Lloyd’s of London has warned that a serious cyber-attack could cost the global economy more than £92bn. Yet despite mass cyber-attacks hitting organisations and headlines around the world, there is little evidence of this being a wake-up call to the risk posed by weak cyber-security. In our Risk and Confidence Survey, only 27% of businesses believed that technology risk was likely to increase in Autumn 2017, and over two thirds (67%) believed it would stay the same or reduce.
This either suggests businesses are already factoring risk into their planning, or, more worryingly, that it is still not commanding the attention it requires.
New attacks are occurring every day, with Bupa and The Four Seasons recently admitting to potential data breaches, and cyber risk must be taken more seriously. However, a recent survey shows that the latest cyber-attacks have not noticeably boosted demand for cyber insurance.* According to the survey, 73% of brokers surveyed said that there had been no change at all in the number of enquiries for cyber cover following the WannaCry attack. Only 4% of brokers said that they had seen a significant increase.
One reason for this could be that customers are not yet sufficiently worried about the risk, potentially because the public impact of previous attacks has been limited so far. Secondly, insurers are still developing and improving their policies to set out cyber coverage more clearly. Cyber insurance is a relatively new line of insurance, so there is little loss data, compared with mature lines, with which to quantify the financial consequences of a cyber-attack.
Another reason cyber risk is not gaining the attention it needs is that it is potentially still viewed as an issue for the IT department. However, in today's digital and interconnected world it needs to move from IT to the boardroom. Cyber risk is now a key driver of boardroom risk, which our Risk and Confidence Survey showed was a growing concern for business leaders. And this will only grow with the introduction of the General Data Protection Regulation (GDPR) in 2018.
Currently the response to a cyber-attack is to minimise the damage as quickly as possible after each breach. But GDPR, with its mandatory breach notification to the regulator (normally within 72 hours) and fines of up to 4% of global annual turnover, means both the cost and the reputational damage will be even higher. Companies cannot continue to think of attacks as single instances of business interruption; they must treat them as long-term threats with serious, business-limiting consequences.
For cyber risk to be better managed in the future, behavioural and governance changes need to be made:
• Cyber risk must be taken more seriously: processes and protocols need to be reviewed constantly to ensure that protection is up to date, relevant information in the public domain must be monitored, and warnings from hackers should not be ignored.
• Lessons must be learned from each attack: fixes and patches should be installed promptly, and systems should be updated as each new attack vector emerges.
• Plans need to be made before an attack occurs: GDPR means the regulator, and in serious cases the affected individuals, must be informed of breaches, improvements must be made to ensure it won't happen again, and security reviews must be undertaken as a matter of course.
• Businesses must review their cover in case of a cyber-attack: this should include support with any response and remediation required as much as cover for financial loss.
Anthony Williams, Chief Risk Officer
Next in the series: Insurance must Adapt, but it is not a Dying Industry
Download your copy of the CNA Hardy Risk and Confidence Survey at www.cnahardy.com/pulse
*FWD Consulting survey