Constraints on Financial Impact Modeling

While we hear about the big cyber hacks, like Sony, TJ Maxx, and the massive October 21, 2016, Internet of Things (IoT)-facilitated attack on Dyn, there are many types of cyber risks that could have a materially negative impact on an organization. System failures, employee mistakes, and simple negligence, such as leaving a laptop or thumb drive in a taxi, are some of the noncriminal cyber perils that can lead to material financial economic losses. In fact, the average cost of a cyber breach ranges from $2 million to nearly $8 million, with eight incidents over $75 million and the largest losses over $300 million, according to publicly disclosed documents.⁴ (Note: All dollar values in this chapter are U.S. dollars).

However, large portions of the cyber incident studies include damage estimates of subjective intangible assets that are difficult to quantify and almost impossible to insure. For instance, brand and reputation are often cited as the largest portion of a breach loss, which are speculative and largely uninsurable. Similarly, how can one calculate the value of the trade secrets disclosed as part of the 2016 Mossack Fonseca law firm Panama Papers breach? The same issues arise for loss of confidential information regarding mergers and acquisitions from investment banks or new formulas and technology innovations such as algorithms, design plans, and secret proprietary products. The value of trade secrets, proprietary information, and patent infringement is almost impossible to quantify and is virtually uninsurable.

Modeling the Cost-Benefits of Investments in Insurance versus Cybersecurity

Until we develop quantitative models that equate the actual dollar cost of an incident with the return on investment for total mitigation on a macro-enterprise level, organizations are simply spending money on information technology security to address micro-level issues. Is antivirus software important? Yes, but it is one of literally hundreds of measures and only a small part of cyber exposure issues. Does deployment of enterprise security governance practices moderate the cost of cyber perils? Yes, but what is the marginal incremental benefit of each dollar deployed for cyber risk prevention? Can we measure the total cost of risk value to an organization buying cyber insurance compared to the total cost of risk value of information technology (IT) security in the network layer, versus detection, versus remediation, versus incident response, versus employee training and awareness? Any cyber intelligence system is only as secure as the weakest link in the system, including the people who use it. Cyber insurance underwriters expect such controls to be deployed (along with many others) and that will influence the insurance premium to be paid and scope of coverage obtained.

The CFO should consider modeling their organization’s cyber exposure frequency and severity. Figure 10.2 shows one way to frame example cyber exposures to start the quantification process.

Once completed, the CFO can compare the costs involved and perform a cost-benefit analysis of investing another dollar in IT security versus insurance. According to Aon’s actual cyber loss claims data, measurable and insurable cyber damage losses are approximately as follows⁵:

• 80 percent = Total damages < $1 million
• 15 percent = Total damages between $1 million and $20 million
• 5 percent = Total damages > $20 million (with certain events exceeding $100 million)
• Average = $3.8 million; range between $0 and $300+ million.⁶

Cyber Losses Underinsured Compared to Property Losses

How does this compare to potential losses from other organization perils, such as fires? The probability of any particular building burning down is much less than 1 percent. Yet most organizations spend multiples more in premiums for fire insurance than cyber insurance even though they state in their publicly disclosed documents that a majority of the organization’s value is attributed to intangible assets.

The Ponemon Institute conducted the first global research report⁷ to examine how entities understand and compare tangible property versus intangible information risks. Figures 10.3 through 10.6 are drawn from this report.

Figure 10.3 represents for organizations the relative value of certain tan-gible assets (property, plant and equipment) versus certain intangible assets (primarily information assets), with the implication that tangible assets are barely more valuable than intangible assets.

Figure 10.4 compares the total value of the loss that could result from damage to tangible assets versus the loss that could result from damage to intangible assets. Again, the predicted losses to tangible and intangible assets are relatively close.

Cyber-related threats are considered “intangible perils” to organizations and insurers. Figure 10.5 represents for organizations the relative potential financial statement impact of business interruption caused by tangible perils (i.e., weather, tangible asset damage) versus intangible perils (i.e., malware, hacking, system failure, etc.). These are in estimated dollar terms.

Figure 10.6 represents for organizations the percentage of losses to information assets covered by insurance compared to that for PP&E.

These Ponemon Institute results shown in Figures 10.3 through 10.6 collectively indicate that cyber losses are underinsured compared to property losses. They indicate over four times more insurance cover levels for PP&E over information assets (51 percent over 12 percent). This, despite the value of the assets and largest losses being equal and PPE accounting for only half the comparable business interruption impact ($98 PP&E vs. $207 for information assets).

Such research results also suggest a road map for CFO’s to advise their risk managers. CFO’s should advise how to appropriately allocate insurance spend on an enterprise-wide risk management (ERM) basis by considering a broader approach to their organization’s overall risk profile.⁸ Below are a few tips to consider:

• Information technology assets are 39 percent more exposed than property assets on a relative value to insurance protection basis.
• Proliferation of mobile devices, ransomware, social media, third-party vendors/cloud computing, Big Data analytics, and IoT to send cyber risk skyrocketing over next five years (e.g., projected growth in the use of Internet-connected devices will grow from 10 to 50 billion).⁹
• Thirty-seven percent of companies surveyed experienced a “material or significantly disruptive security exploit or data breach one or more times during the past two years, and the average economic impact of the event was $2.1 million.”¹⁰
• The most frequent type of incident was a cyber attack that caused disruption to business and IT operations (48 percent of respondents) followed by 35 percent of respondents who say it was a system or business process failure that caused disruption to business operations.
• Catastrophic cyber losses can result in potential D&O allegations.
  • Process and documentation of determining cyber exposures and considering alternative solutions (such as cyber insurance) could assist in satisfying D&O fiduciary duties with respect to cyber assets.
• Underwriting and purchasing of cyber insurance process can assist to:
  • Satisfy customer and partner cyber insurance contract requirements (i.e., increase sales).
  • Stabilize balance sheet, including reduce earnings volatility.
  • Address regulatory guidelines.
  • Reduce TCOR.
  • Enable organization-wide cyber risk management culture.
  • Align cyber insurance solution with enterprise-wide risk management.
  • Avoid D&O allegations.

1. Conduct Pre-Breach Education and Planning

It is important to look at pre-breach planning. Proper planning decreases the frequency likelihood and positively impacts an organization’s ability to respond to an incident. A key component of planning is organization-wide education. It is not just about the IT personnel. Education should occur from the board to the basement.

2. Develop an Incident Response Plan and Crisis Management Plan¹¹

An incident response plan escalating to a crisis management plan outlines responsibilities, procedures, and decision trees at a high level if an incident occurs that is then not contained within standard IT incident protocols. It is important to keep such plans fresh, as technology and the cybercrime landscape continue to evolve. The plans should consider issues at an enterprise-wide level, not just IT security.

3. Create a Breach Business Continuity Plan¹²

An organization is advised to take a hard look at its capability to recover from a breach. Organizations have business continuity plans in place to weather physical perils that shut down operations. The same should be in place for cyber incidents that bring operations to a halt. This means augmenting an organization’s business continuity plan to address technology breaches and the responses required to maintain operations.

4. Review or Implement Cyber Insurance

Conduct an assessment of current insurance policies, such as property and general liability, to determine the potential need for additional coverage and an insurance action plan to address same. The assessment of coverage and gaps can encourage an open dialogue about opportunities to shore up systems and procedures. It can also help identify holes in processes and protocols as well as gaps in insurance coverage that potentially could be filled with cyber insurance.

Regulatory Constraints

Organizations should continually review their cyber insurance in light of the growing number of country regulations. For example, the European Union’s General Data Protection Regulation new rules become effective May 25, 2018. Among other provisions, these require a 72-hour notification and contemplate fines for the most serious incidents of up to 4 percent of total worldwide annual turnover. Privacy and security laws are on the horizon in other jurisdictions as well.

Capacity Constraints

Several cyber insurers announced new cyber facilities in 2016 with up to $100 million limits per placement and other new cyber capacity. This has increased the generally available stand-alone cyber limits from traditional insurance carriers from approximately $200 million (pre-2015) to approximately $400 million for most organizations in most industries. Add in the potential reinsurance capacity for some large organizations seeking catastrophic coverage and the total global capacity approaches $500 million to $1 billion in select cyber insurance programs with retentions of $10 million to $200 million-plus.

However, there are cyber capacity gaps and/or lack of insurance carrier competition in a number of areas that are in the process of being considered by the insurance market players. Aon Cyber Enterprise Solution™ policy, launched in the fourth quarter of 2016, is intended to address some of the following challenges:

• Large data aggregators with massive amounts of personally identifiable information, including personal health records, such as retail, health care, financial institutions, and hospitality (e.g., hotels and restaurants).
• Organizations with the potential for bodily injury and/or tangible property damage from purely cyber perils (e.g., manufacturing, power/energy, utilities, transportation, agribusiness, driverless cars, and the IoT-connected devices);
• Unauthorized transfer of funds via some combination of hacks (e.g., malware on a system) and social engineering (e.g., employee is tricked into sending a wire transfer at the request of a fake/imposter CFO or CEO such as the $81 million heist from the Bank of Bangladesh via the Federal Reserve Bank of New York).
• Industries where business interruption is of greater concern than breach of personal information, such as transportation, agribusiness, energy, utilities/power, and manufacturing.¹⁵
• Industries where the value of the lost information is most critical, which is generally excluded from today’s cyber insurance policies, such as investment banks involved in mergers and acquisitions, defense contractors, research labs, and law firms (think Mossack Fonseca breach).

Insurance Placement Constraints

There are over 67 different cyber insurers with over 67 different applications, submission processes, underwriting, policy forms, and claims handling. The key to a successful go-to-market strategy is to tailor what best fits your organization context and to allow time before any potential incident. Figure 10.7 summarizes typical components that make up an optimal cyber insurance program.

Figure 10.8 summarizes minimum timings and insurer steps to place a cyber program. Organizations need to plan around these in order to place an optimal program and tap the global insurance market.