Cybercrime is one of the fastest evolving risks for businesses, with a report from Cybersecurity Ventures predicting that by 2019 ransomware alone will breach a businesses’ cyber security every 14 seconds.
The 2017 Crime Report by Cybersecurity Ventures also identified the “cybercrime epidemic” as the greatest threat to every company in the world, suggesting it could cost the world $6 trillion annually by 2021.
The Equifax data breach and the WannaCry ransomware attack in 2017 exemplified the magnitude of the impact that cyber attacks can have, in terms of both finance and business interruption.
Not only is the attack surface widening as the number of interconnected devices worldwide increases, with the internet of things predicted by Cisco to reach 50 billion by 2020, but the volume and variety of threats posed by cyber risk is also growing.
Jeff Sharer, senior manager in the insurance and actuarial services practice of Ernst & Young, explains: “Cyber risk is not exposure to one specific risk; instead, it is exposure to a group of risks, which differ in technology, attack vectors, means.”
He says: “As the cyber threat landscape evolves exponentially as firms become digital, the cyber risks that were once considered unlikely are now becoming regular occurrences. Meanwhile, the cyber risks that were once unimaginable must now be viewed as a potential occurrence.”
Companies are beginning to take cyber risk increasingly seriously, but there appears to be a gap between awareness and action.
Aon’s Global Risk Management Survey 2017 found that while cyber risk was perceived by the participating companies as the the fifth top risk (number two for participants with annual turnover of over $1 billion) just 33 percent had purchased cyber insurance.
Anup Seth, managing director of Aon’s Global Risk Consulting practice, says that this is due to a lack of coverage available.
Historically, cyber risk coverage has focused on data loss, however, with the cyber threat landscape changing, the type of coverage required by companies is broadening making it difficult for the commercial market to keep up.
Seth explains: “It’s because the product that was available until the middle of last year wasn’t really covering the exposures that they had. If you look at who was buying cyber it was what we would call the data holders.”
“The product that was available, let’s call it cyber 1.0, was really covering the loss of data. Other companies have other exposures relating to cyber and they felt that that particular product wasn’t addressing their exposures and their needs.”