In today’s interconnected world, geography offers no protection against the threat of an attack.
State sponsored cyber thieves, criminals, malicious insiders, and political activists constantly attack the digital assets of governments, corporations and individuals across the globe, and no corporation is immune from the inadvertent release of personally identifiable information.
Geography does, however, play a role in organizations’ response to the threats.
Although US and European companies most likely experience a similar number of cyber-attacks, European companies are less likely to report a breach than their US counterparts, which are subject to state breach notification laws.
The European Commission has developed a cybersecurity proposal and is recommending that the EU replace its current “voluntary approach” with a “regulatory approach” to notification and response. The Commission has concluded that the voluntary approach does not provide enough protection and would require companies to conduct risk assessments and report significant network security incidents to cybersecurity authorities.
While this proposal will likely prove controversial, its implementation would alter the cyber litigation landscape in Europe.
Cyber Event Count by Revenue
In years past, cyber threats were frequently thought to be only a large company problem. Theoretically this makes sense since large companies should provide cyber criminals with the biggest paydays.
The challenge for those same criminals is that the larger targets also invest more in cybersecurity and therefore typically have the strongest defenses.
As a result, smaller organizations are targeted with increased frequency as some criminals have altered their strategies from quality to quantity. Cyber-criminals also have realized that smaller companies with fewer defenses can provide back door access to their prime targets – large companies who are customers or business partners.
The chart below illustrates the number of European cyber events by revenue.
European Cyber Cases by Type and Year
Litigation pertaining to cyber security is far less common in Europe than in the US.
This is largely due to the regulatory structure currently in place and the “voluntary approach” to breach notification and reporting. Additionally, European legal systems are generally less plaintiff friendly, making it often more difficult and potentially more expensive to pursue claims in the courts as compared to the United States.
While the number of reported cyber cases is not near the levels experienced in the United States, it has followed a similar trend with the number of cases peaking in 2009 and remaining relatively flat in subsequent years.
Cases by event type
Another similarity with the US is the distribution of cases by event type. ‘Digital Data Breach, Loss, or Theft’ represents the highest percentage of cases in Europe followed by ‘System/Network Security Violation or Disruption’ as illustrated in the chart below.
Advisen Defines:
Digital Data Breach, Loss or Theft as a Digital breach, distribution, loss, disposal, or theft of personal confidential information, either intentionally or by mistake, in such a way to enable the information to be used or misused by another.
System/Network Security Violation or Disruption unauthorized use of or access to a computer or network, or interference with the operation of same, including virus, worm, malware, digital denial of service (DDOS), etc.
Over the past couple of years, as a percentage of total events, ‘Digital Data Breach, Loss, or Theft’ has declined while ‘System/Network security Violation or Disruption’ has risen. In fact, as a percentage of total events, 2013 saw the most system/network security violation or disruption events since 2006. This too is similar to the United States.
As previously discussed, cyber-crime does not discriminate based on geographical boundaries and therefore trends based on the type of events tend to be global in nature.
Type of events by year
Not long ago, cyber-risks were simply considered a nuisance for the majority of European organizations.
This perception appears to be changing as many of these same organizations now recognize they pose a significant threat to their business and society as a whole. While it is increasingly realized that cybersecurity is a problem that requires a regulatory response, finding consensus on what that response should be will likely prove challenging. When consensus on the issue has been reached, however, the implications on European cyber landscape will be great.
Josh is an Editor at Advisen in the Research & Editorial division. He is the lead editor responsible for several of Advisen’s Front Page News editions and he also originates custom research on behalf of Advisen’s largest insurance company clients. Contact Josh at [email protected].
