Cyber rises up risk ranking for sixth year in a row, but the threat is still underappreciated, says Brian Kirwan of Allianz Global Corporate & Specialty
Just like a natural disaster, a single cyber-attack can potentially impact hundreds of companies, leading to severe business interruption and loss of customers and reputation. It is no wonder that cyber incidents continue a six-year climb up the Allianz Risk Barometer 2018.
Allianz's seventh-ever Risk Barometer - an annual survey of global businesses, brokers, underwriters and risk consultants - revealed that cyber is now the top risk in 11 countries, including the UK, Australia, Austria, Belgium, Brazil, India, Indonesia, Netherlands, Singapore, South Africa and the USA. On a sector basis, it was named the biggest risk in entertainment & media, financial services, professional services, technology and telecommunications.
Cyber threat is still misunderstood
Every company has been, or will be, impacted by cyber risk. Far from being over-hyped, the threat is underappreciated and not always well understood. Recent events such as the WannaCry and Petya ransomware attacks brought significant financial losses to a large number of businesses.
Others, such as the Mirai botnet in 2016, the largest-ever distributed denial of service (DDoS) attack on major internet platforms and services in Europe and North America, demonstrate the interconnectedness of risks and shared reliance on common internet infrastructure and service providers.
On an individual level, recently identified security flaws in computer chips in nearly every modern device reveal the cyber vulnerability of modern societies. The potential for so-called "cyber hurricane" events to occur, where hackers disrupt larger numbers of companies by targeting common infrastructure dependencies, will continue to grow in 2018.
GDPR: time is running out
The introduction of the General Data Protection Regulation (GDPR) across Europe in May 2018 will intensify scrutiny further, bringing the prospect of more, and larger, fines for businesses that do not comply. Time is running out to be GDPR-ready. Firms in Europe will now also have to prepare for tougher liabilities and notification requirements. Many businesses will quickly realise that privacy issues can create hard costs once the GDPR is fully implemented.
Past experience has shown that a company's response to a cyber crisis, such as a breach, has a direct impact on the cost, as well as on a company's reputation and market value. This will become even more the case under the GDPR.
Business interruption: the leading cause of loss
But it is business interruption (BI) that is the leading cause of economic loss for firms after a cyber event. While BI can result from ransomware attacks, such as WannaCry and Petya, it is more likely to occur from system failure or human error.
This time last year Amazon suffered an outage of its cloud storage service for four hours, caused accidentally by an employee. It is thought that the S&P 500 companies that were dependent on this service lost around $150m as a result. In a scenario where a cloud outage lasts for 12 hours and impacts 50,000 companies in the healthcare, financial and retail sectors, estimated losses could be close to $1bn in the US.
Cyber insurance
Increasing interconnectivity means it is more important than ever for companies to review cyber security and resilience and consider the role of cyber insurance as part of their risk management.
As the cyber threat evolves, so does the cyber insurance proposition, beyond just covering financial loss such as BI and restoration costs. For example, if an organisation suffers a data breach it will need instant access to specialist lawyers, IT forensics and crisis management consultants to help mitigate the impact of an incident as it develops. Insurance can provide this cover.
Brian Kirwan is UK CEO of Allianz Global Corporate & Specialty (AGCS)