Chubb SG Sme Cyber Preparedness Report
Introduction

There has never been a time when companies and organisations have been more at risk of having their data made public or stolen, be it through a deliberate cyber attack from an external or internal party, or as a result of system or human error.

Small and medium enterprises (SMEs) are at the heart of Singapore’s economy says the Singapore Government. Employing less than 200 people, they make up 99% of enterprises, employ two thirds of the workforce, and account for around half of Singapore’s GDP [1].

Clearly, SMEs are a hugely important part of the economy. They are deeply interconnected with consumers and with organisations of all sizes, making their ability to protect themselves from cyber risks essential.

In August and September 2018, the world’s largest publicly traded property and casualty insurer Chubb, partnered with YouGov to conduct a survey among 300 SMEs in Singapore to gauge their attitude to cyber risks. We specifically wanted to know how vulnerable they believe they are; how they protect themselves and prepare for potential risks; and, if exposed, how they react.

The results of our survey reveal a significant gap between the hard reality of cyber risk and how well small companies are prepared to deal with it.

[1] https://www.singstat.gov.sg/~/media/Files/visualising_data/infographics/economy/singapore-economy22032018.pdf
Digital disasters

2017 saw two major global cyber events that affected many industries across multiple countries. These events pushed cyber resilience up the agenda of governments and corporations alike.

In May, the WannaCry virus struck first in Europe before spreading across the globe. The virus was indiscriminate. It crippled SMEs as well as major companies, infecting more than 300,000 systems across 150 countries in a matter of days. This was followed by the more sinister malware, NotPetya, that brought several U.S. government departments and major companies to a halt, costing billions of dollars in damage and lost revenue. These attacks highlighted our unpreparedness to deal with cyber incidents, and our dependency on technology to conduct commerce.

However, it is not just data breaches, but data exposure which organisations need to heed – when data is stored and defended improperly, it can be accessed by anyone with even basic skills.

In Singapore, hotel chain Shangri-La International Hotel had to tell more than 4,300 of its rewards club members to change their passwords following a data breach in 2018. The hotel said illegal access to its mobile app gave hackers access to Golden Circle members’ names, membership numbers, log-in e-mail addresses, membership levels, number of points and upgrade conditions [2].

SingHealth, Singapore’s largest health group also experienced a serious cyber attack in 2018. Personal and healthcare information of 1.5 million people, around one-fifth of Singapore’s population, were leaked - including that of Prime Minister Lee Hsien Loong [3].

[2] https://www.straitstimes.com/tech/details-of-shangri-la-hotel-club-members-exposed-in-data-leak
[3] https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most
Are larger companies more vulnerable to cyber risk? Hint: No

With the news headlines focusing on incidents taking place in large corporations and within governments, it could be easy to conclude that smaller companies are relatively incident-free. According to our research, nearly two thirds of respondents in Singapore (63%) believe they are in a better position than their larger competitors.

However, nothing could be further from the truth.

Our research shows that the majority of small businesses in Singapore (56%) have experienced a cyber error or cyber attack in the past 12 months.

In fact, smaller companies face a far bigger risk exposure. Large businesses spend enormous sums of money on corporate cyber security to institute sophisticated defences. SMEs face many of the same threats. However, most do not have the means to make anywhere near the investment required to implement comprehensive protection, leaving significant risk uncovered.

As a result, it is becoming increasingly likely that if an SME has a security weakness, it will be targeted sooner rather than later. This is why, for cyber criminals, these businesses are the proverbial “low-hanging fruit”. Not only are they easy targets, they also offer a substantial cumulative payoff. In fact, SMEs, with their low or no investment in cyber security measures, are actually the ideal, and subsequently the most common target for online crimes.

“Some SMEs believe they are too small to be targeted by cyber criminals or any internal issues will not greatly impact them. In effect, they think they are “too small to fail”. However, every report, survey or set of statistics on cyber events tell us that all businesses are exposed, whether big or small.”
Andrew Taylor, Cyber Underwriting Manager, Chubb Asia Pacific
Case Study: Hackers steal online retailer’s data
Industry: Retail
Claim Amount: US$200,000
Annual Revenue: US$35 million
SMEs score ‘own goals’

While small businesses are hugely at risk from external cyber attacks, our research shows that the majority of data loss incidents actually occur because of system breakdowns or human error.

These findings do not in any way reduce the impact of external attacks but demonstrate that companies need to ensure their houses are in order at the same time as guarding against outside predators.

The top three cyber incidents caused by internal factors among the companies we surveyed were:
• Business interruption from system malfunction 22%
• Business interruption or data loss through human error, such as a lost or stolen memory device or employees unintentionally exposing their company data to risk 20%
• Data loss through a system malfunction or technical fault 16%

“Chubb’s claims data shows clearly that the majority of cyber or data issues have internal causes. Over the past 20 years of underwriting cyber insurance, it’s become clear to me that cyber risk is an enterprise-wide issue, it’s not just about technology. Good cyber mitigation strategies include strong governance processes, vendor management and employee education.”
Andrew Taylor, Cyber Underwriting Manager, Chubb Asia Pacific

Chart 3: Cyber incidents experienced by SMEs in the past 12 months
• Business interruption from system malfunction, technical fault: 22%
• Business interruption due to reliance on a third party service provider that has suffered downtime: 20%
• Business interruption or data loss through human error, such as a lost or stolen memory device or employees unintentionally exposing their company data to risk: 20%
• Don’t know: 3%
Case Study: Stolen laptop results in invasion of privacy
Industry: Industrial
Claim Amount: US$325,000
Annual Revenue: US$20 million
Confidence – or over-confidence – in managing a cyber issue

Our research reveals that the vast majority of SMEs are confident in their ability to overcome a breach following a cyber attack. In Singapore, 72% of the respondents believe they can overcome a cyber event and more than half (55%) believe they can contain a breach within 12 hours. At the same time, following a breach, 62% said that an incident made them realise they are more vulnerable than they had previously thought and 59% believe a similar incident is less likely to occur in the future.

This presents us with a dilemma. While we see a high level of confidence among SMEs, the survey also revealed results which seem to contradict this.

Perhaps the reason for these seemingly conflicting results lies in the fact there is disagreement on where the responsibility for cyber risk should rest. Respondents to our survey were fairly equally divided – 40% believe the Head of IT or the Chief Information Officer should be responsible, while 38% believe this role belongs to the Chief Executive.

Chubb’s view is that cyber security is everyone’s responsibility, but it should be led by someone who has the authority to effect change.

“Cyber risk is an enterprise risk and not a risk that sits in just one business unit or cost centre. To manage the risk, there should be enterprise-wide controls, and this needs boardroom or business owner oversight. Cyber risk is an important part of a board officer’s fiduciary duties.”
Andrew Taylor, Cyber Underwriting Manager, Chubb Asia Pacific

Chart 4: SMEs are generally unaware of the risks they face
• 66% believe they are not aware of all the cyber threats they face.
• 58% are not confident that all their employees who have access to sensitive data are fully aware of their data privacy responsibilities.
Case Study: Ransomware hides personal information theft
Industry: Retail
Claim Amount: US$105,000
Annual Revenue: US$150 million
Data - a need for protection
[4] https://sso.agc.gov.sg/Act/PDPA2012
[5] https://www.channelnewsasia.com/news/singapore/singapore-to-pump-in-s-30m-for-new-regional-cybersecurity-10735308
[6] Businesses in Singapore can refer to the Cyber Security Agency of Singapore website for more information on Cyber Security Act: https://www.csa.gov.sg/legislation/cybersecurity-act
Biggest concerns of SMEs following a cyber incident

SMEs are certainly aware of the impact of a cyber incident on their business. From our research, we found that the biggest concern to SMEs following a cyber incident is their relationship with customers (65%). This is closely followed by concerns about their revenue and sales (62%), their public reputation (59%) and the sheer cost of the incident (59%).

The very foundation of SMEs is more at risk when it comes to cyber security incidents than larger organisations because they have limited resources to respond and recover. The business interruption and financial impact can be catastrophic. The risk to the overall business is what Chubb calls the ‘Domino Effect.’

• 65%: Relationship with customers
• 62%: Revenue and sales
• 59%: Public reputation
• 59%: Cost of the incident
• 31%: Had notified the parties impacted following a cyber incident
The catastrophic domino effect on small businesses

When attacks involve stolen personal information such as credit card numbers, a downward spiral of negative press and shaken customer confidence can lead to crippling brand damage and further customer attrition can become stampede-like.

The last possible outcome is that SMEs may be sued for liability when an attack impacts customers, vendors, suppliers, or others. These lawsuits are often extremely costly and time consuming to defend and that’s another way that a cyber attack can become an endgame event.
Case Study: Business email compromise and stolen customer data
Annual Revenue: US$25 million

The business email inbox of a partner in a mid-sized professional service firm was compromised when the partner fell victim to a phishing attack. The partner unwittingly provided his Office 365 log-in details to the attacker. These details were then used to log into his Office 365 account from an international location. The attackers had full access to the partner’s contacts, business attachments, confidential client information and calendar. The information the attackers compromised also included European client data.

The attackers used the Office 365 access to delete emails and further compromise the partner’s LinkedIn account, perpetuating the phishing scam and information harvesting from the partner’s LinkedIn followers.

Privacy lawyers, PR consultants and computer forensics experts were required to assist, stop and mitigate the damage caused.
The role of insurance

• 15%: Yes, we purchased before
• 9%: Yes, we purchased after
• 70%: No, we did not purchase any
• 6%: Don’t know
How SMEs can protect themselves from cyber risks
About this research
This report has been produced by Chubb in collaboration with YouGov. It is based
on a survey of 1,000 respondents from Small and Medium Enterprises (SMEs) in
three markets; 400 from Australia, and 300 each from Hong Kong and Singapore.
For more information about Chubb’s Cyber Enterprise Risk Management (ERM)
policy, please contact us at [email protected]
About Chubb in Singapore
Contact Us
Chubb. Insured.™
Important Notes:
This brochure is intended to provide only a general description of the products and associated services offered by
Chubb. Any advice in this brochure is general only and does not take into account a potential purchaser’s objectives,
financial situation or needs, or the prevailing laws and regulations in the relevant jurisdictions. The information
contained herein is not intended to explain or broaden coverage afforded under any policy or product offered by
Chubb. Please review the full terms, conditions and exclusions of the relevant policy(ies) as well as the relevant
Product Disclosure Statement or the QFE Disclosure Statement (where applicable) and consider whether the advice
is right for you. Coverages are underwritten by one or more Chubb companies. Not all coverages are available in all
countries. Coverages are subject to licensing requirements and sanctions restrictions. This document is neither an
offer nor a solicitation of insurance or reinsurance products. Potential purchasers should contact their local broker
or agent for advice.
© 2018 Chubb. Chubb® logo and Chubb. Insured.TM are protected trademarks of Chubb Limited.
12/2018