New threats such as “cyber hurricanes”, increasing reputational risk and tougher data rules mean businesses and risk experts are more concerned than ever.
Production of a vital vaccine is disrupted, leading to fears of a drug shortage. One of the world’s busiest “smart” ports is brought to a standstill, leaving containers stranded. Recent events show how vulnerable businesses are to an ever-evolving cyber threat and its impact on the balance sheet – an estimated $275m1 in insured losses alone from the vaccine incident and a potential $300m2 hit for a shipping company from the terminal incident, and others, are among reported losses from the June 2017 Petya ransomware attack. Economic losses from the WannaCry attack a month earlier could eventually hit $8bn, according to cyber risk analytics and modeling firm, Cyence Risk Analytics. Just like a natural disaster, a single cyberattack can potentially impact hundreds of companies, leading to severe business interruption and loss of customers and reputation. It is no wonder that cyber incidents continue a six year climb up the Allianz Risk Barometer in 2018 – cyber is now the top risk in 11 countries.
Multiple threats underestimated
“Every company has been or will be impacted by cyber risk. It is not over-hyped. If anything it is under-appreciated because the threats are not always well understood,” says Emy Donavan, Global Head of Cyber at AGCS, noting that over 50% of Risk Barometer responses rank cyber as the risk most underestimated by businesses. “There are now multiple cyber threats to a company’s digital presence.”
Personal data or intellectual property can be compromised. Businesses can incur network liability if a corrupted file is transferred to another company. Respondents are increasingly worried about new perils such as cyber extortion and, particularly, business interruption (BI). Meanwhile, the emergence of two major security flaws in computer chips – Meltdown and Spectre – in January 2018, which raised fears that hackers could steal data from computers and devices around the world, shows how cyber interconnectivity continues to bring unexpected threats.
Larger infrastructure attacks in 2018
Businesses worry about the increasing sophistication of cyber-attacks. December 2017 brought the first report of a successful safety system breach at an industrial plant by hackers, after previous incidents at other types of critical infrastructure3. Meanwhile, incidents such as WannaCry, Petya, and Mirai, the massive distributed denial of service (DDoS) attack on internet provider Dyn, which disrupted the likes of Twitter, CNN and Netflix in October 2016, are part of a growing trend of broader accumulation events, or “cyber hurricanes”. Hackers can disrupt larger numbers of companies by targeting common infrastructure dependencies – a trend that will likely continue through 2018.
One of the most effective prevention techniques for ransomware is effective, secure, segregated back-ups that are performed regularly, Donavan says. User-based access rights can also be effective. If the concern is a DDoS attack, systems redundancy and back-up servers are vital.
Reputation on the line
Cyber incidents aren't just caused by hackers. Technical failure or malicious or innocent employee action is often to blame. Whatever the cause, reputational damage is irrevocably linked. According to reputation analysis and research institute, MediaTenor, 75% of all companies which suffer a cyber-attack also incurred reputational damage or loss. Companies in the entertainment, banking and retail sectors are particularly vulnerable due to handling confidential data. Furthermore, companies can suffer reputational damage without negative media coverage. If sensitive data is compromised, trust can be destroyed among core stakeholders without media involvement.
Cyber insurance as a service
Increasing interconnectivity means it is more important than ever for companies to review cyber security and resilience and consider the role of cyber insurance as part of their risk management. As the cyber threat evolves, so does the cyber insurance proposition, beyond just covering financial loss such as BI and restoration costs. For example, if an organization suffers a data breach it will need instant access to specialist lawyers, IT forensics and crisis management consultants to help mitigate the impact of an incident as it develops. Insurance provides this.
“Companies can’t bury their heads in the sand. The sooner they respond the better the outcome. Companies that respond poorly to a cyber incident will see more of a long-term impact on their stock price than those that respond well,” says Donavan.
GDPR: the most significant cyber risk development in 2018
Data protection security is back in the spotlight following huge breaches at Equifax and Uber in late 2017, which potentially exposed the data of 200 million people. The introduction of the General Data Protection Regulation (GDPR) across Europe in May 2018 will intensify scrutiny further. The GDPR introduces stricter procedures – such as the requirement to notify the regulator and data owners of a data breach – and significantly higher penalties for companies doing business in the EU who don’t comply. Companies could be fined as much as 4% of global revenues, so more and larger fines can be anticipated. Demand for cyber insurance is also expected to increase, as companies bolster security in response.
“Compared with the US where laws are already strict and privacy regulation is continuously evolving, firms in Europe now also have to prepare for tougher liabilities and notification requirements,” says Emy Donavan, Global Head of Cyber at AGCS. “Many businesses are waking up to the fact they have potential vulnerabilities, and the realization that privacy issues create hard costs will emerge fairly quickly once GDPR is implemented. Being well prepared for a data breach will help reduce the reputational impact as well as the business interruption. Past experience has shown that the way in which an organization manages a breach has a direct impact on the cost. This will become even more the case under GDPR.”
SOURCES
1. Reuters, Merck cyber attack may cost insurers $275 million: Verisk's PCS, October 19, 2017
2. Financial Times, Moller-Maersk puts cost of cyber-attack at up to $300m, August 16, 2017
3. Reuters, Hackers halt plant operations in watershed cyber-attack, December 14, 2017
4. MediaTenor, Enhancing risk management by helping companies shield and build their reputations
Newsletter
Keep up to date on all news and insights from Allianz Commercial