Uncover the Hidden Costs of Your Next Cyberattack

by Kevin Ingram

Although financial executives have generally gotten the message about cyber risk, that doesn’t mean they understand all of its dimensions; nor are they necessarily prepared.

©ohishiistk/iStock/Getty Images Plus

As senior financial executives, we’re called upon to gauge the risk of myriad hazards, and perhaps no hazard is more ominous today than a cyberattack. New research suggests many financial executives grossly underestimate the cost of a successful cyberattack on their businesses, especially the uninsured losses.

First, some context: Cybercrime will cost the world a projected $6 trillion annually by 2021, up from $3 trillion in 2015, according to Cybersecurity Ventures. The WannaCry ransomware attack alone cost the world an estimated $4 billion in 2017, according to Reinsurance News. Cybersecurity Ventures predicts there will be a ransomware attack on businesses every 14 seconds by the end of 2019. 

Although financial executives have generally gotten the message about cyber risk, that doesn’t mean they understand all of its dimensions; nor are they necessarily prepared.

My company recently surveyed CFOs and other senior financial executives at some of the world’s largest companies to understand their perspectives on cyber risk. Ninety-six percent of respondents call cyber risks a moderate to major concern. Most also believe cybersecurity insurance is good idea with 71 percent of respondents reporting they have such coverage already.

Two types of cyber coverage for business 

Fifty-eight percent of the financial leaders in our survey said they had both first- and third-party coverage.

First-party cyber insurance covers losses of the policyholder’s property and interruption of the policyholder’s business. Data may be considered property, and covered losses can include the cost to restore lost, stolen or contaminated data, and to offset financial losses due to an outage. The outage could occur at your premises or result from an attacked service that your company relies on, such as cloud storage or payment processing.

Third-party insurance covers the threats that most often grab the headlines: your liability to individuals and companies who are affected by a cyber event that targeted you. The classic example is a breach of financial, personal or health information. Customer notification, compensation and litigation and costs could be covered by third-party insurance.

Twenty-two percent of our survey respondents had no cyber insurance coverage at all. Another 8 percent didn’t know whether they had coverage.

Here’s where things got even murkier.

Most cyber-related financial losses can’t be insured

We showed the financial executives a list of potential losses stemming from a cyberattack, asking, “If your organization experienced a substantial cyber security event, what would you expect to be the likely impact(s)? (Please choose all that apply.)”

Here are the answers:

  1. Degradation of their company’s brand/reputation (46% of respondents said this was a likely effect of a cybersecurity event)
  2. Increased scrutiny from the investment community (40%)
  3. Decline in revenue/earnings (38%)
  4. Introduction of regulatory compliance problems (35%)
  5. Decline in market share (24%)
  6. Decline in share price (24%)
  7. New costs to mitigate the loss (53%)

Do you notice anything about this list?

The first six of the seven described losses aren’t covered by insurance. Decline in revenue/earnings may be covered for a period of time, but only until the company is back in business. Revenue losses would not be covered in perpetuity despite the likelihood that a business disruption could easily depress revenue for an extended period of time.

The seventh item, new costs to mitigate the loss, might include expenses covered by a good insurance policy (e.g., data restoration). On the other hand, if mitigating the loss requires a multimillion-dollar advertising campaign to rehabilitate the brand, or a bigger sales team to rebuild your business, that’s not going to be covered by insurance.

A false sense of security

Despite the fact that the majority of these losses are not covered by insurance, respondents made a befuddling claim in the survey: seven in 10 believed their insurer would cover most or all of the losses they would incur in a cyberattack (forty-five percent said they expected their insurer will cover most related losses from a cybersecurity event, and 26 percent said all). I suspect that this response may be because they understandably haven’t read their insurance policy recently, or they haven’t fully contemplated their likely loss experience.

Moreover, half the respondents predicted it would take months, quarters or years to recover financially from a cyberattack, which may push the limits of many insurance policies. In both cases (the range of losses that would be covered in a cyberattack and the length of time for which they’d be covered), expectations are inflated. As you can see, financial executives may be underestimating the impact of a cyberattack and possess a false sense of confidence when it comes to cybersecurity insurance.

How big could uninsured losses get? 

Uninsured losses can be categorized as:

  • Customer Loss: An embarrassing cyberattack and protracted business disruption could prompt customers to turn to other vendors, sometimes permanently, constituting lost revenue in perpetuity.
  • Lost growth: A major disruption could halt your company’s growth at least over the short-to-medium term, and that lost growth is value you may never get back. Even if the company were to rebound to its prior growth rate, it will may miss forever the lost growth and compounding effect.
  • Lost investor confidence: A major disruption is suggestive of pervasive elevated risk, and that may rattle investors, thereby driving up the cost of capital. Bad news around missed growth targets can drive down a company’s stock prices.

The total losses are likely to be big.

Of course, insurance is necessary for a 21st-century company, but it’s not sufficient to make a company whole. Insured losses could be significant in a cyberattack, but the uninsured losses may outstrip them.

So do what you can to protect against cyberattacks’ far-reaching implications. Start – but don’t stop – with insurance because most cyber-related losses are preventable.

Kevin Ingram is executive vice president and chief financial officer of FM Global.