By Kelly Castriotta, North American Head of Product Development for Financial Lines at Allianz Global Corporate & Specialty
For the first time ever, cyber incidents (39% of responses) rank as the most important business risk globally in the ninth Allianz Risk Barometer 2020, relegating the perennial top peril, Business Interruption (BI) (37% of responses), to second place. Awareness of cyber threats has grown rapidly in recent years, driven by companies' increasing reliance on data and IT systems and by a number of high-profile incidents. Seven years ago, cyber ranked 15th with just 6% of responses.
The annual survey on global business risks from Allianz Global Corporate & Specialty (AGCS) incorporates the views of a record 2,718 experts in over 100 countries, including CEOs, risk managers, brokers and insurance experts.
Here are some of the reasons why cyber has overtaken the top spot and is likely to remain a leading business risk for the foreseeable future.
Data breaches larger and more expensive
As companies collect and use ever-greater volumes of personal data, data breaches are becoming larger and costlier. In particular, so-called mega data breaches (involving more than one million records) are more frequent and expensive. In July 2019, Capital One revealed it had been hit by one of the largest ever breaches in the banking sector with approximately 100 million customers impacted. Yet this breach is by no means the largest in recent years.
Data breaches at hotel group Marriott in 2018 and credit score agency Equifax in 2017 were reported to have involved the personal data of over 300 million and 140 million customers respectively. Both companies faced numerous lawsuits and regulatory actions in multiple jurisdictions – the UK’s data protection regulator intends to fine Marriott $130mn for the breach, among the earliest and largest fines under the EU’s new privacy laws to date.
The General Data Protection Regulation (GDPR) rules that came into force across Europe in 2018 will likely bring further fines in 2020. The European Data Protection Board (EDPB) released a preliminary report stating that of the 206,326 cases reported under the GDPR across 31 countries in the first nine months of its implementation, the national data protection agencies had only resolved around 50% of them.
A mega breach now costs an average of $42mn, according to the Ponemon Institute, an increase of nearly 8% over 2018. For breaches in excess of 50 million records, the cost is estimated to be $388mn (11% higher than in 2018).
Ransomware brings increasing losses
According to the EU’s law enforcement agency, Europol, ransomware is the most prominent cybercrime threat.
Already high in frequency, incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions. The consequences of an attack can be crippling, especially for organizations that rely on data to provide products and services.
Extortion demands are just one part of the picture. Business interruption brings the most severe losses from ransomware attacks, and in some cases, ransomware is a smokescreen for the real target, such as the theft of personal data. Industrial and manufacturing firms are increasingly targeted but losses tend to be highest for law firms, consultants, and architects, for which IT systems and data are their lifeblood.
BEC attacks result in billion-dollar fraud
Business email compromise (BEC) attacks, which typically rely on spoofed or hijacked email accounts, are increasing in frequency. BEC incidents have resulted in worldwide losses of at least $26bn since 2016, according to the FBI in the US.
Such attacks typically combine social engineering with phishing emails that impersonate a trusted sender, duping employees or senior management into revealing login credentials or authorizing fraudulent payments.
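The impersonation described above leaves traces in the message headers that a mail gateway or SOC script can check: a display name that matches an executive but a sender address outside the corporate domain, a sender domain that is a lookalike of the real one, or a Reply-To that redirects answers elsewhere. The script below is an added example written for this page, not tooling from Allianz or the Risk Barometer; the corporate domain "example.com", the executive names, and the three sample messages are all constructed assumptions.

```python
"""Heuristic BEC / sender-spoofing checks over e-mail headers.

Added illustration, not the article's own tooling.  The corporate domain,
the protected executive names and the sample messages below are assumptions
constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr
import difflib

CORPORATE_DOMAIN = "example.com"            # assumption: the defended domain
EXECUTIVES = {"jane doe", "john smith"}     # assumption: names attackers impersonate


def normalise_domain(domain: str) -> str:
    """Undo common visual substitutions used in lookalike domains."""
    d = domain.lower().strip()
    d = d.replace("rn", "m").replace("vv", "w")       # rn -> m, vv -> w
    return d.translate(str.maketrans("0135", "oles"))  # 0 -> o, 1 -> l, 3 -> e, 5 -> s


def is_corporate(domain: str) -> bool:
    """True for the corporate domain itself or any of its subdomains."""
    return domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """True if the domain is not ours but is confusable with ours."""
    if is_corporate(domain):
        return False
    norm = normalise_domain(domain)
    if norm == CORPORATE_DOMAIN:
        return True
    # tolerate one-character typosquats such as exampel.com or examplle.com
    return difflib.SequenceMatcher(None, norm, CORPORATE_DOMAIN).ratio() >= 0.9


def analyse(raw_message: str) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. executive display name on a non-corporate address
    if display.strip().lower() in EXECUTIVES and not is_corporate(from_domain):
        findings.append(f"display-name impersonation: '{display}' sent from {from_domain}")

    # 2. sender domain that mimics the corporate domain
    if is_lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")

    # 3. replies silently redirected to a different domain
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        rt_domain = reply_to.rpartition("@")[2].lower()
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")

    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LEGIT = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: accounts@example.com",
    "Subject: Q3 invoices",
    "",
    "Please process the attached invoices.",
])

SAMPLE_IMPERSONATION = "\n".join([
    "From: Jane Doe <jane.doe@gmail.com>",
    "To: accounts@example.com",
    "Subject: Urgent wire",
    "",
    "I am in a meeting, please wire the funds today.",
])

SAMPLE_LOOKALIKE = "\n".join([
    "From: John Smith <john.smith@examp1e.com>",
    "Reply-To: accounts@payments-portal.net",
    "To: accounts@example.com",
    "Subject: Updated bank details",
    "",
    "Our supplier has changed bank accounts, see below.",
])

if __name__ == "__main__":
    for name, sample in [("legit", SAMPLE_LEGIT),
                         ("impersonation", SAMPLE_IMPERSONATION),
                         ("lookalike", SAMPLE_LOOKALIKE)]:
        print(name, analyse(sample) or "clean")
```

These checks only supplement, and never replace, SPF, DKIM and DMARC enforcement at the gateway: the From header is attacker-controlled, so a message that passes these heuristics is not thereby trustworthy, and any finding is best treated as a trigger for out-of-band verification of the payment request rather than as proof of fraud.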
Litigation prospects rising
Many large data breaches today spark regulatory actions, but they can also trigger litigation from affected consumers, business partners, and investors. When they do, legal expenses can add substantially to the cost.
Data breach litigation in the US is a developing situation. A number of large breaches have triggered class actions by consumers or investors. Outside the US, a number of countries have expanded group action litigation rights. For example, in Europe, the GDPR makes it easier for victims of a data or privacy breach to seek legal redress.
In addition, claimant law firms and litigation funders are actively looking to bring class actions for data breaches in Europe and elsewhere – a class action against British Airways following its 2018 data breach was recently given the go-ahead in the UK courts. Consumer groups are also looking to test the GDPR and challenge some organizations’ interpretation of the new law.
M&A can bring cyber issues
Cyber exposures have emerged as a hot topic in mergers and acquisitions (M&A) following some large data breaches. For example, the 2018 Marriott breach was traced to an intrusion in 2014 at Starwood, a hotel group it acquired in 2016.
Even the best-protected companies will be exposed if they acquire a company with weak cybersecurity or existing vulnerabilities. The acquiring firm could be liable for any damage from incidents that pre-date the merger.
Ultimately, considering potential cyber vulnerabilities and exposures needs to become a higher priority for businesses during M&A, as many companies are not doing enough due diligence in this area. At the same time, once a deal has been completed many companies do not address any weaknesses in acquired systems quickly enough.
Political factors play out in cyberspace
The involvement of nation-states in cyber-attacks is an increasing risk for companies, which are being targeted for intellectual property or by groups intent on causing disruption or physical damage. For example, growing tensions in the Middle East have seen international shipping targeted by spoofing attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware campaigns.
Sophisticated attack techniques and malware may also be filtering down to cybercriminals, while nation-state involvement is providing increased funding to hackers. Even where companies are not directly targeted, state-backed cyber-attacks can cause collateral damage. In 2017 the NotPetya malware attack primarily targeted Ukraine but quickly spread around the world.
Preparation and training are the most effective forms of mitigation and can significantly reduce the likelihood or consequences of a cyber event. Many incidents are the result of human error, which can be mitigated by training, especially in areas like phishing and business email compromise, which are among the most common forms of cyber-attack.
Training could also help mitigate ransomware attacks, although maintaining secure backups can also limit the damage from such incidents. Business resilience and business continuity planning are also key to reducing the impact of a cyber incident, although response plans need to be tested, practiced, and regularly reviewed.
About the Author
Kelly B. Castriotta is the Regional Head of Product Development in North America for Financial Lines at Allianz Global Corporate & Specialty. Ms. Castriotta develops new products for all Financial Lines in North America, including cyber, directors and officers liability and all professional liability offerings. Most recently, Ms. Castriotta led the company's initiative to address non-affirmative cyber across nearly 100 discrete product lines.
She can be reached online at https://www.agcs.allianz.com/