Cyber in CMT—Protecting Yourself and Your CustomersPrincipal, Communications, Media & Technology at Oliver Wyman Communications, Media & Technology, U.S. Practice Leader at Marsh Research Analyst at Asia Pacific Risk Center
Owing to rapid digitization, the communications, media and technology (CMT) industry, including the telecommunications sector, is exposed to a broad set of cybersecurity threats. According to the latest Marsh-Microsoft Global Cyber Risk Perception Survey, 13.5 percent of CMT companies reported that they have been a victim of cyberattacks in the past 12 months. Institutions in this space possess critical infrastructure and often act as conduits for critical information and transaction flows—for themselves and also for other sectors.
Furthermore, technology is outpacing the ability of CMT companies to manage, respond to and recover from cyberattacks. By way of example, CMT companies were found to be more confident of understanding and mitigating cyber risks than other industries on average. However, when it comes to recovering from cyber incidents, the CMT industry is just as insecure as others.
Therefore, it is imperative for this sector to understand the threats, the sources and the impact of cyber incidents and to develop a holistic approach toward cyber to future-proof its underlying infrastructure, operations and, ultimately, customer information.
Participants in the latest Marsh-Microsoft Global Cyber Risk Perception Survey were asked about their perceptions on cyber loss scenarios that would have the highest impact. Respondents highlighted business interruption and reputational damage as the top-two loss scenarios with the biggest impact.
Exhibit 1: Top Cyber Loss Scenarios with the Largest Perceived Potential Impact
Business interruption was highlighted as the greatest cyber risk in the CMT industry (77 percent), similar to other industries. Communications service providers usually have tight service-level agreements and are expected to supply high performance and uninterrupted levels of service to meet customer demands. Unsurprisingly, compromised connectivity or a “failure to perform” could lead to grave disruption, ripple effects and severe loss events.
Along with business interruption, reputational damage is perceived to be extremely harmful to the long-term health of the CMT industry (77 percent, significantly higher than the cross-industry average of 59 percent). For the CMT industry, and particularly in the telecommunications sector, customers, investors and government are likely to evaluate the track record of potential providers as they become more conscious of security.
Multidimensional Threat Sources and Impacts
The increasingly complex business models of CMT companies, along with the potential for cyber events to impact the customers they serve, underscore the industry’s vulnerability to human-induced threats. Players in the CMT industry flagged financially motivated threat actors (33 percent) and human error and “rogue” employees together (33 percent) as their biggest threat concerns. These are difficult to predict and anticipate, and their impact can be detrimental. Threat concerns stem from a range of factors, including but not limited to the prospect of financial gains and coercion and deliberate data manipulation or mere carelessness.
Consequently, the perceived financial impact of a cyber breach for the CMT industry is one of the highest among industries. More than 80 percent of the CMT companies expect direct losses of more than $1 million per incident, compared to health care (75 percent), energy (76 percent) and financial institutions (77 percent).
A Holistic Approach Is Needed
Companies in the CMT industry have already embarked on various strategic initiatives to improve cybersecurity. For example, in the case of telecom operators, the initiatives range from use of artificial intelligence and machine learning technologies, to procurement of cybersecurity insurance, focus on internal governance (via appointment of CISOs) and external collaborations around best-practice sharing, among others.
An all-encompassing data and cyber-risk strategy is founded upon a thorough assessment of risk, a defined risk appetite and a quantification of risk exposure. This risk-management strategy should then drive the right governance, identify threats and corrective actions, and quantify the amount of investment necessary to close gaps and vulnerabilities.
As part of expectations from management, shareholders, regulators, and ratings agencies, industry-specific mechanisms should be designed to safeguard against incidents as well as implement an up-to-date, proven cyber-incident playbook in case of breaches. Most CMT companies are still putting more emphasis on prevention or preparedness and do not focus sufficiently on detection and response.
Exhibit 2: Five Key Functions of the Cybersecurity Framework and Recommended Actions
Prepare and Prevent
A strong internal risk diagnostic, as a start, is required to assess a company’s cyber risks vis-à-vis industry peers. According to the Marsh-Microsoft Global Cyber Risk Perception Survey, 42 percent of CMT companies still haven’t conducted a cybersecurity gap assessment in the past two years. CMT companies need to identify, define and map the specific cyber threats to their tangible and intangible assets.
Educate your workforce and build a cyber-secure culture to combat increasingly complex and frequent cyberattacks. In 2017 alone, for instance, human error was found to increase cloud-related cyberattacks by 424 percent globally, and inadvertent activity, such as misconfigured cloud infrastructure, was responsible for almost three out of four compromised records. Given the volume and velocity of data within the CMT industry, training of all employees—not just cyber specialists—on handling customer data and policies associated with sensitive data security is key.
Expansion of the cybersecurity program should be a priority given the proliferation of the Internet of Things, mobile devices with access to corporate networks, and increasing digitization of physical networks in the CMT industry. Companies should emphasize proven cybersecurity hygiene practices, which are missing for half of the CMT companies at present. CMT respondents admit to not having hardware encryption (42 percent) and multi-factor authentication for corporate networks (44 percent).
Detect and Respond
Embed cyber in enterprise risk-management plans. IT departments are the primary owners and decision-makers for cyber-risk management across the CMT industry globally. In taking a more proactive approach to enhance cybersecurity, organizations are encouraged to better understand the return on risk through quantification and to build in-house capabilities across multiple interconnected functional areas aligned with their cyber strategy. Moving toward a more risk-driven perception will mean making cyber-risk management a top-down company-wide responsibility that distributes across departments.
Underpinning advanced data resilience frameworks is a strong detection mechanism. Almost two-thirds of CMT companies have not developed a cyber-incident response plan yet. Most alarmingly, 32 percent of CMT respondents claim that their companies lack the expertise to develop one, while only 33 percent are confident that their companies’ cybersecurity and firewalls are adequate.
Explore a comprehensive set of risk-transfer solutions. Given the complexity of cyber risks for CMT companies, only a portion purchase stand-alone cyber insurance. Historically, most of them have been required to purchase technology errors and omissions policies, which contain some amount of cyber coverages. However, as the severity of cyber events increases, and as they seek to protect massive research and development investments, CMT companies are looking at a range of risk-transfer solutions. From adding more stand-alone cyber insurance, to exploring more complex solutions—such as integrated risk, alternative risk capital, parametric risk solutions, and captives—there is recognition that, despite their best efforts, there will be loss events to finance.
Exhibit 3: Current State of Cyber-Risk Insurance in the CMT Industry
Call to Action
Companies need to carefully consider the overall approach to security to achieve the right balance between security and flexibility of use. Only with a stronger position in cyber-risk management and with cyber embedded into their business cases can CMT companies potentially differentiate themselves and bring greater value to their customers and clients.