MetricStream’s Piyush Pant looks at the complexities of measuring cyber risk and the shortcomings of cyber insurance.
Business risks encompass any factors that can have a negative impact on a company’s performance, operations, revenue and growth. The Brexit vote provides a timely reminder of the impact of these risks and why they must be managed. Many, including the UK Government, were surprised by the leave vote and hadn’t adequately planned for it, creating mass uncertainty across the globe. Multinational corporations remain unsure whether they will relocate staff to other countries in order to ensure access to the single market, for instance, and that hesitation continues to impact the UK’s and global economies.
The Brexit vote is a seismic, once-in-a-generation event, but far more common risks can be just as devastating to the companies involved. Indeed, in 2016 there is one type of risk that weighs heavily on every business leader in the world, against which traditional forms of business insurance seem to be no match – cyber risk.
Despite the growing frequency of cyberattacks and data breaches, there is a lack of familiarity surrounding cyber risk. It’s still a relatively new threat and, while businesses and decision makers may have a theoretical sense of the potential effects, most are yet to experience it first-hand – at least not to the same degree as Target, Sony and TalkTalk et al – all of which are now synonymous with data breaches.
It’s a challenge that becomes even more complex when the multi-dimensional nature of cyberattacks is considered. The risk can’t just be analysed from one perspective. A cyber threat can involve infrastructure, data, processes and other combinations and be manifested as theft, corruption or manipulation of capabilities simultaneously. Therefore, cyber risk doesn’t just threaten one business function, but all of them at the same time. Furthermore, as the sophistication of cyberattacks continues to increase, detection and education are still very much reactive processes.
To counteract the uncertainty, many have turned to cyber insurance. It’s an industry that’s growing quickly, with global investment reaching £4.8 billion by 2020, according to PwC, fuelled by the headline-grabbing cyberattacks on high-profile companies like those mentioned above. However, when compared with other insurance markets, the overall cyber insurance offering is still remarkably undeveloped.
With a lack of consistent historic data points required to establish a familiarity with the potential fallout from a cyberattack or breach, insurers mitigate the risk to themselves through their pricing. This results in wildly fluctuating prices and, for many businesses, means that shelling out for cover doesn’t always make economic sense. It’s for the same reason that most don’t purchase catastrophe insurance for rare events.
Therefore, cyber insurance should never be relied upon as the primary responsive cyber risk measure; it must only ever be part of a more holistic strategy. This is made up of preventative measures – which lower the risk of hackers getting in and causing too much damage in the first place – and also a comprehensive crisis management strategy that prioritises business continuity and managing reputational risk. With a detailed plan of action, firms avoid acting like headless chickens in the immediate aftermath of an event and can take steps to protect the vital functions that would otherwise take the most damage.
Business continuity refers to a company’s ability to keep delivering goods and services following a disruptive event. This involves determining what is absolutely essential for the company to keep functioning. Everything from employees and materials to machinery and processes must be evaluated, so a firm knows exactly how much it can ‘strip back’ to save costs in the worst-case scenario.
A company’s reputation is an intangible asset that helps it to attract customers. Each business decision and action will have an impact on stakeholder perception. After a cyberattack, the company must be seen to be taking relevant action to rectify any damage caused. If a company doesn’t have a plan in place, then a post-cyberattack insurance pay-out wouldn’t necessarily help it anyway.
For example, following its data breach in 2013, Target did not communicate the situation to affected customers, an omission that vilified the company further. Insurance cover may have helped with the numerous settlements and other remedial costs, but it didn’t stop the brand from being viewed so negatively by the media. Alongside the inevitable impact on sales, there were employee casualties too, as Gregg Steinhafel resigned as CEO.
Ultimately, companies cannot simply purchase cyber insurance cover and believe that they have a cyber risk ‘get out of jail free’ card. The market and the industry are still undeveloped, and insurance can’t always mitigate risks to business continuity and reputation, the two functions that keep an organisation operating successfully. Companies with a comprehensive crisis management strategy can respond immediately should a cyberattack or data breach happen, lowering the risk of it causing irreparable damage.
Piyush Pant is Vice President of Strategic Markets at MetricStream