As cyber risk grows, resilience is critical for all
By Evan Fenaroli, Cyber Product Manager, Philadelphia Insurance Companies
The saying, "Time is money," has never been more apt than when applied to cyber events. Increasing interconnectivity is expanding organizations' exposure to direct as well as contingent cyber losses. Cyber incidents that shut down an organization's own operations or disrupt its suppliers' businesses raise an important question: How long can an organization afford to be offline?
For many, the answer is "Not long." Whether a shutdown lasts minutes, hours, or even longer, the expense clock starts ticking from the moment a cyber incident disrupts normal business operations. That reality is a major reason that investments in cybersecurity are skyrocketing. Cybersecurity Ventures predicts that global spending on cybersecurity between 2017 and 2021 will exceed $1 trillion. One of the main drivers is the increasing frequency and severity of ransomware attacks.
Held for ransom
Smaller businesses and nonprofit organizations are especially vulnerable to ransomware, and its effects can be devastating. Restoring compromised systems often entails significant extra expenses and can take weeks. For example:
- Three hospitals in an Alabama healthcare system had a ransomware attack in early October that forced them to turn away noncritical patients for more than a week.
- The city of Riviera Beach, Florida, agreed to pay hackers a ransom worth $600,000 after an attack in late May. It took the city, whose population is less than 35,000, nearly a month to recover its computers and data.
- Also in May, a ransomware attack destroyed data and forced the city of Baltimore, Maryland, to rebuild its entire computer system, at a cost expected to exceed $18 million. Atlanta experienced a similar attack in 2018 that is estimated to cost more than $17 million to resolve.
These and other attacks were directed at the affected entities. But it's not difficult to imagine that such attacks can also have an impact on other businesses that provide services to the municipalities or hospitals. Contingent business interruption is unfortunately a growing area in cyber risk.
The cyber insurance industry has developed effective solutions for data privacy risks and breach response. Similarly, the industry offers a strong portfolio of options for addressing operational risks. But the nature of cyber events is evolving, and the overall industry's pace of innovation is still catching up.
Despite continuing news reports of large data breaches, not every cyber incident involves data exposure. The NetDiligence 2019 Cyber Claims Study found that "recordless" claims accounted for 63% of the claims in its dataset, up from 39% a year earlier. Examples of recordless cyber claims include ransomware, distributed denial of service, and social engineering involving wire transfer fraud. In the NetDiligence study, recordless claims for small and midsize enterprises, or those with $2 billion or less in revenue, ranged from $1,000 to $2.6 million in 2018. Among large companies, such claims ranged from $58,000 to $505,000.
These incidents are especially costly for smaller organizations, which tend to have fewer resources dedicated to cybersecurity. Preventing cyber events is one part of the solution. Equally important is improving resilience and recovery.
Eyes on resilience
The increasing sophistication of cyber criminals means that new types of attacks will emerge. There are already many ransomware variants from different sources, some of which destroy data and hardware, and some that only encrypt data. In either case, an organization's ability to quickly restore its systems and recover from the attack can mean the difference between a temporary inconvenience and a prolonged financial nightmare.
A critical starting point in improving cyber resilience is for organizations to understand how long they can afford to be offline. Most small and medium-size organizations have not spent enough time thinking about this or analyzing the impact of a shutdown at their own operations or elsewhere in their supply chains.
Here is a scenario that illustrates the risk of contingent cyber business interruption, involving a type of small business that is more risk-aware than most: an insurance agency. If the agency's cloud-based agency management system has an outage, whether due to an attack or a non-malicious cause, the effect is the same: the agency cannot operate if it cannot access its customers' data. Philadelphia Insurance Companies' Cyber Security Liability policy is designed for this kind of risk and offers peace of mind.
The solution to managing cyber business interruption risk? Thinking through the exposure, implementing mitigation tools, deploying strategies to improve resilience, and having cyber coverage that can respond to this emerging risk.
To learn more about managing risk and resources to improve cyber resilience, please visit www.phly.com.
Evan Fenaroli is Product Manager of Cyber Security Liability at Philadelphia Insurance Companies.
The information and suggestions presented by Philadelphia Indemnity Insurance Company are for your consideration in your loss prevention efforts. They are not intended to be complete or definitive in identifying all hazards associated with your business, preventing workplace accidents, or complying with any safety-related or other laws or regulations. You are encouraged to alter them to fit the specific hazards of your business and to have your legal counsel review all of your plans and company policies.