The rise of cyber

Additional complexity in managing cyber risks comes not only from the new technologies being adopted, but also from the increased growth and sophistication of attacks originating from organised cyber-criminals and nation-state sponsored actors.¹

We are seeing bigger and more sophisticated cyber-attacks, such as the big, global ransomware attacks WannaCry and NotPetya in 2017. Considered to be the most devastating cyber-attack to date, NotPetya hit many global industries and companies at the same time, with several filing losses for more than 100 million dollars.

The omnipresent risk

"Cyber risks touch clients from all industries, and companies of all sizes. Cyber is an emerging area with largely unknown losses. There are lots of incidents that have not been reported, and almost 70 percent of breaches take months or longer to discover³", If Cyber Risk Engineer Peter Granlund says.

Cyber-crime is largely driven by financial motives³, making practically anyone a target. Governments also play a critical role, as cyber has emerged as an effective tool to pressure, influence, and spy on foreign nations – ­ a weapon without going to war.

Over the past ten years, state-sponsored attacks have been responsible for one quarter of all cyber incidents³, not only affecting public sector organisations and critical infrastructure, but also sensitive information in the private sector. This trend shows no signs of decreasing, but rather the opposite.

In all industry sectors, personal information (name and address, credentials, payment and medical records) is the number one data compromised in cyber breaches.³

"The planning for building these connected networks is not yet mature, and where automation and IIoT bring great possibilities, they can also create risk exposures", Peter notes. "Many organisations have started to realise their cyber risks, but still often choose operational efficiency and costs over security, or do not spend sufficient time thinking about cyber security, lifetime support, and budgets when incorporating these devices as part of the infrastructure4", Peter says.

Defence from collaboration

"No industry is safe from cyber risks, so all industries need to find means to develop resistance against them. In nearly two-thirds of organisations, cyber risk is among the top five risk management priorities.¹ However, it should be top five for everyone", Peter says.

"We are beginning to understand the risks and the means to protect against them as we gather more data. Cyber risks cannot be eliminated, but we can prepare and mitigate the risks", Peter continues.
The key to tackling the rapidly changing cyber risk environment is transparent collaboration between organisations, insurers, and governments.

The new EU data protection regulation, GDPR, requires all organisations to report breaches on privacy to the authorities, inform affected individuals, and compensate them for damages.

"With this new regulation in place, and the increasing number of cyber-attacks, combined with privacy information being the most affected in data breaches, I think 2018 is the year we will start to see a sharp increase in financial losses among organisations experiencing cyber-attacks", Peter continues.

On the positive side of GDPR, the authorities have the potential to provide new and wider information on the number and consequences of cyber incidents, which both organisations and insurance companies can use to manage this risk.

This could enable the cyber insurance market to better understand this new, complex, and unpredictable risk. This, along with the capability to calculate and price risks, can provide more financial capacity to the market.
"In the end, the key is to manage cyber risks together. It is neither practically nor financially feasible for organisations to implement technical and organisational security controls that protect them 100 percent. Cyber insurance solutions will play a vital role in protecting organisations' intangible assets", Peter concludes.