Cyber Risks and Intellectual Property

In my last blog I outlined the first of the National Institute of Standards and Technology (NIST) framework functions: Identify, which is described by NIST as follows – “Develop the organizational understanding to manage cyber security risk to systems, assets, data, and capabilities.”

There are all kinds of angles that the Identify function looks at. Intellectual Property (IP) from an insurer’s perspective, for example. It’s possible that the cyber risk is going to impact the actuarial equations and approaches that an insurance company undertakes. It may be an insurer’s claims processing procedures.

The Head of a Claims department, for example, would likely not want a potential claimant to know that claims under a certain value are going to be automatically approved. The loss - or leakage - of this data could be costly, particularly if there is a chance that some policyholders/claimants use the information to commit fraudulent acts as a result.

So that kind of IP loss is a major risk that all companies need to think about. It’s often not the first exposure on their risk radar. In my experience, organisations typically think about email risks and the possibility that their client or their insureds’ data could go missing, particularly if they are a life insurance company.

Also, consumer-based products like automobile insurance, for example, can be identified as another risk. Where insurers collect a lot of data about an individual, that information is private personal data that falls under the remit of the UK’s Data Protection Act. Therefore organisations have to identify the data that they need to protect for regulatory reasons.

CIOs and the C-suite need to identify that information fast, but these days the process of identification can be manifold. There might be other processes that organisations are going through that identify their critical systems and data. Performing a business impact analysis, for example, may lead an organisation to identify the systems and the data that the company considers critical to the ongoing running of that organisation. Most companies will accept email being down for an hour, but email being down for a month? That is at a completely different end of the scale. In most organisations, if email is down for a day they wonder how they can continue!

The other thing to understand about organisational resiliency, which forms part of cyber security, is knowing what your assets are and also which times of year are important. So around the time of an insurer’s Solvency II reporting, for example, certain systems are going to be more important than they are in the middle of August, when many underwriters are likely away on holiday.

So identify the assets and make sure you are considering the risks that you are facing. Is hacking your primary concern? Are you the type of organisation that is attracting hacktivists with an agenda? Are you a company that is attracting the attention of a nation state, for example? Are you holding information that a nation state might want to obtain for whatever reason?

In my next blog I will look at ethical consumerism and the risk presented by modern-day “hacktivists.”

Darren Wray