Allianz’s yearly survey of nearly 2,000 risk experts from 80 countries highlights business interruption and cyber incidents as the top two major threats for companies through 2018 and beyond. Forty-two percent of responses identified business interruption (BI) as the most important global risk because it can substantially impact revenues. So it is no surprise that BI has been highlighted as the most important risk for six years in a row. New for 2018, however, is that cyber incidents are the most feared BI trigger in the new year.
In addition to cyber incidents’ potential to trigger BI, risk experts identified cyber incidents generally as the second most important risk of 2018 (42 percent of responses). In particular, risk experts highlighted attacks on common internet infrastructure (with the potential to harm multiple companies at once) as an increasing risk. These large‑scale attacks, such as the October 2016 Mirai botnet attack on Dyn that brought down Twitter, SoundCloud, Spotify, Reddit and a host of other sites for hours, can substantially disrupt online operations and be used to extort multiple companies.
The Allianz report highlights what most policyholders already know: Cyber risk, whether in the form of business interruption, data‑breach liability, extortion, or otherwise, continues to expand at an almost breathtaking pace.
Every organization should survey the threat landscape to measure cyber exposure in six key risk areas:
- Business email compromise (BEC) scams
- Distributed denial of service (DDoS)
- Data breach
- Theft of intellectual property
- Destruction or damage to computer systems
Surveying the cyber risk landscape is only the first step. For most organizations, the next step — cyber risk mitigation — includes purchasing cyber insurance. Due to the evolving nature of cyber insurance, and insurers’ differing tolerances for undertaking cyber risk, organizations must carefully assess proposed cyber insurance policies. Coverage grants vary and can include coverage for computer fraud and theft, cyber business interruption, cyber remediation, liability (including defense costs) resulting from a cyber event, regulatory costs, and PCI penalties.
- Computer fraud and theft coverage pays for losses sustained as a result of unauthorized access to electronic systems or data.
- Cyber business interruption coverage pays for losses resulting from a cyber event that prevents normal business operations, such as a DDoS attack that restricts web traffic or a ransomware event that shuts down servers, in either case preventing potential customers from reaching the affected services.
- Remediation coverage pays for response costs following a cyber event (investigation, public relations, customer notification, and credit monitoring).
- Liability coverage pays defense and indemnity costs resulting from network security events (unauthorized access to systems causing injury to third parties), privacy events (exposure of confidential information), and media liability (advertising injury and copyright or trademark infringement).
- Regulatory coverage pays defense and investigation costs for regulatory investigations and claims resulting from cyber events (or failure to properly handle a cyber event).
- PCI coverage pays for liability to credit card issuers arising out of unauthorized disclosure of credit information (and, as noted above, generally requires proof of compliance with PCI standards).
For more information on mitigating your organization’s cyber risks through cyber insurance, our previous article, published by MISTI Infosec Insider, provides a more detailed overview of the factors to consider when managing a cyber‑insurance program.