Cyber Risk a core business concern according to 2019 Allianz Risk Barometer
By Emy Donavan, Global Head – Cyber, Tech and Media PI at Allianz Global Corporate & Specialty
In the wake of mega data breaches and privacy scandals, major IT outages and the introduction of tighter data protection rules in the European Union and other countries, cyber risk is now a core business concern in 2019 and beyond, according to the Allianz Risk Barometer 2019. This annual survey of global business risks from Allianz Global Corporate & Specialty (AGCS) incorporates the views of a record 2,415 experts from 86 countries, including CEOs, risk managers, brokers, and insurance experts.
For the first time, cyber incidents are neck-and-neck with business interruption (BI) at the top of the Allianz Risk Barometer, with the two risks increasingly interlinked, reflecting the magnitude of the threat now posed by a growing dependence on technology and the malicious actions of nation states and criminals.
Incidents such as cybercrime, privacy breaches and BI (including interruption caused by ransomware and distributed denial of service (DDoS) attacks) can trigger extensive losses. Cybercrime generates the headlines, but often it is more mundane technical failures, IT glitches or human error that cause system outages or data losses for the business. The fall-out can be costly.
According to AGCS analysis of insurance industry claims over the past five years, the average insured loss from a cyber incident is now in excess of €2mn ($2.3mn), compared with almost €1.5mn for the average fire/explosion claim, with losses from the largest events running to hundreds of millions or higher.
Increasing concern about cyber incidents follows a watershed year. In the wake of the highly disruptive global WannaCry and NotPetya malware attacks, 2018 witnessed a stream of major IT outages, mega data breaches and privacy scandals, as well as landmark data protection rules in the EU’s General Data Protection Regulation (GDPR).
Mega Data Breaches and Attacks Soar
As organizations hold more and more personal data, breaches are increasing in size and cost. Recent mega data breaches include Equifax (143 million individuals), Facebook (50 million) and Uber (57 million). Meanwhile, the data breach which impacted around 380 million customers of Marriott hotels at the end of 2018 is one of the largest on record.
The number of cyber-attacks worldwide doubled in 2017 to 160,000, although endemic underreporting means the true figure could be as high as 350,000, according to the Online Trust Alliance. At the same time, the average cost of a cyber-attack has increased 62% over the past five years, according to Ponemon Institute and Accenture. A typical data breach now costs a company $4mn, according to Ponemon, but very large breaches can cost hundreds of millions – the cost of the Marriott breach is estimated between $200mn and $600mn by AIR Worldwide.
Rising Regulation and Litigation
An important factor driving the cost of data breaches is regulation and litigation. In May 2018, the GDPR entered into force, introducing greater privacy rights for consumers and greater enforcement powers for regulators, backed by the threat of large fines. Other jurisdictions, ranging from California to Brazil to India, have since announced plans to introduce tougher privacy laws inspired by the GDPR. Canada and Australia have also established mandatory breach notification regimes, in line with the GDPR and similar requirements in the US.
Cyber incidents are also increasingly likely to spark litigation, including securities and consumer class actions. Data breaches, IT outages and cyber security incidents can generate large third-party liabilities, as data subjects, shareholders and supply chain partners seek to recoup losses from companies and in some cases their directors.
Already a feature of US data breaches, class actions have spread to Europe, giving consumers the right to claim non-financial damages, such as for distress. A number of recent data breaches, including that of British Airways, one of the first significant breaches under the GDPR, have triggered class actions in the UK while a landmark case against Morrison’s has seen the retailer held vicariously liable for a breach in the UK’s first successful data breach class action.
Cybercrime has become pervasive as criminals use more innovative methods to steal data, commit fraud or extort money. Worldwide, cybercrime costs an estimated $600bn a year, according to the Center for Strategic and International Studies (CSIS), up from $445bn in 2014. This compares with a 10-year average economic loss from natural catastrophes of around $208bn, meaning cybercrime costs roughly three times as much.
However, the past year has also witnessed a growing threat from nation states, which increasingly use technology to play out rivalries and conflicts, with implications for businesses. Nation states and affiliated hacker groups have targeted universities and public sector agencies, looking to steal valuable data and trade secrets, as well as the networks and industrial control systems (ICS) of critical infrastructure companies. NotPetya was attributed to Russian-backed hackers targeting Ukraine, while energy companies in the Middle East have been hit with destructive malware attacks.
IoT and New Tech
Advancements in technology are also generating new cyber threats and vulnerabilities. Organizations are concerned about the effect of increasing interconnectivity and developments such as automation and artificial intelligence.
Vulnerability is also growing with the increase in connected devices, as the Internet of Things (IoT), Industry 4.0 and the digitalization of supply chains create new attack fronts for criminals and nation states to exploit.
According to cybersecurity firm Kaspersky, over three-quarters of the companies it surveyed expect to become the target of a cybersecurity attack in the ICS space. However, only 23% are compliant with minimum cybersecurity guidance or regulations for ICS. In 2016, a DDoS attack against internet company Dyn used a botnet of compromised IoT devices, while December 2018 saw hackers take control of 50,000 connected printers around the world to print posters supporting vlogger PewDiePie.
“Silent Cyber” Becomes Noisier
The WannaCry and NotPetya malware attacks highlight the growing risk of BI and even physical damage from malware and other cyber incidents. They have also accelerated discussions around cyber insurance and in particular the need for affirmative cover.
The NotPetya attack is expected to generate around $3bn in losses for insurers, according to Property Claims Services. However, some 90% of this total can be attributed to so-called “silent cyber” exposure, with only 10% covered by affirmative cyber cover. Non-affirmative cover refers to cover for cyber incidents that may exist in traditional property/casualty (P&C) policies even though the underwriter never intended to provide it.
“Silent” or non-affirmative cyber exposures lead to inadequate protection for businesses and a lack of certainty and transparency for all parties involved. As part of a group-wide project, Allianz has reviewed cyber risks in its P&C policies in the commercial, corporate and specialty insurance segments and developed a new underwriting strategy to address “silent cyber” exposures.
It is clear from these findings that every company needs to adopt an IT security posture appropriate to its size, operations and risk profile, and to invest in technological security solutions, proper backup mechanisms and staff training. Companies need to think of all of their employees as members of the cybersecurity team and provide them with proper training and empowerment, transforming them from the ‘weakest link’ into the ‘first line of defense’.
About the Author
Emy Donavan is currently serving as Global Head and CUO of Cyber, Tech & Media PI for Allianz Global Corporate and Specialty (AGCS). In July of 2018, she was also tasked to head Allianz SE’s Cyber Center of Competence, which provides support and expertise on Cyber products for all Operating Entities of Allianz.