Business interruption (BI) following a cyber incident has emerged as a key risk for businesses, with an increasing number of scenarios leading to disruption. For the first time in the Allianz Risk Barometer, survey participants indicated that cyber incidents were of a similar level of concern to the closely related risk of BI, which has ranked as the top peril in the survey over the past seven years.
For many companies, this is where their big exposure lies today. Think of a large organization that has a very sophisticated supply chain and an operation that produces millions of dollars in revenue – daily or monthly. Depending on the size of the organization, if it shuts down for technical issues in a cyber incident, that will trigger a significant loss.
“As all businesses embrace digital business models, success is highly dependent on the technology facilitating the business,” says Georgi Pachov, Global Practice Leader, Cyber, AGCS. “Revenue streams can be easily interrupted following abnormal technological behavior. Cyber incidents leading to BI will become much more frequent in future due to the massive reliance on technology and data for running businesses. In the age of the ‘Internet of Things’, if two manufacturing devices cannot communicate and exchange data with each other this will inevitably lead to a business disruption.”
Business interruption was a hallmark of the WannaCry and NotPetya malware attacks in 2017, causing large losses for a number of shipping, logistics and manufacturing companies. Companies such as Maersk and FedEx saw losses of $300mn from the NotPetya event, while consumer goods manufacturer Reckitt Benckiser reported £100mn ($130mn) in loss revenues.
Malware attacks have continued to trouble companies – semiconductor maker Taiwan Semiconductor Manufacturing Company, a key supplier to Apple, lost over a day of production after a virus infected machinery at plants in Taiwan in August, 2018. The virus was a variant of WannaCry. Meanwhile, the ports of Barcelona and San Diego were both victims to ransomware attacks which impacted servers and administrative systems in September 2018, as was the shipping company COSCO in July, which also saw its IT systems disabled in the US. Insurers have seen a growing number of BI claims trigged by cyber incidents with claims that exceed $100mn1.
IT outages have emerged as a significant exposure as organizations become reliant on technology to conduct everyday business. The airline sector has experienced a number of technology-related outages, including a major outage in 2017 which occurred after a power surge on reconnection knocked out British Airways systems over a holiday weekend affecting 75,000 passengers and costing it £80mn, according to initial estimates4.
Customers at UK bank TSB suffered months of disruption in 2018 after a failed IT platform migration – the incident cost the bank in excess of €300mn5. The FCA says bank outages have risen 138% in the past year6.
Reliance on IT and technology service providers – such as cloud services, online booking platforms and supply chain systems – also brings potential contingent business interruption (CBI) exposures. A software glitch at network equipment provider Ericsson disrupted services for millions of mobile phone customers in Europe and Japan in 20187. When Visa suffered an outage in 2018, it affected the payment card services used by banks and retailers across Europe. Similarly, in 2017, a four hour outage at Amazon’s AWS cloud computing division impacted a number of internet services, websites and other businesses. It was reported the outage was caused by human error. Guidewire Cyence Risk Analytics estimated that companies in the S&P 500 dependant on Amazon’s services lost approximately $150mn as a result8.
It has been estimated that in the event of an outage at a cloud service provider lasting more than 12 hours losses could total as much as $850mn in North America and $700mn in Europe, based on 50,000 companies in three specific industry sectors (financial, healthcare and retail) being impacted by the outage in each region9.
“A single point of failure can trigger a chain reaction across the value chain, including suppliers to the final customer, and cause a severe business interruption and accumulation for insurers,” says Pachov. “The same event can trigger a significant reputational loss.”
1. Allianz Global Corporate & Specialty, Global Claims Review, The Top Causes of Corporate Insurance Losses
2. The Financial Conduct Authority, Cyber and technology resilience in UK financial services, November 27, 2018
3. Kroll, Data breach reports to Information Commissioner increase by 75%, September 4, 2018
4. Financial Times, BA faces £80m cost for IT failure that stranded 75,000 passengers, June 15, 2017
5. Reuters, Spain’s Sabadell exceeds forecasts despite TSB outage costs, October 26, 2018
6. The Financial Conduct Authority, Cyber and technology resilience in UK financial services, November 27, 2018
7. Reuters, Ericsson sorry for software glitch that hits mobile services in Britain and Japan, December 6, 2018
8. Guidewire Cyence Risk Analytics, MMC Cyber Handbook 2018, Evolution of Cyber Risks Quantifying Systemic Exposures
9. Guidewire Cyence Risk Analytics, Allianz Global Corporate & Specialty, Allianz Risk Barometer 2018