Allianz Risk Barometer 2019
Major risks in focus: Cyber

For the first time, cyber incidents is neck-and-neck with business interruption (BI) at the top of the Allianz Risk Barometer – with the two risks increasingly interlinked, reflecting the magnitude of the threat now posed by a growing dependence on technology and the malicious actions of nation states and criminals.

Incidents, such as cyber crime, privacy breaches, BI (including ransomware and distributed denial of service (DDoS) attacks) can trigger extensive losses. Cyber crime generates the headlines but often it is more mundane technical failures, IT glitches or human error which frequently causes system outages or data losses for business. The fall-out can be costly. According to AGCS analysis of insurance industry claims over the past five years, even the average insured loss from a cyber incident is now in excess of €2mn ($2.3mn) compared with almost €1.5mn from the average claim for a fire/explosion incident¹, with losses from the largest events in the hundreds of millions or higher.

Increasing concern about cyber incidents follows a watershed year. In the wake of the highly disruptive global WannaCry and NotPetya malware attacks, 2018 witnessed a stream of major IT outages, mega data breaches and privacy scandals, as well as landmark data protection rules in the EU’s General Data Protection Regulation (GDPR).

“Cyber risk has been a major risk for a number of years, ever since IT moved from being a support function to a core, business-critical asset,” says Marek Stanislawski, Deputy Global Head of Cyber and Tech PI, AGCS. “Finally we have reached an important point where cyber is equally concerning for our customers as their major ‘traditional’ exposures, which means that entities across all industries and business segments now have this risk firmly on their radars.”

As organizations hold more and more personal data, breaches are increasing in size and cost. Recent mega data breaches include Equifax (143 million individuals), Facebook (50 million) and Uber (57 million). Meanwhile, the data breach which impacted around 380 million² customers of Marriott hotels at the end of 2018 is one of the largest on record.

The number of cyber-attacks worldwide doubled in 2017 to 160,000, although endemic underreporting means the true figure could be as high as 350,000, according to the Online Trust Alliance³. At the same time, the average cost of a cyber-attack has increased 62% over the past five years, according to Ponemon Institute and Accenture⁴. A typical data breach now costs a company $4mn, according to Ponemon, but very large breaches can cost hundreds of millions – the cost of the Marriott breach is estimated between $200mn and $600mn by AIR Worldwide⁵.

An important factor driving the cost of data breaches is regulation and litigation. In May 2018, the GDPR entered force, introducing greater privacy rights for consumers and greater enforcement powers for regulators, backed by the threat of large fines. Other jurisdictions have since announced plans to introduce tougher privacy laws inspired by the GDPR ranging from California to Brazil to India. Canada and Australia have also established mandatory breach notification regimes, in line with the GDPR and similar requirements in the US.

“GDPR and similar regulations are the ‘new normal’ in which we all need to find our way to operate,” says Stanislawski.

Cyber incidents are also increasingly likely to spark litigation, including securities and consumer class actions. Data breaches, IT outages and cyber security incidents can generate large third party liabilities, as data subjects, shareholders and supply chain partners seek to recoup losses from companies and in some cases their directors.

Already a feature of US data breaches, class actions have spread to Europe, giving consumers the right to claim non-financial damages, such as for distress. A number of recent data breaches, including that of British Airways, one of the first significant breaches under the GDPR, have triggered class actions in the UK while a landmark case against Morrisons has seen the retailer held vicariously liable for a breach in the UK’s first successful data breach class action⁶.

Cyber crime has become pervasive as criminals use more innovative methods to steal data, commit fraud or extort money. Worldwide, cybercrime costs an estimated $600bn a year⁷, according to the Center for Strategic and International Studies (CSIS), up from $445bn in 2014. This compares with a 10-year average economic loss from natural catastrophes of around $208bn⁸ – three times as much.

However, the past year has also witnessed a growing threat from nation states, which increasingly use technology to play out rivalries and conflicts, with implications for businesses. Nation states and affiliated hacker groups have targeted universities and public sector agencies, looking to steal valuable data and trade secrets, as well as the networks and industrial control systems (ICS) of critical infrastructure companies. NotPetya was attributed to Russian-backed hackers targeting Ukraine while energy companies in the Middle East have been hit with destructive malware attacks.

Advancements in technology are also generating new cyber threats and vulnerabilities. Organizations are concerned about the effect of increasing interconnectivity and developments such as automation and artificial intelligence.

Vulnerability is also growing with the increase in connected devices, with the Internet of Things (IoT), Industry 4.0 and digitalization of supply chains, which create new attack fronts for criminals and nation states to exploit.

According to cyber security firm Kaspersky, over three quarters of the companies it surveyed expect to become a target of a cyber security attack in the ICS space⁹. However, only 23% are compliant with minimal cybersecurity guidance or regulations of ICS. In 2016, a DDoS attack against internet company Dyn used a botnet army of corrupted IoT devices, while December 2018 saw hackers take control of 50,000 connected printers around the world to create posters supporting vlogger PewDiePie¹⁰.

The WannaCry and NotPetya malware attacks highlight the growing risk of BI and even physical damage from malware and other cyber incidents. They also have accelerated discussions around cyber insurance and in particular the need for affirmative cover.

The NotPetya attack is expected to generate around $3bn in losses for insurers, according to Property Claims Services. However, some 90% of this total can be attributed to so-called “silent cyber” exposure, with only 10% covered by affirmative cover. Non-affirmative cover is where cover for cyber incidents may exist in traditional property/casualty (P&C) policies, even though this was not the intention of the underwriter.

“Silent” or non-affirmative cyber exposures lead to inadequate protection for businesses with a lack of certainty and transparency for all parties involved. As part of a group-wide project, Allianz has reviewed cyber risks in its P&C policies in the commercial, corporate and specialty insurance segments and developed a new underwriting strategy to address “silent cyber” exposures.

“We will make it clear how cyber risks are covered in traditional policies and for which scenarios a dedicated cyber insurance solution is needed,” says Emy Donavan, Global Head of Cyber and Tech PI, AGCS.

“Risk transfer is a vital element of cyber risk management, but, today, cyber insurance goes beyond this,” adds Stanislawski. “It can be a valuable part of incident response, providing companies with contacts to specialists and consultants who can help battle the incident but also better prepare for events before they happen.

 “Every company needs to adopt an IT security position which is adequate to its size, operations and risk profile and invest in technological security solutions, proper backup mechanisms and staff training. The last aspect is possibly the easiest one to miss but is equally important, especially for small and mid-sized enterprises.

“Companies need to think about all of their employees as members of the cyber security team and provide them with proper training and empowerment to transform their staff from the ‘weakest link’ to the ‘first line of defense’.”