When businesses get bit by bytes

Whether it is due to a technical glitch, human error or, as in the recent Petya and WannaCry cases, a full-on cyber-attack, as digitalization transforms the industrial world there is a significant cyber risk for companies delivering products and services. Implementing proper risk management procedures should be top priority, including understanding the significant threat posed by business interruption (BI).

The 1 Minute Dialogue

> Cyber incidents are often associated with data loss or privacy but, more and more, business interruption is becoming a key risk for companies

> Even though smart factories will reduce the number of physical damage losses, the number of cyber-driven BI events is predicted to increase

> As seen in the recent WannaCry case, “ransomware” attacks can easily stop production across many different industries

> Cyber-attacks create a lot of public awareness about cyber risk but, more often, it is mundane technical failures and IT glitches that cause cyber BI

----

A single cyber incident can lead to a severe interruption of normal business. And the number of incidents is growing. Globally, distributed denial of service (DDoS) attacks will increase over two-fold to 17 million by 2020, roughly 25% per year. Network service provider, Akamai, noted a 77% increase in infrastructure layer attacks just in the period from Q3 2015 to Q3 2016, the largest of which – the Mirai botnet – brought down the infrastructure provider, Dyn, and affected websites like Netflix, Twitter, the Guardian, CNN, etc. in October 2016. Technical computer infrastructure failures are also increasing, causing transportation stoppages and manufacturing production interruptions.

As businesses rely more on digitalization to control and optimize production, insurance solutions address fast-moving and difficult to prevent or predict cyber exposures. Photo: iStock.

Reported data breaches, not including other cyber events, are expected to grow 40% a year by 2019 [1]. “Whether due to a technical glitch, human error or a highly skilled cyber-attack, these incidents are surfacing around the globe, which implies, collectively, the emergence of a ‘new normal’,” explains Rishi Baviskar, Senior Cyber Risk Consultant, AGCS.

As digitalization joins together smart factories, grids, machines, public networks and other facilities, cyber incidents may disrupt many industries. New vulnerabilities are arising in which cyber criminals could exploit the increase in interconnectivity. Whether accidental or planned, the end result of these incidents is business interruption (BI). Impacted businesses cross all sectors.

Hacking into the hospital

The vulnerability of one sector, healthcare, can be seen in the case of a hospital in Germany that came under ransomware attack – a type of virus that incapacitates files and demands cash to extricate the maliciously encrypted data. Staff at Lukaskrankenhaus Hospital in Neuss, Germany, noticed one morning that the system was running slow and unusual error messages were popping up. The entire system, including servers and email, was moved offline.

After weeks, the hospital still experienced problems and months passed before normal business resumed [2]. What damages resulted from the cyber incident? One-fifth of hospital operations were cancelled; emergency room services were sharply curtailed; hospital IT staff had to contract expensive British IT specialists to eradicate the virus; and doctors, staff and patients were inconvenienced for weeks.

Luckily, no patient information was corrupted [3]. The incident shows the devastation that cyber incidents can cause and the resulting interruption that can afflict a business.

“Although in this scenario the focus was on the ransomware, the key consequence was unavailability of systems, as well as the slowdown of operations and services – in other words, cyber BI,” says Georgi Pachov, AGCS Global Practice Group Leader Cyber, CUO Property.

Similar BI losses occurred when a large manufacturing company, Saint-Gobain, was struck by the Petya ransomware attack in June 2017, which left it with sub-normal operations activity for over two weeks (16 days). The company estimates its lost sales to be 1% of six months of revenue (about €200m according to 2016 results) [4]. “These are good examples of how important technology is to normal operations - and how significant financial impacts can ensue,” Pachov says.

Smart still means vulnerable

“Cyber risks are not isolated to a particular segment, but span across different industries and company sizes,” says Pachov. “A cyber-attack, for example such as a DDoS can overload an online retailer’s web server and render it inaccessible. Technical glitches such as incompatible software components and sensors or inaccurately set temperature or pressure parameters can also cause the interruption of normal business activity.”

Businesses increasingly rely more on digitalization to control and optimize production. Likewise, interconnectivity makes the digital supply chain a fundamental part of business. Such dependencies make BI incidents ever more non-physical in nature. One estimate is that the Internet of Things (IoT) will add $10trn to $15trn to the global gross domestic product (GDP) by 2030 [7].

Digitalization is especially evident in the heavy manufacturing sector. The world now includes 1.1 million working robots and about 80% of the car-manufacturing work is allocated to robots [8]. Today, over 3.5 billion machines are connected within the global supply chain – a number that will only increase in future, to an estimated 50 billion machines over the next decade.

The applicability of interconnected devices, smart factories, smart machines and real-time monitoring will lead to a convergence of IT (desktop applications, emails and office tools) and OT (smart machines, production devices and sensors) domains in the next 15 to 20 years.

A “smart factory” includes real-time data communication and exchange from the raw material entry to the final shipping of the product and provides the logic to a variety of devices and machines in order to execute “smart” physical processes.

“In such a scenario,” says Pachov, “machines identify anomalies and will shut down in order to prevent physical damage, which results in less physical damage losses. However, this will also lead to more frequent cyber-driven BI and to the necessity for cyber BI and cyber contingent business interruption (CBI) coverages.”

Cyber insurance solutions

Insurance solutions address the fact that cyber events are fast-moving and difficult to prevent or predict. Because of the uncertainty, many companies may not even know they have been impacted until long after the initial event. Standalone cyber insurance has been designed to specifically cover business losses and liabilities arising from cyber exposures.

Cyber insurance focuses on non-traditional, non-damage cyber BI following an event. When an incident occurs and physical damage or machinery breakdown results, the resulting claim for damages typically falls under the standard property damage policy, due to the existence of physical damage as well as the difficulty of proving a cyber trigger in case of severe damage.

“The market needs to work on the ‘gray areas’ in cyber policies, as well as policy gaps and overlaps across different solutions,” Pachov says. “We are seeing more cyber covers that include a range of BI elements,” adds Emy Donavan, Global Head of Cyber and Tech PI, AGCS.

As the industry grapples with the “silent” cyber exposures that may be triggered in routine incidents, and covered in traditional property and liability policies, it tends to study traditional wordings more closely in order to understand and calibrate new exposures. The issue, however, is that reported loss history is limited, particularly related to BI, and risk aggregation is difficult to quantify.

Insurers are turning a corner but it’s definitely a work in progress, as they have to use hypothetical modelling scenarios. At the end of 2015, Lloyd’s of London asked its syndicates to come up with plausible but extreme cyber-attack scenarios and to report back estimated total exposure in what is to become “an annual requirement [13].”

“AGCS has had a Cyber BI product since the beginning of the 21st century,” says Pachov, “so it’s not something new for us. But the cyber BI severity we are seeing is definitely not driven by cyber-attacks and data breaches, nearly as much as hidden, non-reported technical/technological failure and/or internal operational errors.”

Donavan says that a way for companies to mitigate against cyber risk is to install a Chief Information Security Officer (CISO) or equivalent to implement a comprehensive information security management system (ISMS). “Although it is costly and time consuming, it is necessary not just for information security but also for the long-term health of the business. This is why it should be a board-level concern,” she says.

###

[1] New report points to alarming DDoS attack statistics and projections, Corero, June 26, 2016
[2] Hackers hold German hospital data hostage, DW News, Feb. 25, 2016
[3] Cyber-Angriff sabotiert deutsches Krankenhaus, eperi, 19.02.2016
[4] Cyber-attack, return to normal operations, Press Release, Saint-Gobain, July 13, 2017
[5] Average large corporation experiences 87 hours of network downtime a year, ZD Net, Jan. 20, 2005
[6] Downtime costs auto industry $22k/Minute – Survey, Bartol Mag-Probe, Mar. 27, 2005
[7] Ten illuminating stats about the Internet of Things, VE Interactive, Oct. 26, 2016
[8] Automation, robots and AI: The rise of the supply chain machines, Digital Supply Chain, 11 November, 2016
[9] Average large corporation experiences 87 hours of network downtime a year, ZD Net, Jan. 20, 2005
[10] Massive cyber-attack could cost Nurofen and Durex maker £100m, The Guardian, July 6, 2017
[11] BA faces £80m cost for IT failure that stranded 75,000 passengers, Financial Times, June 15, 2017
[12] Average large corporation experiences 87 hours of network downtime a year, ZD Net, Jan. 20, 2005
[13] Insurers grapple with cyber-attacks that spill over into physical damage, The Economist, 1 Dec. 2016