Cyber security continues to evolve at a rapid pace with new issues surfacing almost daily. Most businesses today use their computer networks for efficient storage and management of highly confidential data including Personal Identifiable Information (PII) of their customers and patients, the details of proprietary business strategies and plans, and email communications. With these network systems, however, come increased cyber security risks that can result in costly data security impacts.
"Cybersecurity incidents have begun to evolve beyond data security and privacy"
In 2015, more than 700 million data records were lost or stolen according to the Gemalto 2015 Breach Level Index; and the Ponemon Institute reported in its 2016 Cost of Data Breach Study, the average consolidated total cost of a data breach in the United States is $4 million.
High profile breaches in recent years—including a major retailer—more than 50 million records compromised; a global financial services firm—nearly 80 million records compromised and a leading hospital system—over four million records compromised—have brought the severity of cyber security risks to the forefront.
The good news is the business community is beginning to take heed. Zurich’s 2016 Advisen cyber survey of U.S. risk managers revealed that 85 percent of C-suite executives view cyber security as a significant threat and awareness has expanded beyond the IT department. C-suite executives are asking how to protect themselves in the event of a data security breach and are adopting mindsets of resilience by putting risk management protections in place to help ensure quick recovery once a security breach occurs. In addition, many are now asking for guidance from their insurance carriers in balancing between risk mitigation and the transfer of risk through the purchase of insurance.
However, the bad news is that cybersecurity incidents have begun to evolve beyond data security and privacy. Currently there are 30 billion interconnected devices worldwide and it is estimated that there will be 50 billion interconnected devices by 2020. These interconnected technologies bring quality of life benefits to all of us and profits to businesses.
With these conveniences, however, come increased cyber security risks that result in costly impacts. With the rapid growth of the Internet of Things (IoT) the potential for many new types of cyber related losses, including property damage, bodily injury and business interruption, are emerging. New technologies and interconnected networks, designed to drive real efficiencies for facility operations, represent potential entry points to facility IT networks. When an unauthorized user is able to send bogus instructions to the device it can cause damage. Larger companies including manufacturers and those in the energy sector increasingly are vulnerable to this type of hacking that can result in equipment shut down, fires, destruction of goods, and even harm to employees and customers.
The threat has already been realized. In late 2014, significant damage was caused to a German steel mill after hackers forced a blast furnace to malfunction. More recently, hackers with ties to Syria infiltrated a water utility’s control system in an undisclosed U.S. location and changed the levels of chemicals used to treat tap water. In December 2015, the first confirmed hack to take down a power grid infiltrated a Western Ukraine power station shutting down electricity to 225,000 customers. Just as alarming, a security demonstration conducted in 2013 used a Jeep Cherokee to illustrate how bad actors can compromise the Wi-Fi features of a moving vehicle to take over the controls including the braking and steering systems.
Businesses tell us that it can be difficult for them to keep track of these new risks let alone the solutions. But they do need to be prepared to understand the full scope of their exposures and how best to protect themselves and their customers.
For its part, the insurance industry should invest resources of time and expertise to make thoughtful decisions on the development of additional risk mitigation and insurance solutions to the most complicated emerging risks and large losses as the needs of its customers evolve.
Insurers should think of cyber as a peril similar to flood, earthquake and fire and undertake comprehensive analysis—industry by industry—to identify new resilience techniques; and to refine its understanding of the exposures, where there is coverage and where there are gaps in coverage for losses resulting from cyber related incidents.
The cyber related challenges we face will not be solved by the insurance industry alone and are already benefiting from public private partnerships with collaboration between the insurance industry, governments, academia and other think tanks around the world to establish standards, encourage information sharing, build resilience and create adequate global governance. Similar to other emerging risks throughout history, risks from new technologies will continue to evolve and create new exposures for businesses. It is up to all of us to stay abreast of emerging exposures and create new solutions to help businesses understand and protect themselves from cyber related risk.