IoT and Cyber Risk: Establishing Communication between the CISO and the Risk Manager

Lex Baugh, CEO at North America General Insurance AIG, kicked off the session by reminding the audience how things were in 1997 when the first cyber insurance policy was issued.

Back then, just 39 percent of American homes had personal computers. It was ten years before the first iPhone came to market. Since then, day-to-day life and business operations have changed exponentially. So cyber risk did. 

Today's real risk exposure shifted and it is found everywhere. It is, for example, in "vehicles with autonomous features, with software that updates overnight that may no longer be a consumer product when they are always connected to the factory," said AIG's Lex Baugh.

"Similarly, risk shifts when gas turbines are sensored to the point where we can actually create a digital twin of that gas turbine and we can    remotely control it from an industrial control platform." 

"Cyber risk is abound."

"Airplanes pilot themselves. By the way, they're doing a pretty good job of it. The last mile delivery has been optimized. Fleets run simply on telematics. Supply chain is automated. Buildings and homes tell us when there is a flood. Travelers rely on digital wallets. University students interpret ethics as machine learning interns. And temp staff agencies use wearables to prevent worker injuries. Cyber risk is abound." said Lex Baugh. 

Today, 89 percent of enterprises have plans to adopt or have already adopted a digital-first business strategy to improve process efficiencies and meet and exceed customer expectations. It has been estimated than by 2020, 83 percent of enterprise workloads will be in the cloud, rather than on-premises. 

IoT adoption and cyber attacks 

The global broad adoption of the Internet of Things (IoT) devices at both consumer and enterprise levels has, undoubtely, improved safety, efficiency, and convenience. "However, basic security is not often a feature of these devices," Lex Baugh said.  

"Basic security is not often a feature of these devices."

From smart home devices such as the popular digital voice assistants to manufacturing applications such as sensors that constantly monitor the status of assembly lines, both consumers and enterprises are getting more and more into smart living.

Yes, security and privacy is still a concern. "Security and privacy continue to be a barrier in product adoption," said Kathy Sheehan, EVP of Consumer Life at GfK at a previous panel discussion at CES 2019.   

By 2020, research firm Gartner estimates there will be 20.4 billion IoT devices --not including smartphones, tablets, and computers-- and they will operate on their own without much involvement or oversight by humans. 

A common concern rises, however, from the knowledge that despite IoT devices improve daily life and business operations they introduce new security risks. To this, we have to add the lack of skillful security experts who can keep up with fighting security breaches. 

"Nearly 75 percent of all IoT devices are susceptible to hacking. At the same time, cyber attacks are on the rise."

According to AIG, many manufacturers overlook even basic security features, such as unique passwords shipping with devices. This is because getting products to market quickly at lower-cost becomes the priority. 

A high profile study by Hewlett Packard found 25 vulnerabilities, including weak passwords and weak protection software in each of 10 common consumer smart devices. The study concluded that nearly 75 percent of all IoT devices are susceptible to hacking.

"At the same time, cyber attacks are on the rise," Lex Baugh said.   

Moreover, many IoT users either don't know that they can make devices more secure, ignore the fact that they can get hacked, or simply don't bother to learn about basic security measures they can take to protect their devices and data. 

According to a recent survey of CIOs and other decision makers, in the United Kingdom, 47 percent of users don't change default passwords in IoT devices linked to their networks. Consequently, these devices become an easy access point for cyber criminals looking to infiltrate or attack a computer system. 

Cyber risk represents one of the top threads facing eneterprises today

• Many devices lack basic security 

• 61 percent of small/medium businesses experienced a cyber attack in 2017 - that's the ones we know about 

• 82 percent predict unsecured IoT devices will cause a data breach 

• Less than half of IT security practitioners believe they can protect their organizations 

"Cyber defense is a team sport."

As cyber crime continues to rise, Chief Information Security Officers and Risk Managers must start conversation and collaboration. The partnership bewteen the Chief Information Security Officer (CISO) and the risk manager has become paramount. "Cyber defense is a team sport," said Lex Baugh.

To help with that, the panel introduced and discussed questions for risk managers to ask CISOs and questions for CISOs to ask risk managers. 

Questions for Risk Managers to ask CISOs

• What are our unique vulnerabilities? 

• How do we currently protect ourselves? 

• What could our vulnerabilities cost us? 

Questions for CISOs to ask Risk Managers 

• Why should we consider cyber insurance?

• What does cyber insurance cover?

• How is the legal landscape shifting the IoT? 

A conversation between the CISO and the Risk Manager can help the CISO stay at the front of the changing landscape. 

Not only CISOs and Risk Managers should get involved in the cybersecurity conversation. There are also questions for other business leaders that must be addressed: 

Qustions for other business leaders 

• Would we pay a cyber ransom? 

• What will it cost the business if the network is down for 1 day, two days, or more?

• How will our system alert us to a threat?

• What reporting requirements apply?  

• Do we have safe and secure backups? 

• What is the process for assessing the state of the breach and its impact?

• Under what cyber attack circumstances would we disconnect out servers from the networs? 

• Who are our third parties? What are each party's notification responsibilities in the event of a breach? What service level do we expect from them? 

• What is out liability in the given scenario? 

• Do we contact law enforcement? If not, why not? 

• Can IT guarantee that if some systems are down, backups are safe and secure? Have we tested them or can we test them in a safe environment before restoring? 

• If the scenario is multi-national, are we aware of foreign rules and regulations, and are we prepared to comply?

Who should discuss a comprehensive cybersecurity incident response plan: 

In summary, the Internet of Things is creating increasing risks for enterprises. To ensure that organizations are protected from cyber attacks the collaboration between the CISO and the Risk Manager is paramount and well as the discussion with other business leaders from across the company. 

[see-also]

Preventing cyber attacks is key. If a cyber attack occurs regardless, responding as quickly as possible is paramount. In case a cyber attack does occur, the goal is to achieve restoration in a timely manner in order to minimize long-term fallout. 

These topics and more are part of AIG's new whitepaper Getting Hacked: IoT and Beyond, which is part of Risk and Innovation, a series on cybersecurity available to enterprise security leaders.