Allianz Risk Barometer 2020 - Cyber incidents 

(e.g. cyber crime, IT failure/outage, data breaches, fines and penalties)


January 14, 2020

Cyber risk tops the Allianz Risk Barometer for the first time with businesses facing a number of challenges such as larger and costlier data breaches, more ransomware incidents and the increasing prospect of litigation after an event. The playing out of political differences in cyber space also ups the ante while even a successful M&A can result in unexpected problems.

In 2020, cyber incidents (39% of responses) rank as the most important business risk in the Allianz Risk Barometer. Compare this with 2013, when they finished 15th with just 6% of responses, and it is clear how quickly awareness of the cyber threat has grown, driven by companies’ increasing reliance on their data and IT systems.

Cyber risks continue to evolve. A significant increase in the number of ransomware incidents is helping to drive up the frequency of losses for companies. Overall, cyber-attacks are becoming more sophisticated and targeted as criminals seek higher rewards with multimillion dollar extortion demands.

Ranking of cyber incidents in the Allianz Risk Barometer by year (rank and percentage of responses):

  • 2020: 1 (39%)
  • 2019: 2 (37%)
  • 2018: 2 (40%)
  • 2017: 3 (30%)
  • 2016: 3 (28%)
  • 2015: 5 (17%)
  • Austria
  • Belgium
  • France
  • India
  • Malaysia
  • South Africa
  • South Korea
  • Spain
  • Sweden
  • Switzerland
  • UK
  • USA
  • Aviation
  • Financial Services
  • Government & Public Services
  • Professional Services
  • Technology
  • Telecommunications
“The costs of a cyber incident are rising across the board, a product of growing complexity, more stringent regulation and the damaging consequences to a business from a loss of data or critical systems,” says Marek Stanislawski, Deputy Global Head of Cyber at AGCS. “In particular, the cost of large data breaches continues to increase, as data protection and privacy regulation widen in scope and geographical reach and class action litigation also starts to impact the cost of dealing with a breach. Meanwhile, when an incident leads to significant business interruption, losses are typically high.”

“More and more events – from leaving a laptop with confidential data on a train to losing a customer list – can constitute a data breach,” says Marek Stanislawski, Deputy Global Head of Cyber at AGCS.

“It is estimated that anywhere between 50% and 90% of breaches are caused or abetted by employees, be it by simple error or by falling victim to phishing or social engineering.

Well-trained and vigilant employees can become an extension of a company’s cyber security team and help form a much firmer perimeter around the company’s assets.”

Source: Allianz Global Corporate & Specialty. Figures represent the percentage of answers of all participants who responded (1,071). Figures don’t add up to 100% as up to three risks could be selected.

As companies collect and use ever greater volumes of personal data, data breaches are becoming larger and costlier. In particular, so-called mega data breaches (involving more than one million records) are more frequent and expensive. In July 2019, Capital One revealed it had been hit by one of the largest ever breaches in the banking sector with approximately 100 million customers impacted. Yet this breach is by no means the largest in recent years.

Data breaches at hotel group Marriott in 2018 and credit score agency Equifax in 2017 were reported to have involved the personal data of over 300 million and 140 million customers respectively. Both companies faced numerous lawsuits and regulatory actions in multiple jurisdictions – the UK’s data protection regulator intends to fine Marriott £100mn ($130mn) for the breach, among the earliest and largest fines under the EU’s new privacy laws to date.

In the same month – July 2019 – British Airways was provisionally fined £183mn ($240mn) for a data breach impacting 500,000 customers in 2018. 

The General Data Protection Regulation (GDPR) rules that came into force across Europe in 2018 will likely bring further fines in 2020. The European Data Protection Board (EDPB) released a preliminary report [1] stating that of the 206,326 cases reported under the GDPR across 31 countries in the first nine months of its implementation, the national data protection agencies had only resolved around 50% of them. As shown above, as regulators have worked through this backlog, more fines of greater amounts have been recorded.

A mega breach now costs an average of $42mn [2], according to the Ponemon Institute, an increase of nearly 8% over 2018. For breaches in excess of 50 million records, the cost is estimated to be $388mn (11% higher than in 2018).

According to the EU’s law enforcement agency, Europol, ransomware is the most prominent cyber crime threat. Already high in frequency, incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. “Five years ago, a typical ransomware demand would have been in the tens of thousands of dollars. Now they can be in the millions,” says Stanislawski.

The consequences of an attack can be crippling, especially for organizations that rely on data to provide products and services. Extortion demands are just one part of the picture. Business interruption brings the most severe losses from ransomware attacks, and in some cases ransomware is a smoke screen for the real target, such as the theft of personal data. Industrial and manufacturing firms are increasingly targeted, but losses tend to be highest for law firms, consultants and architects, for which IT systems and data are their lifeblood.

Incidents such as those featuring the Ryuk malware have emerged as a key driver for cyber insurance claims in recent years. Named after a fictional manga character, it was first reported in August 2018 and has been responsible for multiple attacks against large companies, hospitals and local governments globally.


Business email compromise (BEC) – or spoofing – attacks are increasing in frequency. BEC incidents have resulted in worldwide losses of at least $26bn since 2016 according to the FBI in the US.

Such attacks typically involve social engineering and phishing emails to dupe employees or senior management into revealing login credentials or to make fraudulent transactions.


Many large data breaches today spark regulatory actions, but they can also trigger litigation from affected consumers, business partners and investors. When they do, legal expenses can add substantially to the cost.

Data breach litigation in the US is a developing situation. A number of large breaches have triggered class actions by consumers or investors – in July 2019, Equifax reached a $700mn settlement for its 2017 mega breach. US courts have been battling the questions of “legal standing” – whether claimants have the right to sue – but the trend appears to be favoring plaintiffs. Statutory and regulatory changes could also facilitate compensation for data breaches. The California Consumer Privacy Act, for example, provides a mechanism for consumers to sue businesses and – in a first for the US – sets statutory damages for data breaches.

Outside the US, a number of countries have expanded group action litigation rights. For example, in Europe, the GDPR makes it easier for victims of a data or privacy breach to seek legal redress. In addition, claimant law firms and litigation funders are actively looking to bring class actions for data breaches in Europe and elsewhere – a class action against British Airways following its 2018 data breach was recently given the go-ahead in the UK courts. Consumer groups are also looking to test the GDPR and challenge some organizations’ interpretation of the new law.


Cyber exposures have emerged as a hot topic in mergers and acquisitions (M&A) following some large data breaches. For example, the 2018 Marriott breach was traced to an intrusion in 2014 at Starwood, a hotel group it acquired in 2016. Even the best protected companies will be exposed if they acquire a company with weak cyber security or existing vulnerabilities. The acquiring firm could be liable for any damage from incidents which pre-date the merger.

Ultimately, considering potential cyber vulnerabilities and exposures needs to become a higher priority for businesses during M&A, as many companies are not doing enough due diligence in this area. At the same time, once a deal has been completed many companies do not address any weaknesses in acquired systems quickly enough.

The involvement of nation states in cyber-attacks is increasing risk for companies, which are being targeted for intellectual property or by groups intent on causing disruption or physical damage. For example, growing tensions in the Middle East have seen international shipping targeted by spoofing attacks in the Persian Gulf while oil and gas installations have been hit by cyber-attacks and ransomware campaigns.

Sophisticated attack techniques and malware may also be filtering down to cyber criminals, while nation state involvement is providing increased funding to hackers. Even where companies are not directly targeted, state-backed cyber-attacks can cause collateral damage. In 2017 the NotPetya malware attack primarily targeted Ukraine but quickly spread around the world.

“Purchasing cyber insurance should be one of the final points in a company’s plan to enhance its cyber resilience,” says Marek Stanislawski, Deputy Global Head of Cyber at AGCS. “Insurance has a vital role to play in helping companies recover if all other measures are insufficient but it should not replace strategic risk management. Investing in employee awareness, together with updating and continuous monitoring of systems should definitely be at the top of any company’s cyber to-do list.”

Preparation and training are the most effective forms of mitigation and can significantly reduce the likelihood or consequences of a cyber event. Many incidents are the result of human error, which can be mitigated by training, especially in areas like phishing and business email compromise, which are among the most common forms of cyber-attack.

Training could also help mitigate ransomware attacks, although maintaining secure backups can also limit the damage from such incidents. Business resilience and business continuity planning are also key to reducing the impact of a cyber incident, although response plans need to be tested, practiced and regularly reviewed.

[1] European Data Protection Board, First Overview On The Implementation Of The GDPR And The Roles And Means Of The National Supervisory Authorities.
[2] IBM Security, Ponemon, Cost Of A Data Breach Report, 2019.


The Allianz Risk Barometer is our annual report identifying the top corporate risks for the next 12 months and beyond, based on the insight of more than 2,700 risk management experts from over 102 countries and territories.

