Cyber Risk: The Answers to Five Big Questions

With cyber risk a top-level concern for all organizations, FM Global executive vice president, Mike Turner, provides insights on this growing business threat.

Q: What might motivate an individual or organization to attempt a cyber attack?
A: In today's environment, most threat actors continue to be motivated by financial gain, whether they are stealing individuals' personally identifiable information in a data breach or using ransomware to extort the target.

That said, not all attacks are financially motivated—as we saw with the Dyn denial-of-service attack last October; there is a subset of hackers that is purely interested in causing maximum business disruption on the internet. And, not surprisingly, nation states and terrorist organizations are attempting to cause physical damage or interruption of certain services through cyber means.


Q: Cyber attacks seem to follow trends. Most attacks from 2014 and 2015 were on information assets. In 2016, more information and product technology platforms were targeted. Do you foresee a shift in the focus of attacks in 2017?
A: As hackers become more sophisticated, we are seeing more incidents involving the interruption or shutdown of business operations. This is a huge concern for organizations, as it can have a financial and reputational impact.

Additionally, threat actors are becoming increasingly interested in exploiting vulnerabilities associated with the Internet of Things—physical devices connected to the internet. And with many companies now relying on industrial control and building automation systems that are also connected to the internet for improved efficiency, attacks on these physical devices—known as cyber-physical attacks—represent a new frontier.


Q: Threat actor motivations seem to evolve with time, as does cyber coverage in the property insurance marketplace. What types of cyber coverage are prevalent today?
A: Just a few years ago, we tended to view the cyber insurance market as providing primarily a third-party liability product. But now, most cyber carriers also provide first-party coverage for things like notification fees, credit monitoring services, crisis management expenses and computer forensics, as well as coverage for corrupted or damaged data and business interruption.

The area in which we've seen the greatest degree of expansion is business interruption, particularly contingent BI coverage for the interruption of data services. FM Global continues to provide broad cyber coverage in our form, including for the interruption of data services, plus coverage for damage to data and interruption of our clients' network. And, unlike others in the cyber market, we provide coverage on an all-risk basis for physical damage resulting from a cyber attack.


Q: What challenges does the insurance industry face, with cyber attacks becoming less virtual and more tangible?
A: While FM Global has covered data as physical property for more than 15 years, the cyber community views "tangible" as what we would consider resulting physical damage to real or personal property. And considering the proliferation of physical devices that are connected to the internet and to business networks, we know that threat actors are constantly seeking new ways to exploit these vulnerabilities.

These devices represent another way to access a company's network, only now malicious acts can have physical consequences. There are but a few known examples of successful cyber-physical attacks—Stuxnet, a malicious computer worm that was responsible for causing substantial damage to Iran's nuclear program, plus the control system hacks at a German steel mill and the Ukrainian power grid—but regardless of whether it's politically motivated or simply attention-seeking behavior, many expect to see an increase in similar cyber attacks.


Q: How has preparing for enterprise resilience changed relative to evolving cyber risks?
A: As cyber threats evolve from theft of personal information to more sophisticated attacks that can impact business operations, organizations need to evaluate whether they can bounce back from a cyber incident. FM Global's approach is designed to assess the client's company culture, preparedness, response capability and resiliency in the event of a cyber attack.

Ultimately, organizations want to understand their exposure and be in a position to quantify their cyber risk. They are looking to their insurance carriers not only to provide coverage, but also to help them expand their knowledge on the subject, assess and understand their cyber risk, and provide them with practical mitigation solutions so they can recover after a cyber incident. It is all about being resilient.

