Unreported Cybersecurity incidents! A new report from MarkMonitor says 65% of victims choose not to report the incident to authorities.
Regrettably, more and more people and companies fall victim to cyberfraud, yet unreported cybersecurity events remain very common. Why are people and enterprises not reporting cyber security events?
A quick review of large-scale data breaches in 2015 shows the exposure of approximately 429 million personal records. These estimates are low because of unreported cybersecurity data breaches. In fact, the “real number” of exposed personal records is estimated to exceed 500 million.
In the past, cyber security attacks went unreported because of the expected reputational harm. Now, discussion is just starting on how the underreporting of cyber incidents affects cyber security and cyber insurance.
Many people believe that disclosing cybersecurity incidents can be detrimental to the person disclosing them. As an example, Target’s CEO resigned in 2014 after it suffered its historic data breach. The CEO of the adult website, Ashley Madison, was forced into early retirement after his company was hacked and the personal information of its users was breached. In short, the CEO is blamed and fired after a data breach! So, CEOs won’t encourage reporting cyber security incidents…
There is evidence that shows unreported cyber security events…
The report, “How Many Cyber-Heists go unreported?” published in IT-Online, provides further evidence that many cyber security incidents are not being reported. There is no transparency; few cyber heists are reported. Only the biggest data breaches capture enough attention to make headlines.
The report is based on statements from cyber security specialists that financial institutions “do not want to let the public know about any security breaches” because “[i]t can have a profound impact on their reputations.” The report finds “there is little information for cyber journalists to work with to adequately report on these occurrences.” It concludes that cyber security measures are stunted when cyber security professionals lack information about breaches and cannot study the methods hackers currently use.
The recent Symantec report, Internet Security Report 2016,
The fact that companies are increasingly choosing to hold back critical details after a breach is a disturbing trend. Transparency is critical to security. While numerous data sharing initiatives are underway in the security industry, helping us all improve our security products and postures, some of this data is getting harder to collect. Other reports concerning the underreporting of cyber security incidents indicate that many may be deliberately withheld from the public:
…just under a fifth (19%) said they do have [formal processes in place to notify data protection authorities (within 72 hours) and the public] but deliberately avoid telling their customers. This percentage grows in industries such as financial services (22%), large businesses (33%), and construction and engineering companies (50%).
Unreported Cybersecurity incidents affect cyber insurance costs
Underreporting cyber security incidents makes determining the value of cyber insurance difficult for both insurers and insureds.
From an insurer’s standpoint, it’s hard to offer a useful cyber insurance product if there is a lack of information concerning the number of breaches, the number of victims, hackers’ successes/failures, types of targets and the methods used to attack those targets. Insurers also cannot properly assess their risk related to cyber insurance products without proper data. When only large cyber security incidents are reported, insurers cannot determine what types of businesses are being targeted by hackers and adjust the premium to that risk.
From an insured’s standpoint, a company may question the need for cyber insurance, or may buy less coverage than is recommended, if it is considering not reporting a cyber incident in the first place. The value of cyber insurance may be undercut if a company enters the cyber insurance market knowing that it will most likely not make a claim on its policy even if it has a breach, merely to avoid negative publicity or reputational harm.
New research from MarkMonitor®: 45 Percent of Consumers Have Been a Victim of Cybercrime. One in six consumers globally lost money, with 20% of victims losing more than $1,300. 65% chose not to report the incident to authorities.
Of the cyber crimes carried out, false requests to reset social media account passwords were the most common fraud, followed by emails impersonating legitimate companies attempting to solicit personal information (17%).