Businesses have changed their view of cyber risk over the past few years. The size and frequency of attacks grew markedly. The nature of attacks evolved from theft of personal data to highly disruptive and public incidents causing material and lasting damage. Businesses are operating in a new landscape, and the stakes are continuing to grow.
“Cyber as a threat vector now cuts across all business units within an organization,” said Reid Sawyer, senior vice president of Cyber Analytics at JLT Specialty. “It is having balance sheet impacts and organizational impacts. Cyber today can be an existential threat,” he noted.
“We are at an inflection point, and the new landscape is a call to action for organizations to change their vantage point to view cyber as a strategic risk,” Sawyer said. He added that three developments characterize this new environment:
- Global contagion risk. More than 100 countries were affected by cyber events in recent ransomware attacks, he noted. “The systemic nature of these attacks require that companies adopt a natural catastrophe-like approach to modeling cyber risk,” Sawyer advised. “In the WannaCry and notPetya attacks, businesses didn’t have to be the target to be a victim.”
- Scale of attacks in size and power. The Equifax breach, impacting more than 144 million Americans, is “only the latest example of large-scale attacks that present significant business impacts to shareholder value. Likewise, brute-force distributed denial of service attacks of 650 gigabytes per second to more than 1 terabyte per second have put businesses in a new position of vulnerability,” he said.
- Nation-state activity. “’We’re seeing a movement into unprecedented activity by nation-states, introducing an era where the focus is on destroying or disrupting economy capacity. Simply put, you don’t have to be the target to be a victim of such attacks,” Sawyer cautioned.
Among other cyber events, “Maersk reported a global IT shutdown due to a ransomware attack. The impact on Maersk is estimated at $300 million, an occurrence that could change a company’s entire investment curve for the following year,” Sawyer said. “These are strategic issues that can impact market capitalization and share price.”
Businesses should be thinking about reputational risk from cyber events in three ways, he suggested. “Many organizations stop at the first level of analysis, the B2C (business-to-consumer) implications, which are about how consumers view the event,” Sawyer said. “However, it is the B2B (business-to-business) implications that are undervalued, where a cyber incident impedes contractual fulfillment and creates downstream business impact. The value at risk is greater here than in the B2C space given lost business opportunities. People tend to focus on the B2C implications, missing the B2B ones,” he explained. “The third is investor confidence. A loss of confidence from investors following a cyber incident can deprive organizations of needed capital.”
Shannon Groeber, senior vice president of Cyber/E&O at JLT Specialty, agreed that the consequences of cyber incidents are much more significant in this new landscape. “Executives are losing their jobs after cyber events are publicized – it’s becoming an expectation in the response life cycle post cyber incident. That hadn’t happened as frequently in the early generations of publicized cyber incidents. And the accountability and responsibility is expanding beyond just the CISO (chief information security officer),” she said. “We’ll see more demands for accountability of the the C-suite and the board following cyber incidents.”
Several significant cyber events have become milestones in the risk’s evolution, according to Groeber:
- Target data breach, 2013. More than 40 million customer credit card numbers and 70 million email addresses were exposed in an attack that the retail giant disclosed cost the company more than $200 million. “This was a turning point, and it prompted a visceral reaction from the public. People loved the brand but felt betrayed,” she said.
- Sony Pictures hacking, 2014. The movie studio faced a devastating, sophisticated cyber attack that not only stole confidential corporate data but erased a significant volume of files. Sony’s attackers then leaked the confidential information in batches following the event, keeping the company, and embarrassing revelations, in the public eye. “Most attacks of this nature had previously been kept confidential, because there was no obligation or benefit to reporting publicly. This was an extortion demand to change behavior, with a business interruption network, suspected to be carried out at the direction of a nation state – a trifecta of urban legend in the cyber world. Sony’s breach proved that organizations face cyber risk beyond just the theft of payment card information and that a business interruption event can be debilitating and costly. Previously, there was no reason to publicize these types of events. With an expanding recognition that cyber risk is actually a business risk, we now see cyber incidents disclosed in annual reports,” Groeber said.
A similar attack was the HBO extortion attack, noted Sawyer. “Every company needs to ask themselves how much they would pay if an attacker stole terabytes of their sensitive data and threatened to release it. This new model of extortion attack signals that businesses are operating in a new landscape,” he said.
- Anthem data breach, 2015. This attack on the health care insurer exposed the personal information of nearly 80 million members and employees. “This event connected a number of different organizations and opened people’s eyes to how widespread an event can be when sharing information with vendors and service providers,” Groeber said.
- Bangladesh Bank cyber heist, 2016. An attack on the central bank of Bangladesh via an official’s computer orchestrated the fraudulent transfer of $81 million through the SWIFT system of secure financial messaging services. Most of these funds have not been recovered. “The SWIFT transfer of funds in this event has generated a lot of questions from our insureds regarding coverage for intentionally transmitting funds to an unintentional recipient,” she said.
WHAT DOES THE FUTURE HOLD?
The future does not look encouraging if businesses continue to view cyber risk narrowly or as solely a function of technology. A dynamic and growing threat requires a strategic approach, Sawyer and Groeber advised.
“We’re going to see scaled attacks, where a number of organizations are connected,” said Groeber. “Many people think of the Internet of Things as the future. We are in the Internet of Things now, and we will see vulnerable devices used in larger attacks, with connected devices used as bots to carry out large-scale attacks.”
Attacks that that had been contained are likely to be repeated, but at a much wider scale. “Ransomware attacks have been very damaging. The impact of WannaCry and nonPetya would have been exponentially more damaging if they continued to spread outside of Eastern Europe and the Ukraine,” Groeber asked.
“Cyber is an overwhelming risk. You can’t just scratch the surface and feel confident that you’ve addressed it,” Groeber said. “It can be overwhelming to evaluate cyber risk throughout every facet of the organization if it’s a new way of viewing the risk. Organizations that recognize the advantage of collaborating across functions to agree on a holistic strategy are in the best position to minimize the impact of cyber risk. Cyber risk is a business risk that is only going to intensify. It is not going away.”