Cyber Risk Definition

What is cyber risk?

“Cyber risk” is the potential for loss arising from an organisation's technical infrastructure (e.g. servers, databases) or from its use of technology. The loss can take many forms, from a hacker draining a bank account to an employee accidentally exposing private data to visitors of the company website.


What are the different definitions of cyber risk?

While cyber risk exists in an almost limitless number of forms, it can be categorised broadly into four types, based upon intent and where the risk originates:

  • Internal and malicious. A deliberate act of sabotage or theft by someone inside the company. It could be a disgruntled employee deleting or stealing data from the central system, or deliberately installing malware on company machines.
  • Internal and unintentional. A mistake by an employee. Even the most well-intentioned and knowledgeable employee can accidentally disable a firewall or an internal backup system.
  • External and malicious. A deliberate attack by someone outside the organisation, and the kind taken most seriously. This could be a criminal group infiltrating your databases, or a denial-of-service attack that overloads and takes down critical systems.
  • External and unintentional. An accidental impact on your systems, such as a software error or a natural disaster affecting system availability.

What are the biggest threats when it comes to cyber risk?

We’ve defined cyber risk, but let’s go a step further and run through what these risks actually are. Here are some of the most dangerous threats out there:

1. Ransomware

Ransomware is malicious software that, once run inside a company's network, encrypts the company's files or otherwise locks it out of its own systems. The perpetrators then demand a ransom in exchange for restoring access to the data.

Ransomware is a growing threat to both individuals and businesses in Australia, especially as ready-made ransomware kits become increasingly available on the darknet.

Cybercriminals usually demand payment in cryptocurrency, which is difficult to trace. They also tend to set the ransom low enough that paying looks cheaper than the cost and disruption of recovering the systems another way. However, paying is no guarantee that the data will be unlocked: the decryption key may never arrive or may not work, and the attacker may still leak or sell the data. Tested, offline backups are the dependable way to recover without paying.

2. Credential-harvesting malware

Credential-harvesting malware is a growing threat in the financial sector. It targets smartphones and the data stored on them, including:

  1. Financial information which criminals can use to commit fraud
  2. Personal information that they can use to commit identity theft

Two examples of credential-harvesting malware that have had a significant impact in Australia are Gozi and Mazar. Gozi is a well-known, widely distributed banking Trojan that has been active for several years. Mazar is Android credential-harvesting malware that spreads via unsolicited SMS messages carrying download links and via pop-up downloads.

3. Social engineering

Social engineering occurs when cybercriminals obtain sensitive information from a company by posing as representatives of a legitimate organisation, e.g. the company's bank. The request typically arrives by email dressed up with the organisation's letterhead and branding so that it appears genuine.

Social engineering campaigns in Australia can be very sophisticated, sometimes combining bogus phone calls with emails to reinforce the sense of legitimacy. Cybercriminals target individuals as well as businesses, particularly those with limited knowledge of computers and of social engineering techniques.

4. Threats associated with outsourcing and supply chain

Companies that use outsourced providers are exposed because they often give those providers extensive access to the company's networks and data. For example, a government agency may rely on a research firm to handle the public's data.

If a cybercriminal can compromise a service provider, they can potentially gain access to the data of some or all of that provider’s customers.

In the case of government customers, this could not only financially compromise members of the public but also have serious security implications.

5. Personally identifiable information

Basic information such as a person's name, address and date of birth, known as personally identifiable information (PII), can be enough to commit identity theft.

PII is often held in large data warehouses by governments and businesses. It is valuable to cybercriminals because it can be used for fraud, identity theft and even ransom demands.

6. Malicious use of leaked tools

Because cybercriminals share tools built for network exploitation, the number of successful attacks on Australian businesses is likely to keep growing: less skilled criminals use these leaked tools to attack targets they could not previously reach.

As long as there is a dark web and skilled cybercriminals intent on malicious activity, such tools will remain available. The most effective protection a business has against them is to keep software up to date and apply all security patches promptly, since leaked tools typically exploit vulnerabilities for which fixes already exist.

What are the consequences of cyber attacks?

As noted above, cyber attacks come in endless varieties with a huge range of possible outcomes. Some of the consequences are:

  • Loss of important or confidential data
  • Loss of customers due to data breach or negative media attention
  • Loss of share value
  • Business interruption
  • Property damage
  • Theft
  • Regulatory fines
  • Extortion and blackmail
  • Breach of contract
  • Product recall
  • Network security liability

Who is responsible for managing cyber risk in a business?

Businesses often place responsibility for cyber security entirely on IT staff and a few managers. However, because everything in a business is interconnected, a mistake by any staff member, not just technical employees and management, can have company-wide consequences.

For example, an employee who forgets to log out of a system can leave it wide open to data theft.

1. Technical personnel and managers

The list of people responsible for data security is long, and may include the following technical personnel:
  • Chief information officer (CIO) and chief information security officer (CISO)
  • Chief technical officer (CTO)
  • Chief risk officer (CRO)
  • IT and cyber security staff
2. Other staff

Outside of technical staff, responsibility could extend to:
  • Executive/senior management
  • Board of directors
  • Major shareholders and investors
  • Business partners
  • GRC professionals
  • Legal counsels
  • Product management/engineering
  • Other users of the system (general employees)

What is 'cyber risk appetite'?

When assessing cyber risk and making decisions about cyber security, it is important to understand that risk can never be fully eliminated, only reduced. A company defining its cyber security policy therefore needs to define its cyber risk appetite: how much risk it is willing to tolerate, and how much it is willing to spend to manage that risk.

Several key questions help an organisation's key stakeholders determine its cyber risk appetite:

  • What losses would be catastrophic?
  • What can we live without and for how long?
  • What information cannot be allowed to be made public or stolen?
  • What could cause harm to employees, customers, and partners?

Cyber risk is already an immense concern: the global cyber risk insurance market stands at around $2 billion in premiums, and cyber crime costs the global economy an estimated $445 billion per year. As technology and daily life become ever more interconnected, this figure is expected to grow.

How might cyber risk change in coming years? Here are five of the most important future trends:

  1. The cyber insurance market could be worth over $20 billion by the year 2025.
  2. Liability and data protection are the biggest concerns right now, but business interruption cover will be increasingly sought over the next decade.
  3. Businesses will be increasingly exposed to supply chain risk. This includes digital and electronic interruptions of partners, contractors and other supply chain components.
  4. More sectors and institutions will seek cover for cyber risk, including transport, energy, utility, telecommunications and financial institutions.
  5. Catastrophic cyber loss is more and more likely. Governments and insurers themselves will need to work together to protect infrastructure.

Did you know that business insurance can cover cyber risk?

Modern business insurance policies offer options to cover cyber liability. Find out more by speaking to a broker.


Receive a quote for specialised cyber insurance

CyberCare Insurance

CyberCare covers cyber attacks and offers four levels of cover: Basic, Plus, Premium and Max.
  • Coverage limit up to $2,000,000
  • Network Interruption and Cyber Deception
  • Data Recovery and Data Extortion
  • Information security and privacy liability

Edmund Cyber Insurance

Edmund Insurance covers the modern cyber risks that traditional insurance does not.
  • Dedicated Cyber Insurance
  • Third Party Liability
  • Business Interruption Loss
  • 24/7 Emergency Response