Cyber risks, and their accompanying costs, are something that many organisations still struggle to fully come to terms with. In attempting to quantify the potential costs of cyberattacks, many businesses are limited to listing the costs of replacing their IT assets, without realising that their software and hardware replacement costs are merely the tip of the proverbial iceberg. It is no wonder that there have been numerous cases of profitable corporations of various sizes having gone the way of the Titanic after experiencing a cyber breach. Mr Kegan Chan of Marsh explains.
As organisations are becoming increasingly globalised and interconnected, cyber risk exposures are growing correspondingly, impacting businesses across all sectors and countries.
Cyber security – A key concern in recent years
In recent years, the annual World Economic Forum’s Global Risks Report (See chart) has consistently listed cyber risks as one of the key threats to organisations around the world. Despite the best efforts of risk managers and IT experts to tackle the ever-evolving cyber threats, cyber criminals are highly innovative and persistent in their attacks simply because the returns for them are high.
Even where there is no obvious and direct monetary return, cyber criminals are also after personal information, along with whatever other corporate secrets they can gather along the way.
The odds against organisations in this arms race are compounded by the introduction of sophisticated cyber hackers and even state actors with the ability to ruin an organisation’s systems integrity. The results include severe business interruption and even physical damage to assets, including data servers and production equipment. In extreme cases, human casualties have even been reported.
Can cyber defences ever be water-tight?
Even with the best cyber defences against external threats, negligent or disgruntled employees and vendors can still cause damage, with the potential to cripple company systems from within. In many of these instances, the IT department has already done whatever they could to secure the systems and can rightfully be absolved of blame.
Unfortunately, there is no “silver bullet” solution for cyber security, and corporates spend millions of dollars every year on enhancing their IT infrastructure just to stay in the game. Meanwhile, in the boardroom, risk managers are working with management on identifying a comprehensive risk registry, along with solutions such as an emergency response and a crisis management plan to tackle the unfortunate events which could potentially afflict the company.
Frequently overlooked costs of cyber breaches
While cyber risk is obvious in most situations, it is equally critical to carefully identify the contingent risks which are not so apparent to the organisation. Directors and Officers might be subject to litigation if they were found to be aware of a cyber exposure but were ineffective in carrying out their fiduciary duty. In more serious situations, this liability may extend to other employees within the company who may face claims from the stakeholders because of their inaction or negligent acts.
Taking all these factors into account will provide boards and executives with a more accurate picture of the information assets critical to an organisation’s success. It will also keep them up to date on known business security vulnerabilities and threats and help them make well-informed decisions, because it takes only a single successful cyber-attack to devastate an organisation’s financial standing or reputation.
For years, organisations have focused on building up their network defences. However, in recent years, we have seen network breaches in many organisations, including many government agencies. This does not mean that cyber risk management is futile, but rather that the focus needs to extend towards a more sustainable solution: a more comprehensive understanding of the risks, and transferring them accordingly. Planning for worst-case scenarios is no longer an option, but a necessity.
The process of quantifying cyber risks
Organisations seeking to quantify cyber risks should take into account the likelihood that their company will suffer a cyber breach (which is higher than most people think), and the associated costs of these events.
One of the best approaches to start the quantification process would be to address the revenue impact each loss scenario has on the organisation. Similar to traditional business interruption insurance calculations, risk managers examine the associated revenue streams and working expenses that are impacted, along with the business downtime the cyber event is anticipated to cause.
However, not every cyber scenario will cause a cyber business interruption loss. Cyber criminals, negligent vendors, or rogue employees may purely carry out fraudulent acts resulting in loss of sensitive information or funds. In such cases, the company is able to continue to operate as usual. Situations like this would require organisations to look beyond business interruption and to identify first party costs and expenses which they may incur in a potential cyber or data loss event.
Using a cyber breach timeline, management would be able to track these costs, starting from the moment they pick up their phone to call their lawyers and public relations consultants to assist with minimising the reputation damage to the company.
Next on the list would be forensics investigation, which is a costly process of having IT experts trace how and when the breach occurred, as well as the damage that has been done.
If data is lost or ransom money demanded, data asset restoration and cyber extortion costs are taken into account. Depending on the nationalities of the affected individuals (for example, customers whose private information has been compromised), the company may also be required by local law to notify each of them, at a cost per individual ranging from US$0.02 in India to US$0.59 in the US. The costs of setting up call centres to respond to client enquiries and, in instances where credit card information was stolen, credit monitoring costs, should also not be underestimated.
These costs can already be unsettling for some companies, but unfortunately, they are not the only costs applicable. Consequential claims by third parties should not be overlooked. Damages from liability claims by affected individuals resulting from the privacy and data breach, as well as legal defence costs, can be enormous; especially in jurisdictions where class actions are common.
Regulatory investigations often follow closely, hitting companies with fines and penalties for the breach. Other scenarios may also lead to intellectual property or tortious claims, such as wrongful publication or broadcast of clients’ or vendors’ confidential information or trade secrets. Companies providing online services could also face claims from clients who are unable to carry out their transactions on a timely basis when a system security failure causes a denial of service.
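The quantification steps above (revenue impact and downtime, then first-party costs on the breach timeline, then third-party claims and fines) can be written down as a simple scenario model. This is an added illustration, not Marsh’s quantification model; the Scenario fields, the two sample scenarios and every figure in them are constructed, and the only real inputs are the per-individual notification costs the article quotes for India and the US.

```python
from dataclasses import dataclass, field
# Per-individual notification cost (US$) by jurisdiction: IN and US are the
# rates quoted in the article; no rate is assumed for any other jurisdiction.
NOTIFICATION_COST_USD = {"IN": 0.02, "US": 0.59}

@dataclass
class Scenario:
    """One loss scenario from the organisation's cyber risk registry (constructed shape)."""
    name: str
    likelihood: float                  # annual probability the scenario occurs
    daily_revenue_at_risk: float = 0   # interrupted revenue stream, 0 if none
    downtime_days: float = 0           # anticipated business downtime
    first_party: dict = field(default_factory=dict)  # legal/PR, forensics, restoration, extortion...
    affected: dict = field(default_factory=dict)     # individuals to notify, keyed by jurisdiction
    third_party: dict = field(default_factory=dict)  # liability claims, defence costs, fines

def business_interruption(s: Scenario) -> float:
    """Revenue lost during downtime; zero for pure fraud or data-theft scenarios."""
    return s.daily_revenue_at_risk * s.downtime_days

def notification_cost(s: Scenario) -> float:
    """Statutory notification cost; fails loudly instead of silently zeroing an unknown jurisdiction."""
    unknown = set(s.affected) - set(NOTIFICATION_COST_USD)
    if unknown:
        raise ValueError(f"no notification rate for {sorted(unknown)}")
    return sum(NOTIFICATION_COST_USD[j] * n for j, n in s.affected.items())

def quantify(s: Scenario) -> dict:
    """Break one scenario into BI, first-party and third-party costs (rounded to cents)."""
    bi = business_interruption(s)
    first = sum(s.first_party.values()) + notification_cost(s)
    third = sum(s.third_party.values())
    total = bi + first + third
    return {"business_interruption": round(bi, 2), "first_party": round(first, 2),
            "third_party": round(third, 2), "total": round(total, 2),
            "expected_annual": round(total * s.likelihood, 2)}

def expected_annual_loss(scenarios) -> float:
    """Likelihood-weighted loss summed across the registry, for budgeting or transfer decisions."""
    return round(sum(quantify(s)["expected_annual"] for s in scenarios), 2)

# Constructed sample registry: every figure below is invented for illustration.
RANSOMWARE = Scenario("ransomware on order system", likelihood=0.10,
                      daily_revenue_at_risk=50_000, downtime_days=4,
                      first_party={"legal_pr": 40_000, "forensics": 60_000, "restoration": 25_000},
                      affected={"US": 100_000, "IN": 500_000},
                      third_party={"liability_and_defence": 150_000, "regulatory_fines": 100_000})
PAYMENT_FRAUD = Scenario("rogue employee diverts funds", likelihood=0.30,
                         first_party={"legal_pr": 10_000, "forensics": 30_000},
                         affected={"US": 2_000})
```

The second scenario has no business interruption component at all, which is the point the article makes about fraud cases: the firm keeps trading, yet first-party and notification costs still accrue.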
Do it right
Quantifying first and third party costs is an arduous and challenging project for most organisations. Marsh can assist our clients with our tested and proven processes and models. Our quantification models can pinpoint a company’s and its industry’s potential cyber breach exposures.
By undertaking a structured and risk-based approach in understanding cyber risk exposures, information security, and risk management processes, organisations can take a two-fold approach.
This is achieved by segregating the risk drivers capable of being transferred through different insurance products, while devoting in-house attention to developing a stronger risk management culture across the company, streamlining its crisis response time, and keeping its reputation losses to a minimum in times of a cyber crisis.
Mr Kegan Chan is Vice President, Analytics Sales Leader – Asia, at Marsh.