2020 Cyber Security Risk Report

Table of Contents

Foreword
Message from the CEO
Solving the Cyber Puzzle
1. The Puzzle: Intellectual Property
2. The Puzzle: Mergers and Acquisitions
3. The Puzzle: Retirement
4. The Puzzle: Executives
5. The Puzzle: Computer Crime
6. The Puzzle: The Corporation
Putting it All Together
Contributors and Contacts
References

FOREWORD

Message from the CEO

This year, Aon will celebrate 20 years of delivering Cyber Solutions to clients. In 2000, the newly formed Aon Technology and Telecommunications Group issued the first insurance policy that covered cyber exposures as part of an Errors and Omissions placement. That same year, Stroz Friedberg was founded.
Today, we are united as Aon's Cyber Solutions and our greatest advantage is the ability to leverage our experience to benefit the needs of our clients. From Risk Transfer, Quantification, Cyber Risk Consulting, Incident Response, Digital Forensics, Investigations and Intelligence, and eDiscovery, we have worked and solved some of the world's most difficult challenges. Our experience and proven ability to exceed clients' expectations continue to set us apart in an increasingly crowded field of competitors. There are no other firms that bring our holistic suite of solutions to market and can demonstrate the continuity of performance across these disciplines like we can at Aon's Cyber Solutions. Many firms can only promise the potential to do what we have already done.

As we reflect upon this significant milestone, it is the perfect time to share our 2020 Cyber Security Risk Report: Solving the Cyber Puzzle: The Unexpected Ways Cyber Risk Impacts Your Business. This year's Report demonstrates the breadth and depth of our collective understanding of cyber risk across Aon. In it, we focus on the unexpected ways that cyber risk impacts clients, in six less-appreciated areas: Intellectual Property, Mergers and Acquisitions, Retirement, Executives, Computer Crime and The Corporation. Our experience allows us to see the entire puzzle and how the pieces fit together. As such, part of the Report provides a playbook for each highlighted risk to help organizations “solve” the ever-more-complex puzzle that is cyber risk.

As outlined in our recent white paper, The Cyber Loop: Managing Cyber Risk Requires a Circular Strategy, there is nothing linear about cyber security. Solving the cyber puzzle requires a tactical mix of technology, people and process in the form of assessment, quantification, insurance and incident response readiness.
Regardless of where your organization is in its digital journey, the Cyber Loop can help insulate your company from a variety of cyber risks. And importantly, it acknowledges that cyber risk is an enterprise risk, not solely a technology concern. Companies have a duty to understand that corporate risk, and the threat to business continuity and customer data, is at stake.

Every business has a cyber story. We look forward to continuing the story with you for another 20 years as your chosen cyber security partner. We remain committed to helping organizations uncover and quantify cyber risks, protect critical assets and recover from cyber incidents.

Jason Hogg
CEO
Aon's Cyber Solutions

Theft, misappropriation or infringement of intellectual property (IP), assets that lack physical substance such as patents, trademarks, copyrights, data rights and trade secrets, poses a significant and growing risk to your organization. From 2005 to 2018, the value of intangible assets held by the five largest companies by market cap increased from $9.28 trillion to $25.03 trillion. IP is core to innovation and business growth, and with cyber incidents targeting IP on the rise, the danger shows no sign of stopping.

In its 2017 Update to the Report on the Theft of Intellectual Property, the IP Commission organizes the cost of American IP theft into three categories (counterfeit or pirated tangible goods, software piracy and trade secret theft) and estimates the annual cost to be more than $225 billion, and possibly as high as $600 billion. Baker McKenzie suggests this to be a $1 trillion a year problem. The threat comes from several different actors, including current and former employees, the organization's supply chain, third-party vendors and state-sponsored cyber criminals or hackers.[2]

Intellectual property losses are often complex; IP is often more difficult to value and insure when compared to traditional property losses, for example.
Costs associated with IP litigation, damages and theft can be devastating. Despite the importance of IP to an organization, and the percentage contribution of IP to the total assets on the balance sheet, physical assets, in the form of property, plant and equipment, have much more coverage by insurance (60% versus 16%).[3]

A key concern is the theft of trade secrets, which according to the U.S. Chamber of Commerce is valued in excess of $5 trillion. Trade secrets are defined differently around the world, but broadly, according to the World Intellectual Property Organization (WIPO),[4] trade secrets include “any confidential business information that provides an enterprise a competitive edge.”

In December 2019, the federal government brought criminal charges against two former technology company employees accused of stealing trade secrets. In its request to monitor the location of the suspected perpetrators, the prosecution expressed “deep concerns” that the former employees would try to flee the U.S. One worked on a secretive self-driving car program and allegedly took files related to the project before disclosing his intent to work for a foreign competitor. The second purportedly took more than 2,000 files containing “manuals, schematics, diagrams and photographs of computer screens showing pages in secure databases,” with intent to share.[5]

Another notable case is the theft and subsequent copying of an Australian metal detector company's product designs when a hacker broke into an employee's laptop via a hotel Wi-Fi connection during a business trip to China. The company was forced to slash prices to compete with counterfeits and spent considerable sums on private investigators. As a result, its net profit fell to A$9.2 million ($9.76 million[i]) from A$45 million ($43.9 million[ii]) just a year earlier.
[6] With this backdrop, it makes sense that nearly half of 400 senior executives report that trade secrets are more important than patents and trademarks. However, less than one-third of companies have taken basic measures to protect trade secrets,[7] even when it is estimated that the value of trade secret theft represents one to three percent of U.S. gross domestic product (GDP).[8] Now in 2020, the significance and protection of IP need to be placed at the core.

IP theft is estimated to be a $1 trillion a year problem.

RISK 1: Intellectual Property, THE PUZZLE

Less than 1/3 of companies protect trade secrets.

i. June 30, 2014 Exchange rate: 1 1.0604, exchangerate
ii. June 30, 2013 Exchange rate: 1 1.0956, exchangerate

CYBER RISKS: Intellectual Property | Mergers and Acquisitions | Retirement | Executives | Computer Crime | The Corporation

Although Intellectual Property strategy, valuation and protection are issues for a board of directors to consider, IP protection resides in and across the remit of many corporate stakeholders including innovation officers, CTOs, heads of IP and human resources.[9] Organizations should allocate appropriate resources to the strategy, valuation and protection of IP based on a cost-benefit analysis.

An important step in solving the IP puzzle is for organizations to identify critical assets, sometimes referred to as “crown jewels,” to understand what Intellectual Property the company holds and where it sits across the organization's operating environment. Is the data stored on a network server, in cloud storage, on an employee's personal device or a third-party vendor system? What, exactly, is the essence of the Intellectual Property? Once identified, assets can be tagged, classified and protected, both physically and digitally.
The use of advanced control technologies and processes should be contemplated, including encryption, access controls, monitoring and logging technologies. These controls should be augmented by a robust employee training program. People are often the weakest link in an organization and IP is vulnerable to human error or carelessness. Training that addresses how IP can be unintentionally exposed is vital.

Quantifying the value of IP is an important step on the way to evaluating risk appetite and then insuring the value of the IP that could be compromised. Harvard Business Review reports that intangible assets make up 80% of the value of S

77% of high-net-worth individuals rank cyber risk as their number one concern and 75% of wealth advisors have been the target of cyberattacks.[26] Hackers are also motivated by the gain of strategic advantage and espionage makes up one quarter of C-level breaches.[27]

There are many underlying reasons for mounting executive risk. An increasing volume of cyber threats target executives due to their prominence in the media. Additionally, insufficient awareness and training programs related to cybercrime and frequent travel may increase risks for executives. It's not that the C-suite doesn't understand the gravity of cyber risk; 98% of these executives see cyber security as a key business driver, and many have some management responsibility for security.[28] It's the sophistication of the opponent, and the sheer rise in attack attempts that makes C-level executives more vulnerable, and makes solving this puzzle so complicated.
RISK 4: Executives, THE PUZZLE

C-level executives are 12x more likely to be pursued

Executive vulnerability assessment is a necessity and must consider not only areas of potential corporate compromise, but also personal and family member compromise. Organizations need to begin securing the executive team outside of its physical and digital walls. The personal vulnerability of key executives is an increasing target of opportunity for threat actors. Once compromised personally, the executive may be leveraged or extorted to act on behalf of the attacker or even unknowingly carry the cyber threat into the organization.

The open and dark web are prime resources to evaluate an executive's security risk posture. Once the risk is gauged, mitigation steps can be taken. Such mitigation actions can include hardening of security weaknesses, a focus on information governance and data protection, training on phishing and social engineering techniques, direction on how to lessen open source exposure, as well as knowledge-sharing of emerging fraud schemes. Incorporation of security technology is also valuable for executives and their family members, such as identity theft monitoring, use of secure VPNs and password manager tools. However, as with any form of technology solution, it is only useful if implemented.

Insurance is also available to help executives mitigate the impact of identity theft, business email compromise (BEC) losses and ransomware attacks. While cyber insurance is available to protect the corporation against liability and financial loss arising out of a breach of corporate networks, executives may want to add a layer of personal cyber insurance protection outside the corporate veil. This coverage is available at many corporations as an executive or employee benefit.
Personal cyber security insurance coverage continues to be an evolving area that companies should contemplate for their board, executives and employees.

Executives: THE PLAYBOOK

Organizations need to secure the executive team outside of physical and digital walls

The Puzzle: Computer Crime

Cybercrime is on the rise globally. Statistics gathered by the FBI's Internet Crime Complaint Center (IC3) for 2018 show Internet-enabled theft, fraud and exploitation remain pervasive and were responsible for $2.7 billion in financial losses in 2018. In the U.S., victims in the state of California lost more than $450 million through cybercrime.[29] For the small business, the risk is just as great with losses totaling almost twice as much per scheme as their larger counterparts.[30]

The median duration of a fraud scheme is 16 months. The longer a fraud lasts, the greater the financial loss. Business Email Compromise (BEC) and Email Account Compromise (EAC), embezzlement, financial statement fraud and allegations of bribery and corruption: the misconduct of just one individual can cause vast reputational and monetary damage. The 2016 Bangladesh Bank cyber heist pulled $81 million from accounts in just hours, not by stealing logins but by sabotaging the international money transfer system used to move currency.

BEC and EAC crime are growing at an alarming rate. BEC targets businesses that often work with suppliers or vendors, while the EAC variation targets individuals who regularly perform wire transfer payments. BEC/EAC is estimated to target 6,000 victims monthly and has reportedly caused more than $12 billion in international and U.S. losses in less than five years.[31] Individuals and businesses alike are at risk for falling victim, with scammers becoming more sophisticated in soc