Cyber risk appears in many forms, all of which can represent major threats to business. Companies increasingly face new exposures, including first- and third-party damage, business interruption and regulatory consequences.
It is estimated that cyber-crime alone costs the global economy approximately $445bn a year (1) with the world’s largest economies accounting for around half of this, data analyzed in an AGCS report A Guide to Cyber Risk: Managing The Impact of Increasing Interconnectivity shows. The threat posed by such incidents is expected to increase further during 2016.
According to Symantec Corporation (2), risks associated with the increasing use of Apple devices and the “Internet of Things” are among the factors which will drive this increase. The US software security firm predicts that attacks on critical infrastructure will also rise.
This increasing risk is reflected in the Risk Barometer, with cyber incidents (cyber-crime, data breaches, IT failures) gaining 11 percentage points year-on-year to move into the top three risks for the first time (28%). Three years ago this peril ranked just 15th (6%).
Loss of reputation (69%) is the main cause of economic loss for businesses after a cyber incident, according to responses, followed by business interruption (60%) and liability claims after a data breach (52%).
Due to the almost automatic blow a company’s reputation can sustain in the event of a cyber incident, many attacks still go unreported. Likewise, many network outages and disruptions that are caused not by cyber-attacks but by technical issues are not made public for similar reasons.
A lack of understanding (48%) of the complexity of the risks involved is cited as the main factor preventing companies from being better prepared to combat cyber threats. Not having a concrete assessment of the cost of the risks involved (46%) ranks second. Budgetary constraints (39%) rank third.
“Attacks by hackers are becoming more target-oriented, lasting for longer and can trigger a continuous penetration,” says Jens Krickhahn, Practice Leader at AGCS Financial Lines Central & Eastern Europe.
“Studies show that it takes, on average, 90 days for businesses to discover they have been hacked. Often the incident is identified, not by the business itself, but by the customer or another stakeholder, which is another reason why cyber risks pose a huge threat to a company’s reputation.
“The fact that companies often only recognize the loss when an attack has already happened means all they can do is try and prevent further damage. This is why prevention is such a key element in IT security. Managing cyber risk has to be an integral part of any company’s risk management strategy.”
Increasing impact of technical failure and user error
According to almost 60% of responses, an increase in cyber incidents is the major trend that will increase the threat of business interruption (BI) risk in future.
“Cyber incidents can have a huge impact on BI,” explains Volker Muench, Global Practice Group Leader, AGCS Property Underwriting.
“We know cyber-attacks are increasing. However, cyber risk not only includes the threat from hackers. As automation of industry continues, operational technology (OT) issues such as technical failure and user error, for example, also pose an increasing challenge.
“OT is the capability that directly controls the value-add, or transformation, of goods in real-time. In today’s interconnected world of internet-based supply chain management, a simple technical failure can result in a major system interruption.”
“Early warning systems and better monitoring systems are necessary in order to prevent large BI losses,” Krickhahn adds.
Assessment of cyber BI risk involves many factors including financial analysis of the health of the company, service/production processes and their bottlenecks, computer/network infrastructure management, as well as discussion of loss scenarios and modeling.
Addressing and minimizing exposure
All organizations need to consider their cyber exposures and prepare for a potential incident.
Monitoring tools, improved processes and greater employee awareness can help companies be more prepared. Businesses should identify key assets at risk and potential weaknesses – such as human error or overreliance on third-party service providers.
Different stakeholders from the business must share knowledge. Insurance can mitigate the impact of many cyber risks but after a security incident or loss of data an immediate response is required to manage the incident successfully. Companies need a crisis or breach response plan, which should be regularly reviewed and
(1) Net Losses: Estimating the Global Cost of Cyber-Crime, CSIS/McAfee
(2) www.symantec.com/connect/blogs/Symantec predictions 2016 looking ahead