Reported data breaches, not including other cyber events, are expected to grow 40% a year by 2019 [1]. “Whether due to a technical glitch, human error or a highly skilled cyber-attack, these incidents are surfacing around the globe, which implies, collectively, the emergence of a ‘new normal’,” explains Rishi Baviskar, Senior Cyber Risk Consultant, AGCS.
As digitalization joins together smart factories, grids, machines, public networks and other facilities, cyber incidents may disrupt many industries. New vulnerabilities are arising through which cyber criminals could exploit the increase in interconnectivity. Whether accidental or planned, the end result of these incidents is business interruption (BI). Impacted businesses cross all sectors.
An example of the vulnerability of one sector, in healthcare, can be seen when a hospital in Germany came under ransomware attack – a type of virus that incapacitates files and demands cash to extricate the maliciously encrypted data. Staff at Lukaskrankenhaus Hospital in Neuss, Germany, noticed one morning that the system was running slow and unusual error messages were popping up. The entire system, including servers and email, was moved offline.
After weeks, the hospital still experienced problems and months passed before normal business resumed [2]. What damage resulted from the cyber incident? One-fifth of hospital operations were cancelled; emergency room services were sharply curtailed; hospital IT staff had to contract expensive British IT specialists to eradicate the virus; and doctors, staff and patients were inconvenienced for weeks.
Luckily, no patient information was corrupted [3]. The incident shows the devastation that cyber incidents can cause and the resulting interruption that can afflict a business.
“Although in this scenario the focus was on the ransomware, the key consequence was unavailability of systems, as well as the slowdown of operations and services – in other words, cyber BI,” says Georgi Pachov, AGCS Global Practice Group Leader Cyber, CUO Property.
Similar BI losses occurred when a large manufacturing company, Saint-Gobain, was struck by the Petya ransomware attack in June 2017, which left it with sub-normal operations activity for over two weeks (16 days). The company estimates its lost sales to be 1% worth of six months of revenue (about €200m according to 2016 results) [4]. “These are good examples of how important technology is to normal operations - and how significant financial impacts can ensue,” Pachov says.
“Cyber risks are not isolated to a particular segment, but span across different industries and company sizes,” says Pachov. “A cyber-attack such as a DDoS, for example, can overload an online retailer’s web server and render it inaccessible. Technical glitches such as incompatible software components and sensors or inaccurately set temperature or pressure parameters can also cause the interruption of normal business activity.”
Businesses increasingly rely on digitalization to control and optimize production. Likewise, interconnectivity makes the digital supply chain a fundamental part of business. Such dependencies make BI incidents ever more non-physical in nature. One estimate is that the Internet of Things (IoT) will add $10trn to $15trn to the global gross domestic product (GDP) by 2030 [7].
Digitalization is especially evident in the heavy manufacturing sector. The world now includes 1.1 million working robots and about 80% of the car-manufacturing work is allocated to robots [8]. Today, over 3.5 billion machines are connected within the global supply chain – a number that will only increase in future, to an estimated 50 billion machines over the next decade.
The applicability of interconnected devices, smart factories, smart machines and real-time monitoring will lead to a convergence of IT (desktop applications, emails and office tools) and OT (smart machines, production devices and sensors) domains in the next 15 to 20 years.
A “smart factory” includes real-time data communication and exchange from the raw material entry to the final shipping of the product and provides the logic to a variety of devices and machines in order to execute “smart” physical processes.
“In such a scenario,” says Pachov, “machines identify anomalies and will shut down in order to prevent physical damage, which results in less physical damage losses. However, this will also lead to more frequent cyber-driven BI and to the necessity for cyber BI and cyber contingent business interruption (CBI) coverages.”
Insurance solutions address the fact that cyber events are fast-moving and difficult to prevent or predict. Because of the uncertainty, many companies may not even know they have been impacted until long after the initial event. Standalone cyber insurance has been designed to specifically cover business losses and liabilities arising from cyber exposures.
Cyber insurance focuses on non-traditional, non-damage cyber BI following an event. When an incident occurs and physical damage or machinery breakdown results, the resulting claim for damages typically falls under the standard property damage policy, due to the existence of physical damage as well as the difficulty of proving a cyber trigger in case of severe damage.
“The market needs to work on the ‘gray areas’ in cyber policies, as well as policy gaps and overlaps across different solutions,” Pachov says. “We are seeing more cyber covers that include a range of BI elements,” adds Emy Donavan, Global Head of Cyber and Tech PI, AGCS.
As the industry grapples with the “silent” cyber exposures that may be triggered in routine incidents, and covered in traditional property and liability policies, it tends to study traditional wordings more closely in order to understand and calibrate new exposures. The issue, however, is that reported loss history is limited, particularly related to BI, and risk aggregation is difficult to quantify.
Insurers are turning a corner but it’s definitely a work in progress, as they have to use hypothetical modelling scenarios. At the end of 2015, Lloyd’s of London asked its syndicates to come up with plausible but extreme cyber-attack scenarios and to report back estimated total exposure in what is to become “an annual requirement.”
“AGCS has had a Cyber BI product since the beginning of the 21st century,” says Pachov, “so it’s not something new for us. But the cyber BI severity we are seeing is definitely not driven by cyber-attacks and data breaches, nearly as much as hidden, non-reported technical/technological failure and/or internal operational errors.”
Donavan says that a way for companies to mitigate against cyber risk is to install a Chief Information Security Officer (CISO) or equivalent to implement a comprehensive information security management system (ISMS). “Although it is costly and time consuming, it is necessary not just for information security but also for the long-term health of the business. This is why it should be a board-level concern,” she says.
In June 2017, the Petya ransomware cyber-attack affected some of the world’s largest corporations, including the Danish shipping company AP Moller-Maersk, UK-based advertising group WPP, US delivery service provider FedEx and, among others, UK-based pharmaceutical giant Reckitt Benckiser, which reported a £100m hit in revenue as a result of the attack [10].
A month earlier, WannaCry, another ransomware program, infected more than 300,000 computers in 150 countries. The attack hit several large companies, including a major American parcel delivery company, a European car manufacturer and a Spanish telecom company. It disrupted the operations of the UK’s National Health Service and affected some operations of German rail network Deutsche Bahn, among others.
WannaCry is a worm that targets the Microsoft Windows operating system. It works by encrypting compromised data and locking it up, with the attackers asking victims to pay up to $200 ransom in bitcoins to regain access. It spreads through an erroneous click or download. Once it infects a computer it searches for other computers to attack.
In April 2017, British Airways experienced an IT meltdown of a different kind after an engineer disconnected a power supply. A power surge on reconnection knocked out BA systems over a holiday weekend, disrupting 75,000 passengers and costing it £80m ($100m) [11], according to initial estimates. These incidents again highlight how vulnerable companies are to cyber risks – be it a technical glitch, a human error or a cyber attack – and the BI that usually follows.
In the case of the WannaCry incident, although the ransomware payments were scant compared to the widespread nature of the attack – estimated to be somewhere between $50,000 and £100,000 – it was reported that the total cost of resuming commercial operations could run into billions of dollars. This is why cyber insurance promises to be the next blockbuster in the insurance space, says Hartmut Mai, Chief Underwriting Officer for Corporate Lines at Allianz Global Corporate & Specialty (AGCS).
While cyber insurance is already a mature market in the United States with an estimated premium volume of $3bn, it is still an emerging segment in Europe and Asia. Given the frequency of such events, cyber security and related insurance will become an important part of corporate risk management strategies. These recent ransomware cases may lead insurers to underwrite their cyber risks more carefully, consider the risk aggregation of their exposures and pay more attention to the details and to certifying their clients’ cyber security protocols.
1. New report points to alarming DDoS attack statistics and projections, Corero, June 26, 2016
2. Hackers hold German hospital data hostage, DW News, Feb. 25, 2016
3. Cyber-Angriff sabotiert deutsches Krankenhaus, eperi, 19.02.2016
4. Cyber-attack, return to normal operations, Press Release, Saint-Gobain, July 13, 2017
5. Average large corporation experiences 87 hours of network downtime a year, ZD Net, Jan. 20, 2005
6. Downtime costs auto industry $22k/Minute – Survey, Bartol Mag-Probe, Mar. 27, 2005
7. Ten illuminating stats about the Internet of Things, VE Interactive, Oct. 26, 2016
8. Automation, robots and AI: The rise of the supply chain machines, Digital Supply Chain, 11 November, 2016
9. Average large corporation experiences 87 hours of network downtime a year, ZD Net, Jan. 20, 2005
10. Massive cyber-attack could cost Nurofen and Durex maker £100m, The Guardian, July 6, 2017
11. BA faces £80m cost for IT failure that stranded 75,000 passengers, Financial Times, June 15, 2017
12. Average large corporation experiences 87 hours of network downtime a year, ZD Net, Jan. 20, 2005
13. Insurers grapple with cyber-attacks that spill over into physical damage, The Economist, 1 Dec. 2016