Allianz Risk Barometer 2019
Spotlight on cyber business interruption

Whether resulting from cyber-attacks or, more frequently, from system outages or failures, cyber incidents are now a major cause of business interruption for today’s networked companies.

Business interruption (BI) following a cyber incident has emerged as a key risk for businesses, with an increasing number of scenarios leading to disruption. For the first time in the Allianz Risk Barometer, survey participants indicated that cyber incidents were of a similar level of concern to the closely related risk of BI, which has ranked as the top peril in the survey over the past seven years.

For many companies, this is where their big exposure lies today. Think of a large organization that has a very sophisticated supply chain and an operation that produces millions of dollars in revenue – daily or monthly. Depending on the size of the organization, if it shuts down for technical issues in a cyber incident, that will trigger a significant loss.

“As all businesses embrace digital business models, success is highly dependent on the technology facilitating the business,” says Georgi Pachov, Global Practice Leader, Cyber, AGCS. “Revenue streams can be easily interrupted following abnormal technological behavior. Cyber incidents leading to BI will become much more frequent in future due to the massive reliance on technology and data for running businesses. In the age of the ‘Internet of Things’, if two manufacturing devices cannot communicate and exchange data with each other this will inevitably lead to a business disruption.”

Business interruption was a hallmark of the WannaCry and NotPetya malware attacks in 2017, causing large losses for a number of shipping, logistics and manufacturing companies. Companies such as Maersk and FedEx saw losses of $300mn from the NotPetya event, while consumer goods manufacturer Reckitt Benckiser reported £100mn ($130mn) in loss revenues.

Malware attacks have continued to trouble companies – semiconductor maker Taiwan Semiconductor Manufacturing Company, a key supplier to Apple, lost over a day of production after a virus infected machinery at plants in Taiwan in August, 2018. The virus was a variant of WannaCry. Meanwhile, the ports of Barcelona and San Diego were both victims to ransomware attacks which impacted servers and administrative systems in September 2018, as was the shipping company COSCO in July, which also saw its IT systems disabled in the US. Insurers have seen a growing number of BI claims trigged by cyber incidents with claims that exceed $100mn¹.

Cyber incidents rank as the BI trigger most feared by businesses, and BI is also the biggest cause of economic loss for businesses after a cyber incident, according to Allianz Risk Barometer respondents. Loss of revenues and additional costs of working can be incurred from malicious acts, but more often than not are the result of technical glitches or human error. According to the Financial Conduct Authority (FCA), only 18% of all cyber incidents reported to the UK regulator were cyber attacks², while 82% were the result of technology issues. Meanwhile, analysis of data breaches by Kroll found that 88% of data breaches were caused by human error, and just 12% were the result of a cyber-attack³.

IT outages have emerged as a significant exposure as organizations become reliant on technology to conduct everyday business. The airline sector has experienced a number of technology-related outages, including a major outage in 2017 which occurred after a power surge on reconnection knocked out British Airways systems over a holiday weekend affecting 75,000 passengers and costing it £80mn, according to initial estimates⁴.

Customers at UK bank TSB suffered months of disruption in 2018 after a failed IT platform migration – the incident cost the bank in excess of €300mn⁵. The FCA says bank outages have risen 138% in the past year⁶.

Reliance on IT and technology service providers – such as cloud services, online booking platforms and supply chain systems – also brings potential contingent business interruption (CBI) exposures. A software glitch at network equipment provider Ericsson disrupted services for millions of mobile phone customers in Europe and Japan in 2018⁷. When Visa suffered an outage in 2018, it affected the payment card services used by banks and retailers across Europe. Similarly, in 2017, a four hour outage at Amazon’s AWS cloud computing division impacted a number of internet services, websites and other businesses. It was reported the outage was caused by human error. Guidewire Cyence Risk Analytics estimated that companies in the S&P 500 dependant on Amazon’s services lost approximately $150mn as a result⁸.

It has been estimated that in the event of an outage at a cloud service provider lasting more than 12 hours losses could total as much as $850mn in North America and $700mn in Europe, based on 50,000 companies in three specific industry sectors (financial, healthcare and retail) being impacted by the outage in each region⁹.

“A single point of failure can trigger a chain reaction across the value chain, including suppliers to the final customer, and cause a severe business interruption and accumulation for insurers,” says Pachov. “The same event can trigger a significant reputational loss.”