By Bob Parisi – Cyber Product Leader, Marsh
Cyber attacks are a potent and dynamic threat for all organisations, regardless of geography, size, or sector. Today, the biggest technological threats to organisations are not limited to server outages or data breaches.
Cyber events can result in significant disruption to supply chains, partial or complete shutdown of operations, even damage to property and other critical assets. The financial losses alone can reach hundreds of millions of dollars. As such, organisations and their senior leaders need to view cyber exposures as an operational risk to be managed, not a problem to be solved. No amount of money or technology will eliminate an organisation’s cyber risk. The goal, instead, should be to become cyber resilient.
The WannaCry and NotPetya global ransomware attacks from earlier this year underscore the significant challenges facing organisations. While potential insured losses resulting from these events are still being determined, they are expected to exceed $100 million. These attacks, which affected numerous companies around the world, encrypted files on computers and shut down operations for hours and even days, causing significant business interruption and disruption.
These recent events highlight that cyber risks are constantly evolving along with the ever-increasing scale and scope of cyber attacks.
And business leaders around the world are getting worried. According to the World Economic Forum’s proprietary Executive Opinion Survey that asked 12,411 executives across 136 countries to identify the five biggest risks to doing business in their respective countries, large cyber attacks ranked eighth on the top 10 list of global risks in 2017, moving up three spots from the previous year. Large cyber attacks were identified as a top concern of business leaders in a number of advanced economies, including the United States, Canada, Japan, Singapore and the UAE.
So, how does an organisation become cyber resilient? At a macro level, it involves implementing the right mix of cyber risk mitigation, risk quantification and risk transfer strategies. Cyber resilience enables organisations to mitigate the effects of a cyber attack and continue operating.
Gone are the days when technology, data and other information could be secured by locking the door behind you when you left the computer room. Companies today need to approach cyber risk in the same way they do any other operational risk they face.
Like managing other operational risks, this means starting with an understanding of the exposure, from the broadest level of ‘what specific actions should we take?’ to the more granular, ‘how do we value our assets and are we unknowingly placing them at risk?’.
Answering these questions with precision requires identifying which data, applications and systems are essential in conducting your organisation’s operations and then developing a cyber strategy that is driven by protecting core business functions – and not merely responding to threats. What are your potential losses? What are your most critical assets? Is it intellectual property? Customer data? Medical histories? Trade secrets? Proprietary financial data? Industrial control systems?
A good start is to adopt a management framework for cybersecurity. The Cybersecurity Framework published by the National Institute of Standards and Technology helps an organisation develop and manage its cybersecurity programme through desired outcomes within five categories:
- Identify: Develop the organisational understanding to manage cybersecurity risk to systems, assets, data and capabilities
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
The NIST Cybersecurity Framework is a tool to help organisations to understand their cybersecurity posture – including business continuity, crisis management and IT disaster recovery – and to systematically improve it. By employing this framework, organisations can look at cybersecurity holistically to pursue resilience – not just security.
Cyber risk quantification
An often-quoted comment about cyber risk is that there are two kinds of companies: those that know that they have suffered a breach and those that have yet to discover the breach. Indeed, various experts estimate that 50 per cent of companies suffer a breach every year. So, simply putting in place preventive measures only gets you part of the way to resilience. The question remains: have you implemented and tested a plan that allows you to work through the crisis and minimise the disruption? A first step in that journey is a deeper understanding of what is at risk, both technical and financial.
Many organisations rely on traditional cyber risk assessment methodologies that are not designed to produce financial estimates of the exposure. Until you are able to understand the financial impact, you cannot begin to develop and implement a cyber strategy that is centred on proactively protecting core business functions.
Although historical data is well-suited to estimating the impact of data breaches, cyber business interruption costs can be more difficult to quantify because every company’s IT systems, infrastructure and exposures differ. How much a cyber event costs will depend on many factors, including the organisation’s business operation model, incident response capabilities, actual response time and insurance coverages at play. By undertaking a cyber business interruption risk quantification analysis, organisations can gain a better understanding of the risks and associated costs. They can also build a foundation for making more informed risk mitigation and transfer investment decisions and, by extension, improving cyber attack resilience.
One way of quantifying cyber business interruption risk is to use scenario-based analyses that focus on three factors:
- Estimating the severity and likelihood of a cyber business interruption event: Using realistic scenarios can allow organisations to more accurately quantify the potential financial loss from a cyber business interruption event. Equally important is to scope these scenarios such that their likelihood of occurrence falls within a preselected range based on enterprise risk appetite and tolerance considerations.
- Identifying mitigation options: Depending on the significance of an organisation’s cyber business interruption exposures, risk mitigation options could include changing business processes, re-architecting IT infrastructure to improve resilience, enhancing IT restoration capabilities, or strengthening technical cybersecurity controls. To properly evaluate these choices and identify the strategies that will have the greatest impact, it’s important to have a credible estimate of potential cyber business interruption exposure.
- Evaluating risk transfer options: Insurers are increasingly offering broader coverage for business interruption exposures in both cyber policies and traditional property all-risk policies. A scenario-based cyber business interruption risk quantification analysis can support the proper structuring of these insurance options, including selecting appropriate limits.
All the risk identification, mitigation and quantification efforts will not stop a cyber attack or failure of technology from occurring. Risk transfer, typically in the form of insurance, can respond to the residual risk that cannot be prevented by providing financial recourse after a cyber loss – in effect bolstering resilience.
Cyber insurance, while relatively new compared to other lines of insurance cover, has been around for two decades and has evolved and grown to meet the changing nature of cyber risk. The number of new organisations in the United States purchasing standalone cyber insurance has steadily grown by double-digits year-on-year for the last 10 years. This is due in part to the ever-expanding recognition of the risk among organisations across a wider array of industries (see the 2016 Cyber Insurance table, below).
Broadly, cyber insurance covers the risks companies face from handling data and relying upon technology. Adopted early on by certain industries – technology, retail, health care and financial institutions – the coverage has expanded to respond to risks well beyond privacy breaches that tended to dominate the news media until recently.
Cyber insurance now addresses the full spectrum of operational cyber risk faced by companies across all industries, including business interruption, contingent business interruption, loss caused by the failure of a Cloud services provider, harm associated with a breach attributable to the Internet of Things and property damage arising from a cyber event. Cyber insurance has also risen to the challenge of picking up where traditional insurance left off. As the risk profile of companies has changed – with unplanned technology outages presenting as big a threat as adverse weather and currency fluctuation – traditional property/casualty insurance has stumbled in matching coverage to risk. Cyber insurance has stepped in to fill that vacuum.
Just as cyber risks have expanded, so too has the penetration of cyber insurance into the economy. Over the past two decades, the cyber insurance market included a handful of insurers in the US and London that combined could offer a $100 million policy for a potential buyer. It has now grown to more than 50 insurers offering close to $2 billion in limits globally. In practice, individual cyber insurance programme size varies depending on industry and coverage, with many large organisations purchasing between $200 million and $500 million in limits. From a pricing perspective, organisations that buy cyber insurance have generally been experiencing a plateau in pricing, with cyber rates decreasing by an average of 1.5 per cent in the second quarter of 2017.
Organisations continue to increase their total cyber programme size, due in part to growing recognition of the risk. The recent global ransomware and malware attacks have organisations paying more attention to business interruption exposures and how/if that can be insured. Even prior to WannaCry and NotPetya, the most recent survey by the Business Continuity Institute found that for the fifth year in a row, unplanned IT or telecommunications outages were the leading cause of supply disruption; cyber attacks and data breaches were identified as the third cause of a high-impact disruption. Recent enhancements to cyber insurance wordings for business interruption risk now provide a greatly improved means to manage this peril through risk transfer.
Cyber insurance is available that starts with the premise that all major technological risks should be covered. These types of policies offer broad protection, including coverages not typically available in commercial cyber insurance policies. Such insurance dovetails with other insurance policies to minimise potential gaps in coverage and maximise protection. Key features include triggers that allow a security incident or technology system failure to activate coverage; a waiting period treated as a qualifier instead of a deductible; and coverage for the cost of forensic accounting services. Work with your insurance advisor to understand how risk transfer – particularly cyber insurance – can best protect your organisation from a potential cyber event.
Your organisation will be affected by a cyber event, if it hasn’t already. Companies can no longer assume that more technology will be the solution to cyber issues. As an operational risk, cyber risks must be addressed through a combination of mitigation, quantification and risk transfer. Taking steps toward building cyber resilience can ensure that when your organisation is impacted by a cyber event, it can continue to operate and weather the attack.
This information is not intended to be taken as advice regarding any individual situation or as legal, tax, or accounting advice and should not be relied upon as such. You should contact your legal and other advisors regarding specific risk issues. The information contained in this publication is based on sources we believe reliable but we make no representation or warranty as to its accuracy. All insurance coverage is subject to the terms, conditions and exclusions of the applicable individual policies. Marsh cannot provide any assurance that insurance can be obtained for any particular client or for any particular risk. Marsh makes no representations or warranties, expressed or implied, concerning the application of policy wordings or of the financial condition or solvency of insurers or reinsurers.
About the Author:
Robert Parisi is a managing director and National Cyber Product Leader in Marsh’s New York City headquarters. His current responsibilities include advising clients on issues related to intellectual property, technology, privacy, and cyber related risks as well as negotiating with the carriers on terms and conditions. Robert is also responsible for coordinating Marsh’s Global Cyber Network.
Prior to joining Marsh, Robert was the senior vice president and Chief Underwriting Officer (CUO) of eBusiness Risk Solutions at AIG. Robert joined AIG in 1998 as legal counsel for its Professional Liability group and held several executive and legal positions, including CUO for Professional Liability and Technology. While at AIG, Robert oversaw the creation and drafting of underwriting guidelines and policies for all lines of Professional Liability. Robert was also instrumental in the development of specialty reinsurance to address aggregation of risk issues inherent in cyber, privacy and technology insurance. In addition to working with AIG, Robert has also been in private practice, principally as legal counsel to various Lloyds of London syndicates.