Why cyber business interruption is a bigger threat than GDPR
March 2019 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
March 2019 Issue
Businesses and the cyber insurance market on either side of the Atlantic have developed a sophisticated understanding of, and response mechanism to, data breaches. The same cannot be said about cyber business interruption, which poses a potentially catastrophic risk on a global scale.
Historically, the cyber insurance market in the US and Europe has been driven by different factors. In the US, data protection laws in California created a demand for corporates to insure themselves against third-party liability risks, while in Europe, prior to the General Data Protection Regulation (GDPR), business interruption was the main driver for corporates buying this cover.
These factors have now started to converge. Buyers in the US have come to realise that the business interruption caused by a cyber event, particularly a system outage, can cause significant financial losses. The build up to, and introduction of, the GDPR has increased the level of awareness at board level in Europe of data breach risks.
Despite this increased awareness, breach events still occur. The Marriott International hotels breach of 2018 was one of the biggest of all time, affecting up to 500 million records. However, within a couple of weeks of the incident, mainstream press coverage had all but dried up. This is rather different to the cyber attack on telecoms company Talk Talk in October 2015, when press coverage continued for several months after the event.
This reduced media interest probably results from two factors. First, society appears to be increasingly immune to the consequences of a breach event, accepting it almost as part of 21st century life. Second, the knowledge developed by insurers and other service providers in how to respond to this type of event has developed exponentially. Consequently, the financial losses that result from these types of events are now better understood.
However, can we say the same about cyber business interruption?
The 2017 attack using the ‘NotPetya’ malware caused a number of high-profile losses. Reviews of publicly available information for FedEx, Maersk, Merck, Mondelez and Reckitt Benckiser indicate that these companies have suffered financial losses in excess of $1.5bn, albeit it is unclear how much of this is covered by insurance.
These losses represent the cost of restoring each company’s network to an operating state, the loss of profit from the business being unable to trade until network operations were restored and increased costs associated with accelerating the process of returning to business-as-usual. Given that there was no data breach in this event (all data being encrypted without there being an actual workable key), all of these losses can therefore be considered as business interruption.
To put these losses into context, in 2017, the global cyber insurance market generated a total premium of approximately $3bn. If these losses had been insured, add in losses from NotPetya that were insured, the costs of the 2017 WannaCry ransomware attack, losses paid out for data breaches and other attritional losses, it is likely that the cyber market would have generated its first annual total loss.
Many cyber underwriters will have been grateful that the market is “frustratingly immature”, as described by the former chief executive of Lloyd’s of London, Inga Beale, in February 2018. Ms Beale also noted that while most businesses have property insurance, only 20 to 35 percent have specific cyber insurance in the US and Europe. This is a shocking statistic, considering the dependency that every business now has on IT.
Back in the 1990s, paper-based manual processes were still widely used. Fast forward 20-plus years and business has become leaner. The pressure on maintaining profits has seen many companies invest significantly in IT and system-based automation to reduce headcount. The downside to this, however, has been the inability of companies to fall back on paper-based solutions when computer systems fail, thereby increasing the pressure on IT teams to maintain operations.
As we can see, every business faces some form of cyber risk. However, to properly understand this, it is critical to recognise how most corporates have developed their IT networks and been left vulnerable when they outgrow their systems.
IT investment projects are subject to their own risk, as demonstrated by TSB’s public issues following its system implementation in April 2018. Company directors are therefore faced with a ‘stick or twist’ decision – do they stay with a system that they know works, albeit sub-optimally, or do they risk the disruption of an upgrade project that may not work as expected?
Furthermore, given the finite resources available for investment, company boards have the unenviable dilemma of choosing between a project that ultimately improves profitability or IT that improves infrastructure, security and reduces business continuity risk.
The issue with the latter is twofold. Firstly, how does a business quantify the financial consequences of an interruption event crystallising, particularly if the probability of this event is unclear or not known? Secondly, given that the average tenure of a Fortune 1000 CFO is less than three years, are they thinking of the long-term benefits of investing in IT infrastructure or boosting short-term profitability for shareholder gain and thereby enhancing their own longer-term career prospects?
Company mergers also raise separate issues. Should management merge the combined business onto a common IT platform to generate the desired synergies, and run the project risk highlighted above, or should they leave it as it is, developing bespoke code to get the IT platforms of the two different businesses to communicate with each other? While the latter may reduce the project risk, tailor-made code creates the potential for downtime if system patches require the code to be rewritten.
To understand the cyber risk, companies must therefore accept that every IT network is the result of compromise and there is an element of Frankenstein’s monster in the way in which they are assembled.
So, how can the understanding of risk be improved? Fundamentally, an IT network is made up of two things: the network infrastructure itself and the data that flows around the business using this infrastructure. A business interruption loss occurs when this data flow ceases. By developing a complete understanding of these flows, companies can identify the financial consequences of an interruption and develop appropriate workarounds should an interruption occur.
In addition to understanding the data flows, it is critical to understand the infrastructure itself. Bottlenecks or points of failure are likely to exist within the network, increasing the financial risk if a system failure event occurs on that part of the network. Again, by properly mapping the infrastructure and performing a risk assessment exercise, the financial consequences of an event can be assessed and workarounds developed.
Recognising that companies need to perform this type of analysis so that appropriate insurance is purchased is one thing, making sure it happens is another. The cyber market as a whole is suffering from a shortage of talent, so there is not enough expertise available to properly perform thorough risk assessments.
Furthermore, Aon reported that the loss ratio in 2017 for the US cyber market was 61.4 percent, or, put another way, underwriting profits were 38.6 percent. This much profit will inevitably lead to new entrants to the cyber insurance market, which, in turn, will lead to increased competition and lower rates. The effect of this will be to reduce the amount of premium for each risk that could be used to fund this type of risk analysis exercise.
So, what will come first – market equilibrium through natural competition or a shock that causes significant financial losses? Given that the property insurance market has traditionally relied on disaster events to cause realignment in pricing, it is reasonable to expect the same for the cyber market.
And this is where the threat to the cyber market sits – a NotPetya-esque event that causes significant losses on a global scale, before the market is ready for it in terms of premium and expertise. This threat is not limited to insurers only. While some companies have large cyber insurance towers, it is unclear if these will be big enough should the corporate be unlucky enough for its entire global business to be impacted, particularly if a thorough cyber business interruption risk analysis has not been performed.
Despite the EU’s best efforts, the GDPR does not extend beyond EU citizens, irrespective of where they are in the world. On that basis, there will be some companies that do not have a GDPR risk.
However, today, every business has an IT failure risk and an exposure to the cataclysmic impact that an enterprise-wide event can have. Given the truly global nature of this IT risk and the resulting threat to the cyber insurance market, cyber business interruption will always be a bigger risk for insurers than GDPR.
Ben Hobby is a partner at BTVK Advisory LLP. He can be contacted on +44 (0)20 7065 7925 or by email: firstname.lastname@example.org.
© Financier Worldwide
BTVK Advisory LLP