
The cyber risk landscape today

Cyber risk is complex and forever-changing. Attacks and incidents are increasing, with costs climbing into the multimillions. Certain risks cause the most concern, most notably those around data breaches and the potential for significant business interruption.

> Download the full publication “A Guide to Cyber Risk”

Security breaches

Over the past decade, data breaches involving personal data have become a major concern for many organizations, both in the private and public sector. Major corporations, governments and public services have all been targeted by cyber criminals or so-called hacktivists.

Since 2005 there have been 5,029 reported data breach incidents in the US (where organizations must report data breaches to regulators), involving an estimated 675 million records, according to the Identity Theft Resource Center [1].

Statistics outside the US are patchy. However, there have been at least 200 breaches in Europe involving 227 million records since 2005, according to an estimate by the Center for Media, Data and Society at the Central European University [2].

Some of the largest breaches include the likes of US retailers Target and Home Depot, health insurer Anthem, entertainment and electronics firm Sony and investment bank JPMorgan Chase.

The Target data breach, in which the personal details of some 70 million people may have been compromised, was one of the largest in history. At the time of writing, it was reported to have cost the company well in excess of $100m, not including damage to reputation and loss of business, and it was followed by the departure of the company’s chief executive [3].

Increasing trend

The frequency and sophistication of cyber-attacks and incidents continue to increase and look likely to do so for the foreseeable future.

“As little as 15 years ago, cyber-attacks were fairly rudimentary and typically the work of hacktivists,” explains Chris Fischer Hirs, CEO, Allianz Global Corporate & Specialty (AGCS).

“But with increasing interconnectivity, globalization and the commercialization of cyber-crime, there has been an explosion in both frequency and severity of cyber-attacks,” he says.

“In addition, incidents on computer/network infrastructures (outages, disruptions of different sizes and scales) are also occurring. However, they are not reported due to fears about loss of reputation or lack of legal requirements and, thus, don’t make the headlines. Alternatively, businesses manage these internally due to lack of insurance,” adds Georgi Pachov, Group Practice Leader Cyber, CUO Property, AGCS.

Shifting regulatory landscape

Awareness of cyber risk is highest in the US, where strict data protection laws require companies to notify individuals of a breach.

Outside the US, data protection regimes differ by country, but there is now a general trend towards tougher rules as governments look to bolster cyber security.

“Legislation has already become much tougher in the US. Hong Kong, Singapore and Australia all have new data protection laws, and Europe looks to be heading in the same direction,” says Nigel Pearson, Global Head of Fidelity, AGCS.

The European Union (EU) is currently reviewing its data protection law, looking to introduce a new harmonized regime. While the exact scope and shape of the proposed regime is still hotly debated, it is likely to mean greater powers for regulators and more stringent rules for most EU member states.

Harsher penalties

For example, draft legislation has proposed mandatory reporting of a data breach to the regulator, and potentially to individuals affected by the breach. There are also proposals to impose larger fines for breaches of data protection laws, of between 2% and 5% of a company’s global turnover.

Similar requirements in many US states have significantly driven up the costs of dealing with a data breach. “In Europe we can expect tougher rules on a country-by-country basis,” says Pearson. “Politically, it is difficult to be seen to be soft on data breaches. We will see more notifications and significant fines for data breaches in future.”

Consumers are increasingly likely to seek compensation for the loss or misuse of their personal data, a view that appears to be shared by regulators and courts.

At the same time, companies, conscious of both their statutory and corporate social responsibilities, are beginning to recognize the need to compensate those affected by a breach.

Business interruption an increasing concern

While data breaches are a major concern for organizations holding large volumes of personal data, security breaches highlight other threats to business, such as business interruption, intellectual property theft and even cyber-extortion.

With companies increasingly reliant on technology, business interruption exposures are becoming ever more significant, particularly in sectors such as telecoms, transport, media and logistics.

For example, hackers took French broadcaster TV5 off air in April 2015, affecting 11 TV stations, social media, websites and email [4]. In June 2015, hackers grounded 10 planes belonging to a Polish airline (LOT) [5] after a denial-of-access attack blocked the sending of flight plans.

Meanwhile, in 2012, “malware” disabled tens of thousands of computers at oil company Saudi Aramco, disrupting operations for a week [6].

Of course, business interruption can also be caused by technical failure or human error, as demonstrated by two recent high-profile examples.

Trading in stocks worth a total of $28trn was suspended for three and a half hours on the New York Stock Exchange in July 2015, with authorities reporting that the glitch was not due to cyber terrorism or criminal activity [7].

During the same month, 4,900 United Airlines flights were affected by a “network connectivity” issue [8].

“The impact of cyber business interruption, triggered by technical failure, is something which is frequently being underestimated by businesses relative to cyber attacks,” says Pachov.

Industrial control systems

Recent years have seen growing concern about the vulnerability of industrial control systems (ICS), which are used to monitor or control processes in the industrial and manufacturing sectors, among others.

An attack against an ICS could result in physical damage, such as a fire or explosion, as well as business interruption.

“A number of ICS still used by manufacturing and utilities companies today were designed at a time before cyber security became a priority issue,” explains Pearson.

The vulnerability of ICS was first highlighted by the Stuxnet computer worm in 2010. Stuxnet was reportedly developed by Israel to target Iranian nuclear facilities; the worm allegedly destroyed uranium enrichment centrifuges.

ICS are also vulnerable to technical failure and operator error, which can be much more frequent and severe in terms of impact and are often not captured in cyber reports, Pachov adds.

While ICS are a particular issue for the energy sector, similar cyber-related physical damage and business interruption risks exist in other industries.

For example, car manufacturing plants rely on robots to make and assemble vehicles. Should a robot be hacked or suffer a technical fault, a production line could be interrupted for hours or days, at a potential cost of tens of millions of dollars per day.

And the potential cost of damages could be even higher from an incident involving security-sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.