The rise of cyber

The value of a company used to be determined by its physical assets, but today, most of the value comes from intangibles like data, intellectual property and technology.

In 1975, just 17 percent of the market value of S&P 500 companies was tied to intangible assets. Today, the numbers have reversed: just 16 percent of value is in physical assets; the rest comes from intangibles.¹
There has been significant growth in the cyber insurance market in the past few years, with 16 percent growth in GWP from 2016 to 2017 and the estimated size of the market to reach 20 billion in 2025.² The main driver for cyber insurance, especially in Europe, is business interruption.

Additional complexity in managing cyber risks comes not only from the new technologies being adopted, but also from the increased growth and sophistication of attacks originating from organised cyber-criminals and nation-state sponsored actors.¹

We are seeing bigger and more sophisticated cyber-attacks, such as the big, global ransomware attacks WannaCry and NotPetya in 2017. Considered to be the most devastating cyber-attack to date, NotPetya hit many global industries and companies at the same time, with several filing losses for more than 100 million dollars.

The omnipresent risk

"Cyber risks touch clients from all industries, and companies of all sizes. Cyber is an emerging area with largely unknown losses. There are lots of incidents that have not been reported, and almost 70 percent of breaches take months or longer to discover³", If Cyber Risk Engineer Peter Granlund says.

Cyber-crime is largely driven by financial motives³, making practically anyone a target. Governments also play a critical role, as cyber has emerged as an effective tool to pressure, influence, and spy on foreign nations – ­ a weapon without going to war.

Over the past ten years, state-sponsored attacks have been responsible for one quarter of all cyber incidents³, not only affecting public sector organisations and critical infrastructure, but also sensitive information in the private sector. This trend shows no signs of decreasing, but rather the opposite.

In all industry sectors, personal information (name and address, credentials, payment and medical records) is the number one data compromised in cyber breaches.³

Cyber-crime is largely driven by financial motives, making anyone a target.
Peter Granlund, Cyber Risk Engineer, If

The good and bad technology

Companies from all industries are becoming more and more dependent on different and increasingly complex IT systems, information, cloud computing, software, sensors, smart devices, and artificial intelligence, making them more vulnerable to cyber-attacks.

32 percent of IIoT (Industrial Internet of Things) devices are connected directly to the Internet, bypassing traditional IT security layers.

"The planning for building these connected networks is not yet mature, and where automation and IIoT bring great possibilities, they can also create risk exposures", Peter notes. "Many organisations have started to realise their cyber risks, but still often choose operational efficiency and costs over security, or do not spend sufficient time thinking about cyber security, lifetime support, and budgets when incorporating these devices as part of the infrastructure4", Peter says.

Defence from collaboration

"No industry is safe from cyber risks, so all industries need to find means to develop resistance against them. In nearly two-thirds of organisations, cyber risk is among the top five risk management priorities.¹ However, it should be top five for everyone", Peter says.

"We are beginning to understand the risks and the means to protect against them as we gather more data. Cyber risks cannot be eliminated, but we can prepare and mitigate the risks", Peter continues.
The key to tackling the rapidly changing cyber risk environment is transparent collaboration between organisations, insurers, and governments.

The new EU data protection regulation, GDPR, requires all organisations to report breaches on privacy to the authorities, inform affected individuals, and compensate them for damages.

"With this new regulation in place, and the increasing number of cyber-attacks, combined with privacy information being the most affected in data breaches, I think 2018 is the year we will start to see a sharp increase in financial losses among organisations experiencing cyber-attacks", Peter continues.

On the positive side of GDPR, the authorities have the potential to provide new and wider information on the number and consequences of cyber incidents, which both organisations and insurance companies can use to manage this risk.

This could enable the cyber insurance market to better understand this new, complex, and unpredictable risk. This, along with the capability to calculate and price risks, can provide more financial capacity to the market.
"In the end, the key is to manage cyber risks together. It is neither practically nor financially feasible for organisations to implement technical and organisational security controls that protect them 100 percent. Cyber insurance solutions will play a vital role in protecting organisations' intangible assets", Peter concludes.

Article by

Ida Tuononen

References

1) Marsh & McLennan – Global Cyber Risk Perception Survey February 2018

https://www.marsh.com/us/insights/research/global-cyber-risk-perception-survey.html

2) Allianz Global: A Guide to Cyber Risk – Managing the Impact of Increasing Interconnectivity

https://www.agcs.allianz.com/assets/PDFs/risk%20bulletins/CyberRiskGuide.pdf

3) Verizon – 2018 Data Breach Investigations Report

https://www.verizonenterprise.com/verizon-insights-lab/dbir/

4) The 2018 SANS Industrial IoT Security Survey

https://www.forescout.com/2018-sans-industrial-iot-security-survey/