Just seven years ago cyber risk ranked as low as 15th in the Allianz Risk Barometer, an annual survey in which more than 2,700 risk experts from 100 countries identify the top threats for companies for the next 12 months and beyond.
Today, it ranks either near or at the top of seemingly every risk poll conducted. In the intervening years both knowledge of the threats posed to businesses by cyber and the number of related claims or losses have increased significantly. At the same time, businesses and their insurers now have to deal with a fast-changing, ever-evolving risk landscape, which has been further exacerbated by the outbreak of the coronavirus pandemic.
Companies are facing a number of challenges, such as the prospect of more disruptive and expensive business interruptions, the increase in the frequency and cost of ransomware incidents, the consequences of larger data breaches and more robust regulation – both at home and overseas – as well as the prospect of litigation if something does go wrong. The playing out of political differences in cyber space also ups the ante, while even a successful merger and acquisition (M&A) can bring unexpected problems. Then, there is the fact that many employees are now working remotely. Displaced workforces create new opportunities for increasingly better organized and funded cyber criminals to exploit and gain access to networks and sensitive information. At the same time, the potential impact of human error or technical failure incidents – already one of the most frequent drivers of cyber claims – may also be heightened. Employers and employees must work together to raise awareness and increase cyber resilience in the home office set-up.
Despite the huge advances companies have made in cyber risk awareness in recent years, many are still playing catch-up and often do not realize how important their digital assets are until something happens.
1. Laxer security post Covid-19 heightens cyber risk
Rise in scammers and spammers looking to exploit vulnerabilities, as pandemic enhances existing threats and problems
2. Business interruption and digital supply chain vulnerability growing
Digital disruption has become a much more significant driver of cyber losses while cyber risk in supply chains is a growing exposure, given the increasing reliance on technology
Business interruption (BI) following a cyber incident has become a major concern for business. Analysis of cyber claims by AGCS shows that BI is the main cost driver in the majority of cases. Whether ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today’s digitalized economy.
Cyber and BI now rank as the top two risks for companies respectively, according to the Allianz Risk Barometer 2020, which was conducted before the coronavirus outbreak, and the two are increasingly interrelated. Awareness has been growing following high profile outages across a number of sectors, including banking and airlines. At the same time, ransomware attacks, such as the NotPetya malware and the Ryuk campaign, have caused serious disruption for manufacturing and service sectors, as well as public sector organizations.
3. Ransomware now the most prominent cyber-crime threat
Incidents are becoming more frequent, sophisticated and financially damaging
4. Business email compromise attacks surging
Economic downturn and shifting landscape resulting in more incidents
5. Mega data breaches come with increasing costs
Many factors can now contribute to the financial fall-out from such events
6. Increasing regulatory exposure - At home and overseas
Stricter enforcement around increased liability for data breaches and the collection and use of data is to be expected
7. Class action litigation a developing situation
Consumers, investors and other stakeholders are increasingly looking to the courts as well if things go wrong
8. Buying a company can bring cyber risk
The acquiring firm could still be liable for any damage from incidents which predate an M&A
9. Nation states increase risks
More sponsored attacks causing damage and disruption
Risk mitigation: Prepare, practice, prevent
Preparation and training are the most effective forms of mitigation and can significantly reduce the likelihood or consequences of a cyber event. Many incidents are the result of human error, which can be mitigated by training, especially in areas like phishing and business email compromise, which are among the most common forms of cyber-attack.
Training could also help mitigate ransomware attacks, although maintaining secure backups can also limit the damage from such incidents. Business resilience and business continuity planning are also key to reducing the impact of a cyber incident, although response plans need to be tested, practiced and regularly reviewed.
Businesses should consider taking the opportunity to carry out a desktop exercise with their insurer and broker, and include key internal and external stakeholders. This builds trust and can take the sting out of any crisis.
Success in mitigating the impact of a cyber event also requires good oversight and knowledge of IT systems and processes across an organization. If there is no overall control or oversight it will take much longer to get on top of a situation. Clear lines of responsibility and communication, and having all departments aligned with an established relationship and master plan, will lead to a more effective response.
The post Covid-19 landscape brings new challenges for businesses. With home-working widespread, security around access points and potential ransomware attacks is critical, but organizations should also regularly monitor network capacity and ensure it is sufficient, as this can have a significant impact on business income loss if there is an outage. There can also be bandwidth challenges when many employees are video conferencing, and companies should ensure they do not compromise availability.
Purchasing cyber insurance should be one of the final points in a company’s plan to enhance its cyber resilience. Insurance has a vital role to play in helping companies recover if all other measures are insufficient but it should not replace strategic risk management. Investing in employee awareness, together with updating and continuous monitoring of systems should definitely be at the top of any company’s cyber to-do list.