Cybercrime in Latin America
Business is booming!
In mid-July, the host of a popular Brazilian television show, reportedly was the victim of a hacker who stole thousands of Brazilian Reals from her bank account. She’s not alone. As we come to rely on technology in virtually all aspects of our lives, criminals are continually on the lookout for new opportunities to steal our money, intellectual property or identities. And cybercrime knows no borders; every device connected to the Internet is a potential entry point.
In recent years, Internet use has grown faster in Latin America than in any other region in the world. And as Internet use has grown across the region, so has cybercrime; Latin America has seen significant increases in data breaches, banking Trojans, mobile malware, and other online threats. According to a recent survey by Grant Thornton, 11 percent of the businesses in Latin America were hit by a cyber-attack in the past 12 months.
Cybercrime is especially common in Brazil, to the point that it has been described as “at the epicenter of a global cybercrime wave.” The country now ranks second, behind Russia, as the source for online banking fraud and financial malware. The number of cyber-attacks in Brazil grew by 197 percent in 2014 and online banking fraud increased by 40 percent. It has also been reported that about USD 3.75 billion has been hacked since 2012 from a popular payment method used throughout Brazil.
Cyber-attacks are a particular risk for small- and medium-sized companies. In Brazil, for example, a recent study showed that close to two-thirds of the cyber-attacks were directed at small companies. While small businesses may not offer a big payday for cyber attackers, they often are not well protected – given a choice between “big and difficult” and “small and easy,” many cyber criminals are attracted to the latter opportunity. This is especially challenging for small businesses in the current economic climate where spending on “non-core” activities, like cyber security, has to be managed extremely carefully.
Other countries in the region have also experienced significant cyber-attacks. Criminals in Mexico, for example, were apparently the first to discover how to reverse-engineer ATM software and create an interface that allows them to interact with the machine; in effect, to get a machine to discharge all of its cash. Businesses and consumers throughout the region have also witnessed a surge in ransom ware attacks where criminals seize a user’s data, encrypt it, and then demand a payment to decrypt it. The most prominent ransomware in use currently is not possible to break. In the past, collecting the ransom and avoiding detection was the hard part. Today, with online currencies like Bitcoin, this is no longer a problem.
How companies can minimize the risk
Almost all businesses that rely on the Internet in some fashion are vulnerable to a cyberattack, and the list of threats is long: malware to steal sensitive or confidential information; ransomware attacks; social media scams; banking Trojans and heists. However, there are a number of prudent steps companies can take to lessen their vulnerability to a cyber-attack. First and foremost is to recognize that cybersecurity is not an IT issue, it’s a management problem. All employees using a device connected to the Internet should recognize that they bear some responsibility for keeping the company secure. Training is also important, including training in incident response.
Companies that rely heavily on the Internet should periodically map their vulnerabilities and define their tolerance for cyber risk. Finally, companies should consider how they could respond in the event of a cyber-attack. While the threat may seem remote, having a contingency plan in place, “just in case,” can greatly minimize the financial and reputational costs of a cyber-attack.
Insurance solutions can help companies manage and mitigate cyber risks
Although cybercrime is a relatively new phenomenon, insurers in Latin America have developed a range of coverages to help companies manage and mitigate this risk. These policies typically cover data breaches involving financial, customer, employee or other proprietary data as well as any type of cyber-attack that disrupts a company’s operations.
Even though the threat is fairly new, cyber insurance is quickly becoming quite sophisticated. In many cases the policies also cover: business interruption expenses; data recovery costs; cyber extortion demands; and defense costs, including any penalties or fines that are assessed. In addition, cyber insurance often extends to outsourced providers, including cloud providers, and to both online and offline content. And when an attack occurs, the coverage typically includes access to leading firms that specialize in neutralizing the breach, and helping the company navigate what is often a very delicate situation.
Cybercrime is obviously a particular concern to technology companies providing IT products and services. Products manufacturers and software developers have to ensure their solutions are not vulnerable to cyber-attacks. And service providers have to ensure that their solutions don’t compromise a client’s proprietary data, including intellectual property. For businesses involved in these areas, cyber insurance can also include product liability and professional indemnity coverage that covers legal costs incurred in defending a claim, as well as any damages that are awarded.
Many government agencies and private companies across Latin America are taking concrete steps to combat cybercrime. Solutions to protect data networks and servers continue to become more sophisticated and harder to breach. Cybersecurity resources are being enriched; more than 200 cybersecurity specialists will be contracted with, for example, to protect public and private sites during the upcoming 2016 Olympics. Still, the surge in cybercrime is not expected to abate – even as defenses are strengthened, criminals will still find ways to exploit vulnerabilities residing in obscure corners of the Internet. With this type of ongoing risk, companies should take some prudent, common sense precautions to minimize the threat, and consider the option of transferring some of this risk via insurance.
First published in Latam Insurance Review in February 2016.