Inga Beale, the Chief Executive of the Lloyd’s of London insurance and reinsurance market, has warned today that it is the reputational risk and fallout from a cyber breach that “kills modern businesses.”
With the recent WannaCry ransomware attacks and the ongoing impact of the current Petya or PetrWrap attack, cyber risk is moving up the corporate agenda and the potential costs are becoming better understood.
“The reputational fallout from a cyber breach is what kills modern businesses. And in a world where the threat from cyber-crime is when, not if, the idea of simply hoping it won’t happen to you, isn’t tenable,” Beale explained today.
Lloyd’s of London warns that businesses can face much higher costs than they might anticipate from cyber attacks, making proper preparation vital to avoid the ‘slow burn’ costs such as reputational damage, litigation and loss of competitive edge.
Lloyd’s has released a new report on cyber risks today in collaboration with KPMG and law firm DAC Beachcroft, assessing the current nature of the cyber risk landscape, as well as the top threats by industry sector.
Beale commented on the report’s launch: “To protect themselves businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimise reputational harm and arrange cyber insurance to ensure that the risks are adequately covered. By reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimise the immediate costs and their exposure to subsequent slow burn costs.”
Matthew Martindale, Director in KPMG’s cyber security practice, added: “Cyber risk has moved up in the business agenda and businesses are taking measures to prepare themselves. However, they are failing to factor in the long-term damage that a breach can cause and the cost implications of it. Dealing with things like reputational issues and litigation in the aftermath of a breach, can add substantial costs to the overall loss. Businesses really need to start thinking about the cyber risk holistically rather than one that is currently very short sighted.”
Hans Allnutt, Partner, Head of Cyber & Data Risk at DAC Beachcroft, also said: “Whilst the immediate business impact of a breach could be significant for any organisation, it may only be the tip of the iceberg when it comes to dealing with the legal consequences which may last months or even years. Once notified, it is not uncommon for regulatory investigations to take more than a year before they reach a conclusion. Subsequent litigation can take even longer, particularly because the law surrounding data security and privacy is a relatively evolving area. In one UK data protection case, it took three years and a failed appeal before the litigation was finally settled.”
The report seems largely focused on cyber breaches and subsequent loss of data, seeking to identify gaps in business coverage where the insurance and reinsurance industry has work to do, presenting it with an opportunity.
It perhaps fails to fully identify the major risk of critical infrastructure attacks, and the resulting business interruption and contingent business interruption costs due to system failure, downtime, lock-out, or factors such as inability to complete orders and receive supplies, all of which can result from cyber attacks.
Business interruption is mentioned as an immediate cost, but we would venture that the slow burn of business interruption and potential for contingent business interruption can, in many cases, be the largest financial threat to businesses due to the evolving cyber risk threat.
It is of course also important to consider how business interruption of all forms can amplify reputational risk, with the potential to result in spiralling costs.
The research identifies ransomware, such as last month’s WannaCry attack and the currently ongoing Petya or PetrWrap ransomware which has caused global problems in the last 24 hours, as a threat that is rapidly increasing.
Distributed denial-of-service, or DDoS, attacks and CEO fraud are also identified as significant risks to businesses in today’s cyber risk landscape.
The report also highlights that financial services companies are the most targeted by organised cyber-crime, citing bank systems and financial market infrastructure as at risk, with the retail sector now becoming increasingly targeted as well.
The oil and gas sector is also often a target, for both political and criminal reasons, the report finds, while the public sector and telecommunications sectors are susceptible to espionage-focused cyber-attacks.
The report from Lloyd’s and collaborators can be downloaded here.