Published in The One Brief; date unknown
It’s no longer a case of if, but when your organization will be hit by cyber crime. Company leaders are gradually accepting the idea that cyber attacks are rapidly becoming a regular part of doing business.
The line between physical and digital risk is becoming more and more blurred. Business leaders ranked cyber a top threat in Aon’s 2017 Global Risk Management Survey, yet teams are having trouble translating that sentiment into action: fallout from cyber attacks remains dramatically under-insured compared with more traditional, physical risks.
For increasingly global operations, fallout from a cyber breach can be far-reaching: “When you have a global organization that has integrated global networks, the impact of a sophisticated cyber attack can be like having a hurricane at all of your locations around the world at once,” says Stephanie Snyder, U.S. Sales Leader, Aon Professional Risk Solutions. “This can result in a significant financial statement impact to the organization. Getting to grips with the reality of cyber risk – and making sure the right insurance cover is in place – will be crucial for business leaders to properly prepare for the growing threat.”
At the end of last year, a cyber attack once considered unthinkable was launched. Hackers, possibly working for a nation-state, broke into an important infrastructure project. Few details have been revealed, but the worrying part is that this will not be the last time we hear about such an attack. Indeed, Aon and Stroz Friedberg list the collision between the physical and digital worlds as one of the key emerging trends in their 2018 Cyber Security Predictions Report.
One of the first publicly documented cyber attacks on a physical asset was the Stuxnet worm, discovered in 2010, which sabotaged the centrifuges of Iran’s uranium-enrichment program. Attacks with physical consequences have since become more common, even when control systems are not the direct target. Last year saw the WannaCry ransomware attack, which caused severe disruption to the UK’s National Health Service (NHS) as hospitals cancelled appointments and diverted patients, and the NotPetya attack (ransomware in appearance, though its victims’ files could not in practice be recovered), which disrupted operations at numerous commercial organizations in various industries around the globe.
In cyber security terms, these incidents expose how thin the “air gap” often is. The term refers to the deliberate separation between operational technology or industrial control systems running plants and infrastructure, such as power networks, manufacturing equipment or logistics fleets, and the connected world of IT systems and the Internet. Stuxnet crossed a genuine air gap, carried in on removable media; WannaCry and NotPetya needed no such step, because the IT networks they spread through were already connected to the systems that kept the business running.
As more and more services become digitized, this air gap is increasingly being bridged. This means that cyber risk is no longer just a threat to an organization’s intangible assets – like customer records and payment information – but to its entire operational infrastructure. Snyder emphasizes the growing threat: “Cyber risk has become an enterprise risk – the C-suite, risk managers and insurers need to adjust accordingly.”
Under-Protecting Information & Data Assets
The damage cyber crime does to data assets is more expensive than the damage it does to property, plant and equipment (PP&E). Nonetheless, Aon and Ponemon’s 2017 Global Cyber Risk Transfer Comparison Report found that organizations routinely underinsure data assets: just 15 percent of total potential cyber losses were insured, compared with 59 percent of potential PP&E losses.
“We’re seeing a mismatch between value and protection. Organizations value data assets far more than they value tangible assets, yet they insure tangible assets far more than they insure data assets,” says Snyder.
The Risk Of Disruption
A cyber attack does not need to sabotage equipment or other assets physically to have an impact on the physical world. Because so many physical systems have a digital backbone, an attack on IT networks alone can cause substantial damage through business interruption.
Snyder also points out that some of the biggest targets of cyber attacks are precisely those who have most to lose from IT disruption. “Many of these ransomware attacks are targeted towards organizations that are incredibly dependent on their technology, like health care organizations,” she says. “For less sophisticated organizations, it may be faster or easier for that organization to get back on its feet by paying the ransom than by systematically working through the malware, especially if they do not have the ability to access backup data.”
Why Aren’t Businesses Closing Their Coverage Gaps?
Cyber risks are big, and they’re only likely to get bigger. If businesses are going to properly prepare for the threats of the future, leaders first need to identify the weak points in their organizations’ defenses, and what can be done to fix them. Some key points of difficulty include:
- Lack of awareness of the risk: Some people are simply unaware of the risks posed. The Ponemon report states that 20 percent of respondents have no awareness of the economic and legal consequences of an international data breach or security exploit. “There’s a lot of misinformation that still exists, in that people associate the need to buy cyber insurance only if they have sensitive data such as credit card, health, or personally identifiable information. That is not the case,” says Snyder. Furthermore, the potential impacts of cyber breaches are likely to broaden as the international regulatory landscape tightens, with legislation like the EU’s General Data Protection Regulation (GDPR), a trend also featured in Aon and Stroz Friedberg’s predictions report. “Broadly speaking, every company depends on technology, and this reliance will only increase,” says Snyder. “If there is a breach or technology outage, cyber insurance can respond to the business interruption and help protect the organization from the associated financial statement impact.”
- Evolving risk landscape: The idea that a cyber attack could take over physical infrastructure would have been considered science fiction a decade ago. Now it is a growing threat to everything from power grids to hospitals, and even our homes. If business leaders don’t stay on top of emerging threats, their response will inevitably be partial and inadequate. Assessing and quantifying risk is essential. “Organizations should consider doing a cyber risk quantification study,” says Snyder. “What is the potential financial impact if their network goes down for six, eight, 24, 48, or 72 hours? That’s a real risk to them, and they need to get a clear understanding of what risk they are keeping on their balance sheet and what they are transferring using insurance.”
- Lack of awareness of insurance policy details and risk-transfer options: One reason data assets are underinsured compared with physical assets is that, in the past, some of these losses were covered under traditional property and casualty policies, such as property or kidnap, ransom and extortion cover. However, says Snyder, “now that carriers are seeing losses, they’re taking a second look at the cyber coverage extensions and reducing limits, or excluding cyber losses from the property policy, for example.” Organizations must understand what, if any, cyber coverage exists in their traditional property and casualty policies, and work with their brokers to craft manuscript cyber insurance coverage. For their part, insurers and brokers have begun to recognize the opportunity to create new products that can bridge the cyber-physical gap: 36 percent of companies said that one of the main reasons they had not purchased cyber coverage was that existing policies were inadequate for their exposure.
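The quantification study Snyder describes can be sketched in a few dozen lines. What follows is an added example, not Aon’s or Ponemon’s methodology and not any real policy’s terms: it prices the outage durations named above (six, eight, 24, 48 and 72 hours) against a constructed business profile and a simplified cyber business-interruption cover with a waiting period, a retention and a limit, then applies a constructed incident frequency and outage-duration distribution to show how much expected annual loss stays on the balance sheet and how much transfers to the insurer. All figures, class names and function names are assumptions for illustration.

```python
"""Cyber risk quantification sketch for the outage scenarios in the text.

Added example for this article, not Aon's or Ponemon's model. Every figure
(hourly revenue, margin, recovery cost, policy terms, outage frequencies) is a
constructed assumption; a real study would substitute the organization's own
financials and the wording of its actual policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessProfile:
    revenue_per_hour: float     # revenue that stops when the network is down
    margin: float               # fraction of that revenue that is lost profit
    fixed_cost_per_hour: float  # payroll etc. that keep accruing during the outage
    recovery_cost: float        # one-off forensics, restoration, overtime


@dataclass(frozen=True)
class BusinessInterruptionCover:
    waiting_period_hours: float  # downtime before cover attaches (common in cyber BI wordings)
    retention: float             # deductible the insured pays first
    limit: float                 # maximum the insurer pays per event


def hourly_loss(p: BusinessProfile) -> float:
    """Financial-statement impact of one hour of downtime."""
    return p.revenue_per_hour * p.margin + p.fixed_cost_per_hour


def gross_loss(p: BusinessProfile, hours: float) -> float:
    """Total impact of an outage lasting `hours`, before any insurance."""
    return hours * hourly_loss(p) + p.recovery_cost


def split_loss(p: BusinessProfile, cover: BusinessInterruptionCover, hours: float):
    """Return (gross, insured, retained) for one outage.

    Only downtime beyond the waiting period counts toward covered loss; the
    retention is then subtracted and the result capped at the limit. Whatever
    the policy does not pay stays on the balance sheet.
    """
    gross = gross_loss(p, hours)
    covered_hours = max(0.0, hours - cover.waiting_period_hours)
    covered = covered_hours * hourly_loss(p) + p.recovery_cost
    insured = min(cover.limit, max(0.0, covered - cover.retention))
    return gross, insured, gross - insured


def scenario_table(p, cover, durations=(6, 8, 24, 48, 72)):
    """The 'what if the network is down for N hours' table from the text."""
    return {h: split_loss(p, cover, h) for h in durations}


def annual_expected(p, cover, events_per_year: float, duration_probs: dict):
    """Frequency x severity: expected annual gross, insured and retained loss
    for a discrete distribution over outage durations (probabilities sum to 1)."""
    total = sum(duration_probs.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"duration probabilities sum to {total}, not 1")
    gross = insured = retained = 0.0
    for hours, prob in duration_probs.items():
        g, i, r = split_loss(p, cover, hours)
        gross += prob * g
        insured += prob * i
        retained += prob * r
    return {"gross": events_per_year * gross,
            "insured": events_per_year * insured,
            "retained": events_per_year * retained}


# Constructed sample organization and policy (assumptions, not real figures).
SAMPLE_PROFILE = BusinessProfile(revenue_per_hour=50_000, margin=0.25,
                                 fixed_cost_per_hour=10_000, recovery_cost=200_000)
SAMPLE_COVER = BusinessInterruptionCover(waiting_period_hours=12,
                                         retention=250_000, limit=1_000_000)
# Constructed frequency/severity view: half an outage-causing incident per year,
# most of them short.
SAMPLE_FREQUENCY = 0.5
SAMPLE_DURATION_PROBS = {6: 0.40, 8: 0.25, 24: 0.20, 48: 0.10, 72: 0.05}

if __name__ == "__main__":
    print(f"{'hours':>5} {'gross':>12} {'insured':>12} {'retained':>12}")
    for h, (g, i, r) in scenario_table(SAMPLE_PROFILE, SAMPLE_COVER).items():
        print(f"{h:>5} {g:>12,.0f} {i:>12,.0f} {r:>12,.0f}")
    print(annual_expected(SAMPLE_PROFILE, SAMPLE_COVER,
                          SAMPLE_FREQUENCY, SAMPLE_DURATION_PROBS))
```

Two things the table makes visible that the question alone does not. Below the waiting period the policy pays nothing, so the six- and eight-hour outages are wholly retained however large the limit is. Between the waiting period and the limit, the retained amount plateaus at the waiting-period loss plus the retention (520,000 in the constructed figures), and once the limit is exhausted, as in the 72-hour case, every further hour of downtime lands back on the balance sheet. Those three numbers, waiting period, retention and limit, are what the quantification study gives the risk manager to negotiate against.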
Fully Addressing Cyber Risks Will Require New Thinking
If 2017 had an overriding lesson for businesses, it was that cyber attacks are only going to get more disruptive. From health care providers to manufacturing companies, high-profile breaches hit various parts of an organization, with direct impact on the bottom line.
Now, the challenge for business leaders is to evaluate what cyber threats mean from an enterprise risk management perspective, and to make sure they have the right teams, procedures and policies in place.
Not only is cyber changing the way organizations are viewing risk, but it is also forcing various stakeholders to rethink how they approach protecting their assets. Snyder explains: “Cyber is a great example of the changing landscape of insurance. Where risk managers would purchase one type of insurance to protect one type of loss, they’re now seeing that cyber risks – both the impact and the potential for losses across the business – are something that need to be contemplated on a stand-alone and bespoke basis.” And with the risk predicted to only increase, looking at how to manage cyber – across an organization – becomes only more important.