutdown of the Colonial Pipeline supplying fuel to the US East Coast. Or have no boundaries, like the global outage of Facebook.

The sums involved can be trivial or fairly weighty, such as the $4.4 million demanded by Russia-based ransomware group DarkSide to turn the Colonial Pipeline back on. The ransom was demanded in cryptocurrency, the means often favoured by cyber criminals. Although $2.3 million was later recovered, when the FBI gained access to the hackers’ virtual wallets via the blockchain. Meanwhile, the cost of cyber security to corporations alone was estimated to have hit $150 billion in 2021.

There’s an old saying: ‘It takes a thief to catch a thief’. And for cyber security the hackers themselves are in high demand, giving expert advice as to the best means of defence. For them, this is not a pitched battle, but a chess game, where critical data must be protected like the king. Their priority for an entity is to identify this data and its exact location. And then to confirm the identity of all who have access to strategic systems and ensure their moves towards this location are restricted.

Some cyber-crime victims feel security breaches should be covered up, as revealing chinks in their armour. But cyber security agencies advocate sharing reports, to prevent the same attack recurring. Even fines for those who don’t comply. The Biden administration recommends a ‘zero trust’ relationship with the digital supply chain to protect data. For investors, there are proposals that a cyber attack should be flagged as a ‘material’ financial event. The insurance industry is struggling to price the risk of large-scale events and, as with terrorism or floods, a government backstop might soon be required.