Recent reports have found growing awareness and concern for business interruption (BI) related to cyber incidents, an area of continual product development for insurers.
Strikingly, cyber incidents were ranked as the most feared business interruption trigger in the Allianz Risk Barometer Report, more so than fire and explosions, natural catastrophes or the failure of a supplier. According to Allianz, this finding represents a significant shift in the perception of business interruption risk and reflects the escalation in cyber incidents over the past 18 months, which has seen a number of disruptive ransomware attacks and distributed denial of service attacks, such as the one that took down internet infrastructure provider Dyn in October 2016.
Overall, cyber risk climbed to second place in the 2018 Risk Barometer, up one place on 2017, but a big leap from 15th place five years ago. Cyber was ranked as the top concern in 11 countries, including the US, UK and Australia and is considered the top risk in the entertainment, technology and telecoms sectors, as well as in financial and professional services.
Cyber risks, like cyber crime, IT failure and data breaches, are now neck and neck with the top ranked risk in the Barometer, business interruption (ranked highest by 42% or respondents compared with 40% for cyber). Business interruption was considered the largest loss driver followed by a cyber incident, according to the survey.
Traditional causes of business interruption, like fire and explosion, remain relevant, but new triggers created by increased dependency on technology are emerging, yet come with high financial loss, according to Allianz.
In fact, Allianz says that business interruption, cyber and concern for new technologies (ranked seventh) are interlinked. The impact of new technology was one of the fastest rising concerns in the index, and is the second top long-term risk after cyber incidents. Allianz predicts that the vulnerability of machine failure or malicious cyber acts will increase in future, potentially causing significant disruption to critical infrastructure.
A separate report from the World Economic Forum in January, based on its Annual Global Risks Perception Survey, found that cyber threats are also growing in importance. Large-scale cyber attacks are now ranked the third most critical risk in terms of likelihood, and rising cyber-dependency ranked the second most significant driver shaping the global risk landscape during the next decade.
According to Allianz, cyber business interruption incidents are already increasing, resulting from hacker attacks, such as ransomware incidents, but more frequently from technical failures and employee error. The insurer also found that business interruption is perceived as the main cause of economic loss after a cyber attack, way ahead of reputational damage and third party liability.
Business interruption can arise from a wide range of cyber incidents, including those with and without property damage. One area that is of particular concern and that could give rise to very large losses is business interruption related to an outage of internet infrastructure, such as a cloud service provider.
Allianz also draws attention to the increasing risk of a "cyber hurricane" event, where hackers are able to disrupt large numbers of companies through common internet infrastructure dependencies.
Companies and other large organisations have been shifting away from traditional in house IT (with computers and servers on their own premises) in favour of cloud computing, where computing resources are accessed over the internet. According to McKinsey & Company, 77% of companies relied on traditional IT, a figure that is expected to drop to 43% this year.
However, cloud services do suffer periodic outages. In February 2017, an Amazon cloud storage service suffered an outage for four hours, impacting a number of internet services, websites and other businesses. The outage, reportedly caused by human error, is estimated to have cost those companies dependant on Amazon's services approximately USD 150 million, according to Cyence Risk Analytics.
A cloud downtime event could occur as a result of natural causes as well as human error or malicious intent. Notable past outages have been caused by power failures, software bugs, faulty upgrades and lightning strikes.
Recent analysis from Lloyd's estimated that the failure of a top three cloud service provider could affect as many as 12.4 million US businesses, at a cost of USD 15 billion in business interruption. Currently, only around USD 2 billion of the loss is thought to be covered by insurance.
Such a loss will significantly impact the manufacturing and retail trade industry, due to their heavy reliance on cloud services. Lloyd's calculated that Fortune 1000 companies would carry almost half of the insured losses.
Lloyd's concludes that cyber events have the potential to cause catastrophic losses, impacting multiple policyholders at the same time. Incidents with widespread impact like the Dyn attack and last year's WannaCry ransomware attack will become more frequent, it predicts.
Such recent incidents only increase insurers concerns for the potential for extreme accumulated losses from a cyber event, be it from an attack on a cloud provider, a power grid attack or a massive data theft aggregation event. Lloyd's argues in its report that insurers need to adopt more detailed accumulation methods. This will become even more important with the growth of the cyber market, and in particular the development of cyber business interruption cover, Lloyd's says.
Business interruption cover in the cyber insurance market has evolved significantly in recent years. There is now a greater choice of insurers offering cyber business interruption capacity and most buyers are now able to secure broad cover with adequate limits.
It is now possible to arrange cyber insurance for a wide range of business interruption cyber loss scenarios, including those caused by malicious cyber attacks, system outages and supply chain disruption.
However, the business interruption cover on offer in the market varies considerably between insurers. For example, systems failure business interruption is not a clearly defined term in the market and cover differs greatly by insurer, with some policies offering much broader cover than others.
In order to secure broad cyber business interruption cover, organisations need to identify and understand their high impact cyber business interruption scenarios. This will become easier with the development of tools that allow organisations to better map dependencies and measure cyber resilience of supply chains.
Buyers that are best able to illustrate technology, data and supply chain dependencies will find they are able to get the broadest cover.
Sarah Stephens - head of cyber, content, and new technology risks team, JLT