Digital vulnerability: As the volume of online business soars, so does crime. Cyber insurance products are helping businesses face the many threats and risks in global digital networks.
Download this and other articles, as well as the full issue, here.
Deflecting rapidly rising IT risks
With digitalization continuing to spread at an exponential pace and global networks finding their way into practically every aspect of commercial life, the threats and damage caused by deliberate or mistaken misapplication of information and communications systems are likely to measurably increase as well. It is time to use augmented cyber-insurance products to safeguard against these risks.
When data breaches occur, during which protected and/or sensitive information has been viewed or stolen by someone not authorized to do so, costs rise. Germany, for instance, has the highest costs associated with such events: $199 per record (e.g., a table in a database or a collection of data stored on a CD). The United States trails slightly behind, at $188 per record. By contrast, such breaches only cost $42 per record in India.
These figures were compiled by the U.S.-based Ponemon Research Institute for a study titled Cost of Data Breach 2013. Conducted on behalf of the computer security company Symantec, this study surveyed 277 companies in 16 industrial sectors and nine countries. The study found that an average data breach costs German companies about US$4.8 million. As a rule, many records are affected when such a data breach occurs. Tens of thousands of customer data can be involved, as a case of credit card fraud recently demonstrated. The costs in these cases arose from the detection of security breaches, escalation and notification activities and after-the-fact response, the study said. Furthermore, the study examined diminished customer trust on the basis of per capita sales and customer turnover.
Like other research done before it, the Ponemon study found that the root causes of data breaches were distributed relatively equally: 37 percent of incidents involved a malicious or criminal attack, 29 percent system glitches and 35 percent human error (negligence).
Cyber attacks, system and process errors almost equally distributed
José Fidalgo, the Head of Risk Consulting Germany at Allianz Global Corporate & Specialty (AGCS), agrees with the study’s findings about the causes. “Our data and discussions with companies show a roughly equal distribution of causes. The reasons for first-party and third-party damage can be broken down by thirds: one-third can be traced to glitches in the IT infrastructure, one-third to internal process failures and one-third to external attacks.” AGCS’s technical experts say these problems can result in micro-blackouts, process crashes and/or data loss. These short system crashes are particularly vexing, the experts say. Because they are so short, these crashes are neither detected by the controller of the uninterruptible power supply nor adequately countered by IT monitoring systems, they add. “This can cause the system to become disoriented and be knocked out of service for hours at a time, particularly when the source of the problem cannot be traced right away,” Fidalgo says. When such a disruption in operation occurs, costs naturally arise for the company itself. But the business could also face additional costs if service warranties for customers are involved or third-party damage occurs.
Another frequent cause of damage that can result in operational interruptions or disruptions, as well as losses or unavailability of data, are software updates or migrations. Here is an example of just how expensive such an incident can be for an airline service provider: Due to a bad update, all bargain fares temporarily vanished from the airline’s booking system. “As a result, the flights had fewer passengers and the company lost sales and earnings,” Fidalgo says. “Such updates, even if they are small ones being installed in a complex system, can cause major damage among third parties.”
When it comes to cyber attacks, Fidalgo continues to think that the situation will not improve. Actually, he is rather pessimistic: “If you want to deal with this risk, you have to work with worst-case scenarios.” He says this includes the systematic search for vulnerabilities in order to influence the control systems of production facilities or even nuclear power plants.
High average-costs for security breaches
Other studies, including one done by the security software company Kaspersky, found lower costs for security breaches than those cited by the Ponemon analysis. In the report Global Corporate IT Security Risks 2013, Kaspersky said the average cost of a security incident totaled US$649,000 for a major company. A midsized enterprise would face average costs of US$50,000, the study said. But the costs for dealing with successful attacks would climb to about US$2.4 million at large companies, Kaspersky said.
Figures from the Kaspersky study regarding England were confirmed by the British Department for Business Innovation & Skills. The PwC study 2013 Information Security Breaches Survey works on the assumption of a significantly higher number of security breaches. It says 93 percent of large companies (more than 250 employees) and 87 percent of small companies (fewer than 50 employees) recorded security breaches last year. Seventy-eight percent of the large companies were attacked by outside parties in 2012, compared with 73 percent in 2011. On average, major companies experience 113 security breaches of all types each year, and small companies fight off an average of 17 such attacks. The British study says the average costs for the most serious security breaches in a year total between £450,000 to £850,000 at large companies. It is much lower at smaller companies, at £35,000 to £65,000.
New sources of threats arising
Even though the various sets of numbers tell a different story on their own, one point stands out: Data-security breaches are multiplying, and they are causing increasing amounts of damage. Given the type of trends sweeping through information technology – cloud computing, real-time analysis of huge amounts of data (big data), mobile devices and new forms of digital, collaborative working relationships – it is obvious that companies’ dependency on IT infrastructures, applications and online applications will rapidly rise. The relationship between the analog and digital worlds is growing tighter and tighter, a trend that will expand the threat potential.
Added to this are attacks on industrial control systems like the Stuxnet computer worm discovered in 2010. Up to now, such attacks needed precise information about the particular equipment-control unit. But if these units are connected online and if transmission protocols and bus systems become increasingly standardized, as expected, they will be just as threatened as today’s commercial computer systems, PCs and smartphones. It should also be remembered that the cyber-technical protection of these structures lags far behind that of the commercial systems. Some experts speak of a lag of five to 10 years.
Allianz Cyber Protect – protection against major IT risks
Given the spreading nature of the threat, companies must act. First, they must respond to risks and threats by using the very latest security technologies. But they also have to go a step farther and consider how they intend to cover, or at least reduce, the residual risks arising from first- and third-party damage related to cyber risks. One option is the cyber and IT insurance that AGCS recently began to offer as Allianz Cyber Protect (see box). These policies enable companies to obtain single-source protection against the cyber risks they face. “This market is rapidly growing,” says Hartmut Mai, Chief Underwriting Officer, Corporate Lines at AGCS. Mai estimates current premium volume in this area at €150 million in Europe and at €50 million in Germany. “Outside the United States, where the market for cyber insurance has already risen to US$1.3 billion, we are expecting to see double-digit growth each year. By 2018, we see market volume for Europe alone of €700 million to €900 million.” The Allianz product is being initially launched in selected European markets. It will be introduced later in South America and Asia. Due to special liability conditions, the coverage will not be offered in the United States.
Joachim Albers, Global Head of Product Development at AGCS, adds: “With Allianz Cyber Protect, we are offering an insurance product that covers the major IT risks across a number of insurance areas. The customer no longer has to worry about which IT risks are covered by something like liability or property insurance.” If the customer suffers damage as a result of infringement of personal rights, data-breach liability, network-security liability, multimedia breach of contract, computer fraud, business interruption, as well as data recovery, data-security legal cases, forensic services and crisis-communication costs, this is covered up to the limit set in the policy. With Cyber Protect, AGCS is responding to new types of risks that companies have to be able to cover, Albers says. “As an insurer, we cannot just lean back on traditional products.” The wider the use of digitalization in company processes, the greater the need to minimize the risks that arise from it. “We have responded to this development,” he says.
Countries demand increased consumer protection
As an example, Albers cites compliance violations. The EU and individual countries are demanding increased consumer protection in the area of IT. A number of legislative proposals call for companies to inform not only government officials, but also their customers about possible data breaches within a certain period of time. Cyber Protect also covers the costs associated with these notifications. “We are working on the assumption that regulations in the EU and in other countries will be changed and toughened,” Albers says.
Dr. Georgi Pachov, Global Cyber Leader Property at AGCS, offers another example. Cyber attacks or undesired changes made to electronic data can result in significant costs for the policyholder if business is interrupted. Simply changing a date in the control system could result in inaccurate warehouse information. This error could then cause the entire warehouse to have to be shut down. “Allianz Cyber Protect covers the costs of business interruption or for reprogramming the control systems,” Pachov says.
Another type of damage that Allianz is covering for the first time with Cyber Protect is the costs involved in preventing reputational damage caused by IT glitches and successful cyber attacks. “The reputational damage itself cannot be covered because we don’t have a sufficient base line for it. But the costs for crisis communications and the consulting work related to it can be covered,” Albers says.