Businesses could face a much higher bill than they expect or are prepared for after falling victim to a cyberattack, according to research from the specialist insurance market Lloyd’s of London.
In a report entitled ‘Closing the gap – insuring your business against evolving cyber threats’, released in association with KPMG and legal firm DAC Beachcroft, Lloyd’s examines the nature of the current cyber risk landscape as well as the top threats by industry sector.
The report warns that as businesses increasingly become the target of sophisticated hacking attacks, they need to properly prepare themselves or face a hefty bill, including ‘slow burn’ costs such as reputational damage, litigation and loss of competitive edge.
The research identifies ransomware – such as last month’s WannaCry worldwide attack – as a rapidly increasing threat, together with distributed denial-of-service (DDoS) attacks and chief executive (CEO) fraud.
The analysis also highlighted that financial services firms are the most targeted by organised cybercrime, but that retail is also increasingly being targeted.
“The reputational fallout from a cyber breach is what kills modern businesses,” said Inga Beale, CEO of Lloyd’s. “And in a world where the threat from cybercrime is when, not if, the idea of simply hoping it won’t happen to you isn’t tenable.
“To protect themselves businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimise reputational harm and arrange cyber insurance to ensure that the risks are adequately covered.
“By reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimise the immediate costs and their exposure to subsequent slow burn costs.”
Among the report’s main findings:
• Ransomware and distributed DoS attacks are increasingly used against businesses, with healthcare and media and entertainment particularly targeted. For example, Beazley, a Lloyd’s underwriter, has seen a fourfold increase in ransomware attacks on its customers from 2014 to 2016. It predicts the number of attacks will double again this year.
• The financial services sector finds itself at the sharp end of targeted attacks by organised cyber-crime but retail is increasingly being targeted. Criminals are becoming more financially savvy, and have started to target bank systems and financial infrastructure.
• Oil and gas firms can find themselves caught up in national politics and can be the subject of espionage as well as occasional high-end disruptive attacks; they essentially become political cyber footballs.
• The public sector and telecommunications sectors are highly susceptible to espionage-focused cyber-attacks.
• There has been a major growth in targeting companies through CEO fraud, i.e. perpetrators posing as a senior executive to elicit sensitive information. This is resulting in significant financial losses.
Matthew Martindale, director in KPMG’s cyber security practice, added: “Cyber risk has moved up in the business agenda and businesses are taking measures to prepare themselves. However, they are failing to factor in the long-term damage that a breach can cause and the cost implications of it.
“Dealing with things like reputational issues and litigation in the aftermath of a breach can add substantial costs to the overall loss. Businesses really need to start thinking about the cyber risk holistically rather than one that is currently very short sighted.”
Hans Allnutt, Partner, head of cyber & data risk at DAC Beachcroft, added: “Whilst the immediate business impact of a breach could be significant for any organisation, it may only be the tip of the iceberg when it comes to dealing with the legal consequences which may last months or even years.
“Once notified, it is not uncommon for regulatory investigations to take more than a year before they reach a conclusion. Subsequent litigation can take even longer, particularly because the law surrounding data security and privacy is a relatively evolving area. In one UK data protection case, it took three years and a failed appeal before the litigation was finally settled.”
The report’s publication coincides with a further wave of cyberattacks on Tuesday, which began in Russia and Ukraine before spreading to western Europe. Russia’s state-owned oil group Rosneft and Ukrainian bank Oschadbank were among the targets.
Also hit were Danish sea transport company Maersk, British advertising group WPP and the French industrial group Saint-Gobain, which put protection protocols in place to avoid data loss.
IT experts identified the latest virus as ‘Petrwrap’, a modified version of the Petya ransomware used in attacks last year when money was demanded from victims in exchange for the return of their data.