Businesses rely heavily on computer software and the internet when dealing with digital data and they are becoming increasingly aware of the cyber risk exposure faced by their organisations.
Over the last few years there has been increasing focus on cyber risks and associated insurance cover.
A UK Government survey carried out in 2014 estimated that 81% of large corporations and 60% of small businesses suffered a cyber-breach in 2014. Whilst over 60% of incidents reported to insurers are the result of accidents, cyber-crime is now the world’s fastest growing category of organised crime and the majority of high value losses stem from actions designed to cause harm.
1. Definition of Cyber Risk
The Institute of Risk Management defines cyber risk as,
“Any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”
Almost every organisation faces exposure to loss resulting from damage or destruction of its computers and computer networks. This can lead to business interruption, income loss, damage management and repair costs and reputational damage.
Non-malicious events such as major physical incidents, for example fires, explosions, floods and natural disasters, can have a devastating effect on a business. A good example is the recent Holborn underground fire, which caused considerable damage to services, affecting network access for hundreds of businesses and, in some cases, causing consequent supply chain disruptions.
Malicious events such as cyber-attacks are designed to cause maximum disruption by exploiting vulnerabilities within a business's IT framework. Such attacks can result in the theft of commercially sensitive information or intellectual property, the destruction or deletion of data and software, theft of funds, reputational damage and liability to third parties (such as customers and supply chain partners).
2. Potential Losses from Cyber Attacks
Potential losses deriving from cyber-attacks or non-malicious IT failures fall into the following categories:
| Loss category | Description |
| --- | --- |
| Intellectual Property (IP theft) | Loss of value of an IP asset, expressed in terms of loss of revenue as a result of reduced market share. |
| Business Interruption | Lost profits or extra expenses incurred due to the unavailability of IT systems or data as a result of cyber-attacks or other non-malicious IT failures. |
| Data and software loss | The cost to reconstitute data or software that has been deleted or corrupted. |
| Cyber extortion | The cost of expert handling for an extortion incident, combined with the amount of the ransom payment. |
| Cyber-crime/cyber fraud | The direct financial loss suffered by an organisation arising from the use of computers to commit fraud or theft of money, securities, or other property. |
| Breach of privacy event | The cost to investigate and respond to a breach event, including IT forensics and notifying affected data subjects. Third party liability claims arising from the same incident. Fines from regulators and industry associations. |
| Network failure liabilities | Third party liabilities arising from certain security events occurring within the organisation’s IT network or passing through it in order to attack a third party. |
| Impact on Reputation | Loss of revenues arising from an increase in customer attrition or reduced transaction volumes, which can be directly attributed to the publication of a defined security breach event. |
| Physical asset damage | First party loss due to the destruction of physical property resulting from cyber-attacks. |
| Death and bodily injury | Third party liability for death and bodily injuries resulting from cyber-attacks. |
| Incident investigations and response costs | Direct costs incurred to investigate and ‘close’ the incident and minimise post-incident losses. |
3. Risk Profile
For larger organisations, intellectual property theft is considered to be the risk with the most severe impact, and quantifying it can be challenging because IP assets and the loss suffered by an organisation are difficult to value. However, key risks also include the unauthorised disclosure of personal data, system outage events and consequent reputational damage. In fact, it is estimated that reputational damage accounts for 5% – 20% of the cost of a cyber-security breach for large businesses.
Whilst physical losses are a less publicised element of cyber breaches, they are a growing concern and can include damage to plant and machinery and system malfunctions. In Germany in 2014, a spear phishing scam allowed hackers to access a steel mill’s system, preventing a blast furnace from shutting down in the appropriate manner and causing massive damage to the mill.
4. Risk Mitigation
In June 2014 the UK Government announced the launch of the Cyber Essentials Scheme. It has been designed to fulfil two functions:
The Cyber Essentials scheme concentrates on five key controls. These are:
In addition to implementing those basic cyber security controls, an organisation may undergo certification, and it is expected that insurers, investors and auditors will start to take certification into account when assessing an organisation’s risk profile.
5. Cyber Insurance
Earlier this year the Association of British Insurers suggested that cyber insurance should become as common a purchase for UK businesses as property insurance within the next decade.
The ABI note that there are five key reasons why cyber policies are a business essential and these are:
MRIB has been working with our clients, guiding them through the product options. As with all new products, the perception is that the cost can be prohibitive, but it is not.
Less than 10% of UK companies have cyber insurance protection even though 52% of CEOs believe that their companies have some form of coverage in place.
For further information on this issue please contact: MRIB
Tel: 01494 455 666