Business interruption losses accounted for 60% of cyber insurance claims in the past five years, according to a recent report by Allianz Global Corporate & Specialty SE. According to the report, losses resulting from external incidents, such as DDoS attacks or phishing and malware/ransomware campaigns, account for 85% of the value of claims analyzed.
This comes against a backdrop of a sharp increase over this period in the number of cyber-related claims for Allianz Global Corporate & Specialty SE. Claims numbered just over 400 in 2018 while through 9 months of 2020 claims have already exceed 770.
Of these three issues the report highlights as posing significant challenges (rising cost of interruptions, frequency of attack, regulatory fines), the financial and economic cost of business disruption and the rising frequency of incidents are far and away the most pressing.
As we noted recently, ransomware events can be far more difficult for companies than most realize. And the cost of business interruptions can be verifiably quantified. How? Just like poor cybersecurity, these incidents appear on the corporate balance sheet and are reflected in share prices. Across all 11 industrial sectors, it is true 100% of the time that companies we rate as ’highest risk’ on our Cyberhedge CyFi™ (cyber-financial) metric experience declining financial performance on net and operating Income in subsequent quarters.
Market performance also takes a hit. Among some of the highest profile incidents (see chart) the average shareholder value loss of all of the above companies that experienced ransomware attacks = −24%. Some companies (Finablr) do not recover at all, others have yet to recover (PBI, Norsk Hydro), and others (ISS) are still early in their costly recoveries, months after their breaches.
The coverage gap between what insurance covers and the actual financial damage from an attack will only continue to grow in 2020. Partially to blame for this gap is one key ingredient that is missing in the cyber insurance market—insurance companies’ ability to accurately price cyber risk like they price other insured risks such as property and casualty. Until accurate risk pricing is adopted by the market, the prevalence of the gap will grow for more impacted companies—to the detriment of shareholders.
A mix of policy and market-based solutions are needed. This is why the Cyber Solarium Commission was right to recommend the Federal Government initiate a federally funded research and development center to work with state-level regulators to develop certifications for cybersecurity insurance products. Only a mix of smart policy/regulation and the right market-based incentives will address the flaws in the market and systemic risks that persist.