When businesses get bit by bytes

Whether it is due to a technical glitch, human error or, as in the recent Petya and WannaCry cases, a full-on cyber-attack, as digitalization transforms the industrial world there is a significant cyber risk for companies delivering products and services.

• Cyber incidents are often associated with data loss or privacy but, more and more, business interruption is becoming a key risk for companies
• Even though smart factories will reduce the number of physical damage losses, the number of cyber-driven BI events is predicted to increase
• As seen in the recent WannaCry case, “ransomware” attacks can easily stop production across many different industries
• Cyber-attacks create a lot of public awareness about cyber risk but, more often, it is often mundane technical failures and IT glitches that cause cyber BI

A single cyber incident can lead to a severe interruption of normal business. And the number of incidents is growing. Globally, distributed denial of service (DDoS) attacks will increase over two-fold to 17 million by 2020, roughly 25% per year. Network service provider, Akamai, noted a 77% increase in infrastructure layer attacks just in the period from Q3 2015 to Q3 2016, the largest of which – the Mirai botnet – brought down the infrastructure provider, Dyn, and affected websites like Netflix, Twitter, the Guardian, CNN, etc. in October 2016. Technical computer infrastructure failures are also increasing, causing transportation stoppages and manufacturing production interruptions.

Reported data breaches, not including other cyber events, are expected to grow 40% a year by 2019¹. “Whether due to a technical glitch, human error or a highly skilled cyber-attack, these incidents are surfacing around the globe, which implies, collectively, the emergence of a ‘new normal’,” explains Rishi Baviskar, Senior Cyber Risk Consultant, AGCS.

As digitalization joins together smart factories, grids, machines, public networks and other facilities, cyber incidents may disrupt many industries. New vulnerabilities are arising in which cyber criminals could exploit the increase in interconnectivity. Whether accidental or planned, the end result of these incidents is business interruption (BI). Impacted businesses cross all sectors.

An example of the vulnerability of one sector, in healthcare, can be seen when a hospital in Germany came under ransomware attack – a type of virus that incapacitates files and demands cash to extricate the maliciously encrypted data. Staff at Lukaskrankenhaus Hospital in Neuss, Germany, noticed one morning that the system was running slow and unusual error messages were popping up. The entire system, including servers and email, was moved offline.

After weeks, the hospital still experienced problems andmonths passed before normal business resumed². What damages resulted in the cyber incident? One-fifth of hospital operations were cancelled; emergency room services were sharply curtailed; hospital IT staff had to contract expensive British IT specialists to eradicate the virus; and doctors, staff and patients were inconvenienced for weeks.

Luckily, no patient information was corrupted³. The incident shows the devastation that cyber incidents can cause and the resulting interruption that can afflict a business.

“Although in this scenario the focus was on the ransomware, the key consequence was unavailability of systems, as well as the slowdown of operations and services – in other words, cyber BI,” says Georgi Pachov, AGCS Global Practice Group Leader Cyber, CUO Property.

Similar BI losses occurred when a large manufacturing company, Saint-Gobain, was  struck by the Petya ransomware attack in June 2017, which caused it to be over two weeks (16 days) with sub-normal operations activity. The company estimates its lost sales to be 1% worth of six months of revenue (about €200m according to 2016 results)⁴. “These are good examples of how important technology is to normal operations - and how significant financial impacts can ensue,” Pachov says.

“Cyber risks are not isolated to a particular segment, but span across different industries and company sizes,” says Pachov. “A cyber-attack, for example such as a DDoS can overload an online retailer’s web server and render it inaccessible. Technical glitches such as incompatible software components and sensors or inaccurately set temperature or pressure parameters can also cause the interruption of normal business activity.”

Businesses increasingly rely more on digitalization to control and optimize production. Likewise, interconnectivity makes the digital supply chain a fundamental part of business. Such dependencies make BI incidents ever more non-physical in nature. One estimate is that the Internet of Things (IoT) will add $10trn to $15trn to the global gross domestic product (GDP) by 2030⁷.

Digitalization is especially evident in the heavy manufacturing sector. The world now includes 1.1 million working robots and about 80% of the car-manufacturing work is allocated to robots8. Today, over 3.5 billion machines are connected within the global supply chain – a number that will only increase in future, to an estimated 50 billion machines over the next decade.

The applicability of interconnected devices, smart factories, smart machines, and real-time monitoring, will lead to a convergence of IT (desktop applications, emails and office tools) and OT (smart machines, production devices and sensors) domains in the next 15 to 20 years.

A “smart factory” includes real-time data communication and exchange from the raw material entry to the final shipping of the product and provides the logic to a variety of devices and machines in order to execute “smart” physical processes.

“In such a scenario,” says Pachov, “machines identify anomalies and will shut down in order to prevent physical damage, which results in less physical damage losses. However, this will also lead to more frequent cyber-driven BI and to the necessity for cyber BI and cyber contingent business interruption (CBI) coverages.”

Insurance solutions address the fact that cyber events are fast-moving and difficult to prevent or predict. Because of the uncertainty, many companies may not even know they have been impacted until long after the initial event. Standalone cyber insurance has been designed to specifically cover business losses and liabilities arising from cyber exposures.

Cyber insurance focuses on non-traditional, non-damage cyber BI following an event. When an incident occurs and physical damage or machinery breakdown results, the resulting claim for damages typically falls under the standard property damagem policy, due to the existence of physical damage as well as the difficulty to prove a cyber trigger in case of severe damage.

“The market needs to work on the ‘gray areas’ in cyber policies, as well as policy gaps and overlaps across different solutions,” Pachov says. “We are seeing more cyber covers that include a range of BI elements,” adds Emy Donavan, Global Head of Cyberand Tech PI, AGCS.

As the industry grapples with the “silent” cyber exposures that may be triggered in routine incidents, and covered in traditional property and liability policies, it tends to study traditional wordings more closely in order to understand and calibrate new exposures. The issue, however, is that reported loss history is limited, particularly related to BI, and risk aggregation is difficult to quantify.

Insurers are turning a corner but it’s definitely a work in progress, as they
have to use hypothetical modelling scenarios. At the end of 2015, Lloyd’s of London asked its syndicates to come up with plausible but extreme cyber-attack scenarios and to report back estimated total exposure in what is to become “an annual requirement [13].”

“AGCS has had a Cyber BI product since the beginning of the 21st century,” says Pachov, “so it’s not something new for us. But the cyber BI severity we are seeing is definitely not driven by cyber-attacks and data breaches, nearly as much as hidden, non-reported technical/technological failure and/or internal operational errors.”

Donavan says that a way for companies to mitigate against cyber risk is to install a Chief Information Security Officer (CISO) or equivalent to implement a comprehensive information security management system (ISMS). “Although it is costly and time consuming, it is necessary not just for information security but also for the long-term health of the business. This is why it should be a board-level concern,” she says.

In June 2017, the Petya ransomware cyber-attack affected some of the world’s largest corporations, including the Danish shipping company AP Moller- Maersk, UK-based advertising group WPP, US delivery service provider FedEx, among others and UK-based pharmaceutical giant Reckitt Benckiser, which reported a £100m hit in revenue as a result of the attack¹⁰.

A month earlier, WannaCry, another ransomware program, infected more that 300,000 computers in 150 countries. The attack hit several large companies, including a major American parcel delivery company, a European car manufacturer and a Spanish telecom company. It disrupted the operations of the UK’s National Health Service and affected some operations of German rail network Deutsche Bahn, among others.

WannaCry is a worm that targets the Microsoft Windows operating system. It works by encrypting compromised data and locking it up, with the attackers asking victims to pay up to $200 ransom in bitcoins to regain access. It spreads through an erroneous click or download. Once it infects a computer it searches for other computers to attack.

In April 2017, British Airways experienced an IT meltdown of a different kind after an engineer disconnected a power supply. A power surge on reconnection knocked out BA systems over a holiday weekend, disrupting 75,000 passenger, costing it £80m ($100m)¹¹, according to initial estimates. These incidents again highlight how vulnerable companies are to cyber risks – be it a technical glitch, a human error or a cyber attack – and the BI that usually follows.

In the case of the WannaCry incident, although the ransomware payments were scant compared to the widespread nature of the attack – estimated to be somewhere between $50,000 to £100,000 – it was reported that the total cost of resuming commercial operations could run into billions of dollars.This is why cyber insurance promises to be the next blockbuster in the insurance space, says Hartmut Mai, Chief Underwriting Officer for Corporate Lines at Allianz Global Corporate & Specialty (AGCS).

While cyber insurance is already a mature market in the United States with an estimated premiums volume of $3bn, it is still an emerging segment in Europe and Asia. Given the frequency of such events cyber security and related insurance will become an important part of corporate risk management strategies. These recent ransomware cases may lead insurers to underwrite their cyber risks more carefully, consider the risk aggregation of their exposures and pay more attention to the details and to certifying their clients’ cyber security protocols.

• Consider potential exposures in line with the longterm strategy and prepare for potential incidents
• Know your assets and how to prepare, process and protect data
• Implement monitoring and early warning systems to guard against data compromise and manipulation, digital anomalies along the business chain, viruses, etc.
• Implement downtime tracking tools/software in order to reduce idle time and increase productivity
• Develop a cyber strategy in conjunction with a business continuity plan (BCP)
• Train employees how to identify data flow dependencies and related anomalies, fake emails and not to click through on suspicious links.
• Ensure 100% back-up and timely recovery for all real-time (just-in-time) data-driven processes
• Back up data off-site, segmented apart from the company’s network
• Use role-based permissions for employees and do not grant more data access than needed for their jobs
• Appoint a Chief Information Security Officer (CISO) to oversee the company’s operational technology (OT) landscape

Read this article in Global Risk Dialogue. Appearing twice a year, Global Risk Dialogue is the Allianz Global Corporate & Specialty magazine with news and expert insights from the world of corporate risk.