‘Companies usually only start rethinking their position when they themselves are affected, when they have incurred cyber damage.’
Cyber risks are an international problem that is just getting bigger. Damages are being reported from virtually all industrialised countries, and companies around the world are affected. Specific attacks with malware can easily cross international borders. Take previous cyber attacks such as WannaCry, a ransomware Trojan, which infected IT systems in more than 150 countries in 2017. Not long after, the NotPetya attack saw malware infecting systems in around 65 countries. Cyber attacks have become a widespread risk with potentially high financial damages, currently representing a global and systemic problem.
Damage in the billions
A different picture arises from surveys in the IT industry. Here, a study of 500 industrial companies carried out in autumn of 2018 by IT association Bitkom showed that seven out of ten companies surveyed had been affected by data theft, industrial espionage or sabotage. Cyber attacks caused financial damage for 47 per cent of the industrial companies. Bitkom says that total losses from the last two years amounted to 43.4 billion euros. Around 20 per cent of the costs arose from damage to image and violations of patent rights. Business interruptions are responsible for 15 per cent of the costs, coming in third place and followed by damage assessment and clarification costs.
Human beings represent a huge vulnerability. According to the Bitkom study, the main sources of cyber attacks are predominately former or current employees and individuals from the business environment, i.e. clients, suppliers, service providers and competitors. This is confirmed by a 2018 study by insurer Hiscox, which shows that around two-thirds of all cyber damage can be attributed to human misdeeds. ‘Attentive employees are the best protection in this case. With the right level of awareness, they are the first line of defence, supported by a professional IT security system,’ says Dr Alexander Skorna.
Let’s look at the claim statistics. In the past two years, a number of companies have shone a light on their individual risk situations and taken out cyber insurance as a result. At the same time, the risk is rising significantly, primarily due to the spread of ransomware (encryption Trojans) and malware.
[Figure: Cyber damage according to reported incidents]
Claims are rising
Insured damages are rising accordingly, with some insurers reporting increases of up to 50 per cent per year. According to its current report from May 2018, the American International Group reported as many claims for 2017 alone as for the years 2013 to 2016 combined. Insurers are just as concerned about accumulated losses, which can be incurred simultaneously as the result of large-scale attacks by hackers or worms infecting multiple companies. ‘We are currently seeing lower and lower capacities on the market, and sometimes even a general reticence among insurers when it comes to new business with high exposure,’ says Dr Alexander Skorna, summarising the market situation.
The claim amounts differ greatly depending on the size of the company. According to a 2018 Ponemon Institute study, the average damage incurred from a data breach worldwide amounts to 3.86 million US dollars, which represents an increase of 6.4 per cent compared to the previous year. Where a data breach affects a million or more data records, the study says that costs go up quickly and average around 40 million US dollars. These figures only refer to costs arising from data protection breaches.
According to a KPMG study, the average cyber incident costs 6.1 million euros. ‘For small to medium-sized businesses, losses arising from cyber incidents are usually much lower, but even here they are clearly trending upward,’ says Dr Skorna. ‘In Germany the cost of claims for cyber is rising especially quickly year on year.’ Cost drivers both for large enterprises and medium-sized businesses are business interruption losses, the costs of notifying affected clients in the event of data breaches and the costs of assessing the damage. The studies show a relatively uniform picture for the affected industries. Financial service providers, legal/business advisers, companies from the healthcare sector and retailers submit the most claims. Germany’s heavily industrial machine construction sector falls in the middle of the claim statistics – around one in ten claims affects this industry. Cyber attacks cause the greatest financial damage in the finance, energy and aviation/defence sectors. Industrial production and trade (which were still the most affected a few years ago) now fall more into the middle range in terms of the extent of damage experienced.
Clients put on the pressure
Let’s look at the drivers for taking out cyber insurance. According to a study in 2018 by PartnerRe together with Advisen, companies are taking out insurance against cyber risks predominately due to pressure from third parties – usually clients. Other drivers include the intensification of the General Data Protection Regulation and the greater liability risk. Media coverage of incidents and companies’ own experiences with cyber-related losses also lead to increased insurance sales. Premiums are currently volatile and vary greatly from insurer to insurer. ‘An insurance broker like Funk offers added value here, ensuring market consistency through a uniform policy and the best price–performance ratio from the client’s point of view,’ says Dr Skorna. A basic prerequisite for efficient cyber protection, however, is that companies be able to estimate their risk exposure. A risk analysis can help with this. Companies should also prepare for business interruptions in the aftermath of a cyber attack by creating contingency plans or implementing business continuity management. Only holistic protection against cyber attacks will put companies in the best possible position to come out of an incident unscathed.