This post first appeared on Risk Management Magazine.
Cyberrisks are fast-evolving, posing an ever-changing threat to businesses. According to the annual Allianz Risk Barometer, which surveys more than 1,900 risk experts, cyberrisks have gone from 15th five years ago to now ranking as the second most important peril globally. But some of these risks remain underestimated, and negligence scenarios are increasing.
There are now multiple threats to a company’s digital presence. Personal information or intellectual property can be compromised through a data breach, resulting in third party liabilities such as legal or regulatory actions, as well as first-party costs responding to the breach. Businesses can incur network liability if a corrupted file is transferred to another company. Then there are newer perils, such as the threat of cyber extortion, and particularly business interruption (BI), caused by a targeted attack against a company’s computer system.
The recent rise in distributed denial of service (DDoS) and ransomware attacks—so-called “cyber hurricane” events, where attackers disrupt a large number of companies at once by targeting internet infrastructure they all depend on—means BI is now the leading cause of economic loss for firms after a cyber event. As the recent WannaCry ($8 billion) and NotPetya ($3 billion) incidents demonstrate, such events can inflict significant financial and reputational damage.
Growing anxiety about the threat to data and IT security coincides with the introduction of more robust privacy rules around the world, such as the General Data Protection Regulation (GDPR) and the Network and Information Security Directive (NIS) in the European Union, and reform of data protection in many U.S. states. Global companies are now exposed to tougher potential liabilities and fines in the event of non-compliance.
Target, Home Depot, Yahoo, Sony, JP Morgan Chase, Equifax and Uber are just some of the global companies that have made headlines for big data breaches. Companies suffering data breaches can experience large losses, BI, reputational damage and even class action lawsuits from customers whose data and privacy are compromised. Equifax’s 2017 breach affected 140 million people in the U.S. alone, led to the CEO’s resignation and was predicted to cost the company $439 million by the end of 2018, making it one of the most costly ever.
Research shows costs associated with breaches are rising. Last year, the average cost of a data breach globally increased by more than 6% to $3.86 million. Meanwhile, the average cost for each lost or stolen record also increased by almost 5% to $148, according to the Ponemon Institute’s 2018 Cost of a Data Breach Study. Another study by the institute shows that although close to half (48%) of cyber incidents involve malicious or criminal activity, even more (52%) involve human factors, such as negligent employees, or IT and business process failures, demonstrating that companies face exposures from all areas, not only from outside attackers.
The potential fall-out from such incidents is exacerbated by the introduction of tougher data rules around the globe. The NIS Directive requires “essential services” providers like ports and transport services to show they have taken sufficient measures to manage cybersecurity and to report incidents, or potentially face substantial penalties. Similarly, under GDPR, steep fines of up to 4% of a company’s global annual turnover (or €20 million, whichever is higher) can be imposed for data protection breaches.
The introduction of new notification requirements and new rights for consumers could also increase third-party liability risk and the threat of litigation. GDPR gives individuals the right to object to processing of their data and to have it erased, requiring businesses to find new ways to isolate data and strengthen IT security. During the first half of 2018 alone, its introduction also spurred 11 U.S. states to expand their data breach notification rules to mirror some of the protections GDPR provides.
It is not just companies that could be on the hook in the event of a cyber incident. In future, it may be possible to claim substantial damages from their directors for negligence, whether a failure to protect data or a lack of controls. There is a wide range of scenarios in which a director could potentially be considered negligent, such as a fund transfer fraud, or a case where a vulnerable network is compromised, leading to significant BI, property damage or loss of intellectual property.
Looking further ahead, new threats will create new loss and liability scenarios. Wider adoption of artificial intelligence technology could be accompanied by a greater number of more sophisticated cyberattacks. The vulnerability of connected systems and machines to system failure or hacking will also increase. Cryptocurrencies and blockchain systems could also be compromised.
RISK MANAGEMENT AND INSURANCE IMPACT
While it is impossible to prevent data and IT security events completely, their impact can be lessened. To address data privacy concerns, businesses should ensure they review data protection and classification practices, implement security automation tools that can highlight vulnerabilities before they are exploited, deliver timely software updates and patches, and maintain secure, regularly tested back-ups of data and servers so that restoration actually works when it is needed.
If sensitive data is compromised, the business needs to respond at all levels: board, IT, communications, compliance and investor relations. According to reputation analysis and research institute MediaTenor, 75% of all companies that suffer a cyberattack also incur reputational damage or loss. The way an organization manages a breach has a direct impact on the cost, and this will only increase as the regulatory environment toughens.
Cyber insurance is not just about protecting against financial losses such as BI and restoration costs; it is also a key part of any mitigation strategy. When a business suffers a cyber incident, a strong policy can offer immediate access to specialist counsel, network forensics services and crisis management consultants to help mitigate the impact in real time and in accordance with the applicable regulations.