Feature Article

Uncover the Hidden Costs of Your Next Cyber Attack


Financial executives know about cyber risk, but are they prepared for all of its dimensions?


As senior financial executives, we’re called upon to gauge the risk of myriad hazards, and perhaps no hazard is more ominous today than a cyber attack. New research suggests many financial executives grossly underestimate the cost of a successful cyber attack on their businesses, especially the uninsured losses.

First, some context: Cyber crime will cost the world a projected US$6 trillion annually by 2021, up from US$3 trillion in 2015, according to Cybersecurity Ventures. The WannaCry ransomware attack alone cost the world an estimated US$4 billion in 2017, according to Reinsurance News. Cybersecurity Ventures predicts there will be a ransomware attack on businesses every 11 seconds by 2021.

Although financial executives have generally gotten the message about cyber risk, that doesn’t mean they understand all of its dimensions, nor are they necessarily prepared.

My company recently surveyed CFOs and other senior financial executives at some of the world’s largest companies to understand their perspectives on cyber risk. Ninety-six percent of respondents call cyber risks a moderate to major concern. Most also believe cyber security insurance is a good idea, with 71% of respondents reporting they have such coverage already.

Two types of cyber coverage for business

Fifty-eight percent of the financial leaders in our survey said they had both first- and third-party coverage.

First-party cyber insurance covers losses of the policyholder’s property and interruption of the policyholder’s business. Data may be considered property, and covered losses can include the cost to restore lost, stolen or contaminated data, and to offset financial losses due to an outage. The outage could occur at your premises or result from an attacked service that your company relies on, such as cloud storage or payment processing.

Third-party insurance covers the threats that most often grab the headlines: your liability to individuals and companies who are affected by a cyber event that targeted you. The classic example is a breach of financial, personal or health information. Customer notification, compensation and litigation costs could be covered by third-party insurance.

Twenty-two percent of our survey respondents had no cyber insurance coverage at all. Another 8% didn’t know whether they had coverage.

Here’s where things got even murkier.

Most cyber-related financial losses can’t be insured

We showed the financial executives a list of potential losses stemming from a cyber attack, asking, “If your organization experienced a substantial cyber security event, what would you expect to be the likely impact(s)? (Please choose all that apply.)”

Here are the answers:

  1. Degradation of their company’s brand/reputation (46% of respondents said this was a likely effect of a cyber security event)
  2. Increased scrutiny from the investment community (40%)
  3. Decline in revenue/earnings (38%)
  4. Introduction of regulatory compliance problems (35%)
  5. Decline in market share (24%)
  6. Decline in share price (24%)
  7. New costs to mitigate the loss (53%)

Do you notice anything about this list?

The first six of the seven described losses aren’t covered by insurance. Decline in revenue/earnings may be covered for a period of time, but only until the company is back in business. Revenue losses would not be covered in perpetuity despite the likelihood that a business disruption could easily depress revenue for an extended period of time.

The seventh item, new costs to mitigate the loss, might include expenses covered by a good insurance policy (e.g., data restoration). On the other hand, if mitigating the loss requires a multimillion-dollar advertising campaign to rehabilitate the brand, or a bigger sales team to rebuild your business, that’s not going to be covered by insurance.

A false sense of security

Despite the fact that the majority of these losses are not covered by insurance, respondents made a befuddling claim in the survey: 7 in 10 believed their insurer would cover most or all of the losses they would incur in a cyber attack (45% said they expected their insurer would cover most related losses from a cyber security event, and 26% said all). I suspect that this response may be because they understandably haven’t read their insurance policy recently, or they haven’t fully contemplated their likely loss experience.

Moreover, half the respondents predicted it would take months, quarters or years to recover financially from a cyber attack, which may push the limits of many insurance policies. In both cases (the range of losses that would be covered in a cyber attack and the length of time for which they’d be covered), expectations are inflated. As you can see, financial executives may be underestimating the impact of a cyber attack and possess a false sense of confidence when it comes to cyber security insurance.

How big could uninsured losses get? 

Uninsured losses can be categorized as:

  • Customer loss: An embarrassing cyber attack and protracted business disruption could prompt customers to turn to other vendors, sometimes permanently, constituting lost revenue in perpetuity.
  • Lost growth: A major disruption could halt your company’s growth at least over the short-to-medium term, and that lost growth is value you may never get back. Even if the company were to rebound to its prior growth rate, it may miss forever the lost growth and compounding effect.
  • Lost investor confidence: A major disruption is suggestive of pervasive elevated risk, and that may rattle investors, thereby driving up the cost of capital. Bad news around missed growth targets can drive down a company’s stock prices.

The total losses are likely to be big.

Of course, insurance is necessary for a 21st-century company, but it’s not sufficient to make a company whole. Insured losses could be significant in a cyber attack, but the uninsured losses may outstrip them.

So do what you can to protect against cyber attacks’ far-reaching implications. Start—but don’t stop—with insurance because most cyber-related losses are preventable.

As originally published in FEI Daily.

