08 Nov Ongoing failure to safeguard against cyber threats could cost UAE businesses millions, warns global insurer AIG
Many UAE companies remain critically vulnerable to cyber-attacks because of a failure to maintain basic cyber-hygiene practices, according to Alexander Blom, head of Broker and Client Management at AIG MEA (Middle East and Africa).
Since May this year, local companies which do business in Europe also face the added threat of falling foul of the General Data Protection Regulation (GDPR) if their cyber-security is not compliant, which could lead to significant fines.
AIG has seen a doubling of cyber insurance queries and purchases in the UAE in the past two years, while across the EMEA region it saw as many claims notifications in 2017 as in the previous four years combined – receiving the equivalent of one claim per working day. While market awareness of cyber threats is improving, the company’s experts still frequently come across businesses with poor governance and controls in place.
This adds weight to evidence that the UAE ranks highly for cyber-attack exposure at a time when the proliferation of attack- and vulnerability-exploitation tools has helped create an ecosystem that caters to both petty criminals and organised crime entities. AIG’s claims reveal ransomware to be the biggest single threat, followed by phishing, data leakage and hacking.
Alexander says: “Cyber-attackers today have a very low entry barrier into this ‘market’, because the tools needed to cause maximum disruption are readily available and do not require in-depth technical knowledge. In addition, data vulnerabilities can now be exploited at an incredibly fast pace – what once might have taken months can now be achieved in a matter of hours.
“In the context of this cyber environment, it is vital that businesses comply with data protection rules. Not only will this minimise the risk of attack, it will also safeguard them against the impact of the European Union’s GDPR regulations. If applicable UAE companies suffer a data breach and are found not to be compliant with the regulation, they could face a fine of €20 million or 4% of their total worldwide annual turnover.”
AIG held a briefing for leading UAE businesses, providing practical information about managing cyber risk and best practice when responding to cyber incidents. Organised by AIG, the event was jointly hosted by a panel of industry experts from KPMG, NYA and Norton Rose Fulbright.
To meet demand from businesses in the UAE, AIG has developed CyberEdge – a policy which can assist with the financial and reputational ramifications that can result from a data breach and minimise business disruption.
AIG has also shared the following five key cyber-risk management strategies businesses in the UAE should adopt to help reduce the threat:
1) The final responsibility for all cyber risks resides with the business executives and the board, and yet far too often this layer of management is the least knowledgeable. AIG addresses this, in a collaboration with the Internet Security Alliance, in its directors’ handbook for cyber risks (http://isalliance.org/isa-publications/cyber-risk-oversight-handbook/).
2) Cyber-risks are business risks. It is therefore recommended that companies have a clearly identified Chief Information Security Officer with sufficient budget and personnel to accomplish the job, and ideally with a direct reporting line to the CEO and/or active membership in the executive team.
3) More than 80% of all threats in cyber space can be mitigated by doing a few things “right”. Good cyber hygiene, i.e. timely patching, close control over user access, asset control, etc., prevents enterprises from becoming a random victim of widespread attacks coming from the internet.
4) Attackers are always at the forefront of finding new ways to achieve their objective, i.e. breaking into organizations. It is therefore key that enterprises react and adapt quickly to new threats. Here, individual excellence in security operations, as well as collaboration with peers, NGOs and GOs, is an important success factor.
5) Cyber-risks, like all business-related risks, need to be analysed in the context of the actual business. It is key to understand the impact a cyber incident can have on the value generation of the business, i.e. business interruption or denial of service attack, and what costs are associated with a data breach. Additionally, the impact on reputation and, in the case of industrial espionage, stolen information are important cyber risks. AIG supports its clients in quantifying their cyber risks as part of the AIG Cyber Underwriting Model.
For more information about AIG and its CyberEdge policy, visit: https://www.aig.ae/business/product-categories/financial-lines/cyberedge.