Print

Expert Risk Articles

Allianz Risk Barometer 2017 - Top risks in focus: Cyber incidents

With increasing numbers of data breaches and cyber-attacks invading the news cycle – ranging from Yahoo’s recent admission that one billion accounts were compromised in one of the biggest data breaches in history in 2013[1] to the alleged disruption of the US Presidential election – it is no wonder that cyber incidents continues an impressive five-year climb up the Allianz Risk Barometer.

In 2013, cyber was the 15th top risk, with only 6% of responses naming it in their top three business risks. By 2014, it jumped to 8th place with 12%. In 2015, it was the most significant mover, climbing to 5th place with 17% of responses. Last year, cyber emerged for the first time into the top three in 3rd position with 28% and although still in third place this year, the number of responses is up to 30%, only one point behind the number two risk, market developments.

Why cyber risk is a growing concern

“Cyber risk is not going away and people around the world are right to be concerned,” says Emy Donavan, Head of Cyber North America, AGCS. Concern is increasing because it is still largely an unknown risk, is not isolated to a particular segment and spans different industries and sizes of companies, from an online retailer through to a heavy manufacturer to an oil refinery. The nature of hacking attacks, for example, is enigmatic and will change over time and companies are worried about increasing sophistication of attacks" (see chart in Top Risks in Focus - Market Developments).

“Increasing interconnectivity and sophistication of cyber-attacks poses not only a huge direct risk for corporate and commercial clients but also indirectly via exposed critical infrastructures such as IT, water or power supply. Cyber-attacks might impact companies and societies more severely via long-lasting and widespread business interruptions of those critical infrastructures,” says Michael Bruch, Head of Emerging Trends at AGCS.
/assets/Graphics/Risk%20Barometer%202017/Cyber%20Incidents/Causes-Loss-Cyber-Incidents_873x384.jpg
(Click to enlarge chart)

Meanwhile, data protection rules are becoming increasingly tough as government agencies bolster cyber security. This significantly impacts businesses; as penalties for non-compliance can be severe. Laws in the US are already strict but a heightened liability focus is also seen elsewhere in the world. A significant development is occurring in Europe where the introduction of the General Data Protection Regulation will transform the landscape.

According to Nigel Pearson, Global Head of Fidelity at AGCS, time is already running out for businesses to prepare for its implementation in May 2018. “It will impose significant liabilities and penalties on companies doing business in the EU or with EU citizens. Costs to comply with the legislation will be high, the penalties of not complying could be even higher,” he says. Companies could be fined as high as 4% of their global revenues for breaching rules. Executive liability is also expected to increase. Then there is the impact of technical IT failure or human error, which can also result in costly damages.

Business interruption, customer and reputational damage

Business interruption impact is now the cause of economic loss after a cyber incident companies worry about most, according to Risk Barometer responses. Almost 70% cited this a major concern. “Cyber exposure goes well beyond standard privacy/data breaches,” says Georgi Pachov, Global Practice Group Leader Cyber, AGCS. “A single cyber incident, be it a technical glitch, human error or cyber-attack can lead to a severe business interruption, loss of customers and market share, as well as mid to long-term reputational and brand damage.”

“In today’s Internet of Things/Industry 4.0 production environment the machines and companies are connected. A failure to submit the data or read the data correctly could stop production,” adds Volker Muench, Global Practice Group Leader, Property Underwriting, AGCS.

/assets/Graphics/Risk%20Barometer%202017/Cyber%20Incidents/Internet-Incidents_471.jpg

In the Industry 4.0 environment a failure to submit or interpret data correctly could stop production. Photo: iStockPhoto

Cyber risk mitigation strategies

As a fast-moving and difficult to prevent risk, cyber is challenging to mitigate because not only is the nature of the assault unknown but the nature of the loss can be hard to determine, as well. Because of the indefinite nature of the risk, companies may not even know they have been impacted until long after the initial event occurred.

All organizations, including smaller-sized enterprises need to consider their potential exposures and prepare for an incident. Businesses should know their assets and how to prepare and protect data. Although there is no such thing as 100% security, companies and employees at all organizational levels should implement monitoring and early warning systems to guard against data breaches, for example. Developing a cyber strategy with a business continuity plan is equally important. “Security is not just an IT issue,” says Thomas Varney, Regional Manager, Americas, Allianz Risk Consulting. “Every organization is vulnerable to cyber threats and how swiftly they respond to mitigate a breach is key.”

Donavan suggests companies train employees on how to identify fake emails and not to click through on suspicious links. She emphasizes the importance of backing up data offsite, segmented apart from the rest of the company’s network. Finally, she stresses the importance of using role-based permissions for employees and not granting more data access to employees than they need to effectively do their jobs. “Doing these three things,” she says, “would prevent half the losses I see.”

According to Pearson, businesses should employ a chief information security officer (CISO) or equivalent who should implement a comprehensive information security management system. “This can be costly and time-consuming but is necessary, not just for information security but for the long-term health of the business,” he says. “This is why it should be a board level concern.”


Cyber insurance continues to evolve. Examples of areas of protection include:

• Business interruption and restoration costs
• Consultant services
• Crisis communication
• Cyber extortion
• E-payments
• Hacker theft
• Media liability claims
• Network security claims
• Notification costs
• Privacy and data breach
• Regulatory costs
• Response costs

 


[1] Important Security Information for Yahoo Users, Yahoo.tumblr.com