A guide to cyber risk

Increasing interconnectivity, globalization and "commercialization" of cyber crime are driving greater frequency and severity of cyber incidents, including data breaches.

Data privacy and protection is one of the key cyber risks and related legislation will toughen globally. More notifications of, and significant fines for, data breaches can be expected in future. Legislation has already become much tougher in the US, Hong Kong, Singapore and Australia, while the European Union is looking to agree pan-European data protection rules. Tougher guidelines on a country-by-country basis can be expected.

Attacks by hackers dominate the headlines but there are many “gateways” through which a business can be impacted by cyber risk. Impact of business interruption triggered by technical failure is frequently underestimated compared with cyber-attacks.

Vulnerability of industrial control systems (ICS) to attack poses a significant threat. To date there have been accounts of centrifuges and power plants being manipulated. However, the damage could be much higher from security sensitive facilities such as nuclear power plants, laboratories, water suppliers or large hospitals.

Cyber risk is the risk most underestimated by businesses according to the Allianz Risk Barometer but there is no “silver bullet” solution for cyber security. Businesses need to identify key assets at risk and weaknesses such as the “human factor” or overreliance on third parties. Employees can cause large IT security or loss of privacy events, either inadvertently or deliberately.

Businesses need to create a cyber security culture and a “think-tank” approach to tackling risk. Different stakeholders from the business need to share knowledge. Implement a crisis or breach response plan. Test it.

Cyber risk is constantly evolving. “Hidden risks” can emerge. For example, businesses should consider how merger and acquisition (M&A) activity and changes in corporate structures will impact cyber security and holding of third party data in particular. Companies need to make decisions around which risks to avoid, accept, control or transfer.

The cyber insurance market is currently estimated to be worth around $2bn in premium worldwide, with US business accounting for approximately 90%. Fewer than 10% of companies are thought to purchase cyber insurance today. However, the cyber insurance market is expected to grow by double-digit figures year-on-year and could reach $20bn+ in the next 10 years.

Growth in the US is already underway, driven by data protection regulation. Legislative developments and increasing levels of liability will help growth accelerate elsewhere, as will a growing number of small- to medium-sized enterprises (SME) seeking cover.

Sectors holding large volumes of personal data, such as healthcare and retail, or those relying on digitalized technology processes such as manufacturing and telecommunications, are most likely to buy cyber insurance at present. However, there is growing interest among financial institutions and the energy, utilities, and transport sectors, driven by the increasing perils posed by interconnectivity.

Data protection and liability risks dominate the cyber landscape today. Impact of BI from a cyber incident and further development of interconnected technology will be of increasing concern to businesses over the next decade and will spur insurance growth.

Businesses are also exposed to cyber risk through supply chains and, increasingly, will need to consider the impact of an incident in this area such as the liability they could face if they cannot deliver their products or lose customer data, as well as the costs to resolve such issues. Companies will increasingly look to extend protection to their supply chains.

“The Internet of Things” will have an increasing influence on the world in which we live and businesses operate. Estimates suggest as many as a trillion devices could be connected by 2020. New technologies create new vulnerabilities. Cyber criminals could exploit this increase in interconnectivity.

As technology evolves, older devices that remain in use could also create vulnerabilities, especially where they rely on outdated operating systems and unsupported software. The use of outsourced services and storage – such as the cloud – brings risks as well as benefits. One issuea at a cloud provider could result in large business interruption and data breach losses for many.

The prospect of a catastrophic cyber loss is becoming more likely. An attack or incident resulting in a huge data loss or business interruption - and the subsequent reputational damage - could put a large corporation out of business in future.

A successful attack on the core infrastructure of the internet; for example main protocols such as Border Gateway Protocol (BGP) or Domain Name System (DNS), could be devastating¹. Interest in protecting critical infrastructure is likely to see governments becoming increasingly involved in cyber security, resulting in greater levels of scrutiny and liability.