Cybercrime costs the UK an estimated £27 billion a year, according to a recent government report. Globally, experts have predicted financial losses range from $375 billion to $575 billion.
From high-profile hacking scandals, to mass breaches in data privacy, cyber has been dominating headlines around the world and was ranked by Airmic members as the top stay-awake-at-night issue in 2016.
The concerns around cyber are only set to grow with the increasing influence of the Industrial Internet of Things (IIoT) - the network of interconnected physical objects that can collect and exchange data.
Reports have recorded that there are currently 6.1 billion interconnected devices and it is predicted that this number will increase to 50 billion by 2020. The number of interconnected objects provides businesses with an excellent opportunity to increase operational efficiency, but also creates cyber risk exposure.
Cyber risk is continually shifting and developing. In order for companies to mitigate against its risks they need a comprehensive understanding of what is covered in their insurance policy in the event of loss, as well as an appreciation of the steps they can take to minimise the likelihood of loss.
Understanding your insurance policy
Loss due to a data breach can be broken down into two categories: 1) Loss of third party data/ intellectual property; and 2) physical damage to data and resultant property damage.
So what does this mean? Loss of third party data or intellectual property occurs when data has been compromised, copied, stolen or exposed. Significant liabilities and fines can be associated with the theft of data, particularly for organisations that store third party information, for example customers' personal records or credit card details.
Attempted theft of intellectual property is nothing new. Industrial espionage has been around for centuries, although the fully connected cyber environment we now work in represents significant exposure. There are many cyber insurance products on the market today offering variations on this theme and the key for any insurance buyer is to carefully study what is covered and to what limit.
Physical damage constitutes corrupted, altered/distorted, erased or destroyed data. The costs to restore, recreate or re-engineer data, programmes and software can prove to be very costly and time-consuming. In the meantime, an organisation could face significant additional expenses to continue running their operations or revenue losses especially if they transact business electronically.
A cyber-attack could also cause physical damage to property and resultant business interruption. There have been a number of examples in recent years of hackers overcoming industrial control systems and damaging equipment (e.g. over speeding power turbines to destruction). In some cases, this has led to multi-million dollar equipment losses and business interruption.
Challenge your insurer
Some cyber policies provide cover for restoring the damaged data but exclude resultant damage, and the majority of property markets have cyber exclusions. However, there are one or two commercial property markets that consider data to be physical property, thus allowing such cyber losses to be recoverable including resultant damage and business interruption (BI). Again, it's important that insurance buyers check their policies for overlap or data/cyber exclusions including for resultant property damage and BI.
Ultimately, in the event of a data breach, companies want to be safe in the knowledge that their cover is robust enough to respond and ensure they remain resilient in the face of such threats. Organisations should look to challenge its insurance carriers to offer the kind of cyber/data covers they need.
Insurers must help clients alleviate the risks
The importance of tackling the rapidly-emerging threat of cyber is clear. We work with many companies in high risk industries such as pharmaceuticals and power generation, where the consequences of a system failure could result in an emergency or life-threatening situation.
Cyber is a challenge for all in the market, but there are certain steps insurers can take to help their clients. Such steps include treating data as property, broadening cover for denial-of-service attacks, and providing recovery for loss due to interruption of cloud and data services - all steps we have taken at FM Global through a variety of products.
Benedict McKenna - FM Global
For business in 2016, cybersecurity risk is like an iceberg. Hidden in the depths are cyber security perils that could really bring down suppliers, partners, and systems. However, if businesses and their insurers work closely together to combat the risks, they can enhance their reputation - as well as their market share, revenue and shareholder value.
Benedict McKenna is operations vice president and operations claims manager, at FM Global.