New threats such as “cyber hurricanes”, increasing reputational risk and tougher data rules mean businesses and risk experts are more concerned than ever.
Production of a vital vaccine is disrupted, leading to fears of a drug shortage. One of the world’s busiest “smart” ports is brought to a standstill, leaving containers stranded. Recent events show how vulnerable businesses are to an ever-evolving cyber threat and its impact on the balance sheet – an estimated $275m1 in insured losses alone from the vaccine incident and a potential $300m2 hit for a shipping company from the terminal incident, and others, are among reported losses from the June 2017 Petya ransomware attack. Economic losses from the WannaCry attack a month earlier could eventually hit $8bn, according to cyber risk analytics and modeling firm, Cyence Risk Analytics. Just like a natural disaster, a single cyberattack can potentially impact hundreds of companies, leading to severe business interruption and loss of customers and reputation. It is no wonder that cyber incidents continue a six year climb up the Allianz Risk Barometer in 2018 – cyber is now the top risk in 11 countries.
Multiple threats underestimated
“Every company has been or will be impacted by cyber risk. It is not over-hyped. If anything it is under-appreciated because the threats are not always well understood,” says Emy Donavan, Global Head of Cyber at AGCS, noting that over 50% of Risk Barometer responses rank cyber as the risk most underestimated by businesses. “There are now multiple cyber threats to a company’s digital presence.”
Personal data or intellectual property can be compromised. Businesses can incur network liability if a corrupted file is transferred to another company. Respondents are increasingly worried about new perils such as cyber extortion and, particularly, business interruption (BI). Meanwhile, the emergence of two major security flaws in computer chips – Meltdown and Spectre – in January 2018, which raised fears that hackers could steal data from computers and devices around the world, shows how cyber interconnectivity continues to bring unexpected threats.
Larger infrastructure attacks in 2018
Businesses worry about the increasing sophistication of cyber-attacks. December 2017 brought the first report of a successful safety system breach at an industrial plant by hackers, after previous incidents at other types of critical infrastructure3. Meanwhile, incidents such as WannaCry, Petya, and Mirai, the massive distributed denial of service (DDoS) attack on internet provider Dyn, which disrupted the likes of Twitter, CNN and Netflix in October 2016, are part of a growing trend of broader accumulation events, or “cyber hurricanes”. Hackers can disrupt larger numbers of companies by targeting common infrastructure dependencies – a trend that will likely continue through 2018.
One of the most effective prevention techniques for ransomware is effective, secure, segregated back-ups that are performed regularly, Donavan says. User-based access rights can also be effective. If the concern is a DDoS attack, systems redundancy and back-up servers are vital.
Reputation on the line
Cyber incidents aren't just caused by hackers. Technical failure or malicious or innocent employee action is often to blame. Whatever the cause, reputational damage is irrevocably linked. According to reputation analysis and research institute, MediaTenor, 75% of all companies which suffer a cyber-attack also incurred reputational damage or loss. Companies in the entertainment, banking and retail sectors are particularly vulnerable due to handling confidential data. Furthermore, companies can suffer reputational damage without negative media coverage. If sensitive data is compromised, trust can be destroyed among core stakeholders without media involvement.
Cyber insurance as a service
Increasing interconnectivity means it is more important than ever for companies to review cyber security and resilience and consider the role of cyber insurance as part of their risk management. As the cyber threat evolves, so does the cyber insurance proposition, beyond just covering financial loss such as BI and restoration costs. For example, if an organization suffers a data breach it will need instant access to specialist lawyers, IT forensics and crisis management consultants to help mitigate the impact of an incident as it develops. Insurance provides this.
“Companies can’t bury their heads in the sand. The sooner they respond the better the outcome. Companies that respond poorly to a cyber incident will see more of a long-term impact on their stock price than those that respond well,” says Donavan.