According to Allianz’s Risk Barometer 2017, Cyber Incidents was a top global business risk in the UK and Germany in 2016, while Business Interruption (related to supply chain risk and interdependencies) was the top business risk in the United States and France (with cyber incidents the 2nd top issue in the US and France).
Cyber incidents such as attacks and breaches have grown in frequency. Breaches hit a new record in 2016, soaring to 1,093 and accounting for 37 million records, up from 780 incidents in 2015 per the Insurance Information Institute (III). According to a new report from the Institute, there have been 774 breaches in 2017 so far with 12.4 million records exposed.
Meanwhile, other forms of cyber risk are making their way into the business lexicon. Business email compromise (BEC), also known as phishing and a form of invoice/financial fraud, is an emerging global threat according to data from the FBI. These attacks occur when a fake email is sent from a company CEO’s account, asking a company accountant to transfer funds to a supplier.
According to recent data from the FBI’s Complaint Center IC3, more than 7,000 U.S. companies have been targeted by such attacks, with total dollar losses exceeding $740 million.
Large companies, aware of the risks from their smaller business partners and suppliers, are increasingly asking for compliance, not least because of the infamous Target data breach (systems hacked via an equipment vendor) but also due to increasing legislation. While getting cyber insurance is one form of compliance, having data and systems integrity and strong HR policies governing data management both in and out of the workplace is much more prudent.
While a number of insurers offer cyber insurance policies, a lack of historical actuarial data and the interconnected nature of cyber relationships make it difficult for insurers to assess the likelihood and severity of a cyber incident. Yet insurance is not a catch-all for loss of reputation and business interruption. As large enterprises continue to amass larger volumes of stored data, with fluid movement and attrition of employees and continued reliance on third parties (and subcontractors that are not known), better proactive approaches need to be in place to govern cyber risk.