Cyber risks are more than an IT problem
Companies that view cyber risks as a purely IT matter are acting negligently. The possible consequences of incidents are often far-reaching and are not covered, or only inadequately covered, by conventional insurance policies.
The Allianz Risk Barometer 2017 ranks cyber risks among the ten biggest risks for companies for the fourth year in a row. Companies of all sizes are facing increasing complexity and speed of change. Unlike traditional risks such as natural disasters or fire, cyber risks do not usually cause physical damage. However, lost or incorrectly transmitted data and downed systems can bring services or production to a standstill and shake the confidence of investors, customers and other stakeholders.
Identify insurance gaps
New threats often lead to gaps in coverage in terms of risk management and insurance. Cyberattacks pose a variety of risks to the confidentiality, availability and integrity of data and systems. Contrary to popular belief, cyber incidents are generally not fully covered by classic insurance policies such as loss of earnings, liability or loss of confidence. So far, cyber risk solutions have been offered mainly by international insurers such as AIG, Allianz, Chubb or Zurich.

It should be noted that the threat of cyber risks goes far beyond hacking, data breaches or data theft. A technical failure of the infrastructure or human error can also lead to serious damage. According to a study by the Institute of Insurance Economics at the University of St. Gallen, insurers' current policies cover the following causes: hacker attack, blackmail, human error and, in some cases, technical error.

The covers usually include directly attributable costs such as forensics (clarification, identification, securing evidence), restoring the website or customer data, as well as the costs of business interruption or legal disputes. Specific examples include ransom payments for ransomware (encryption Trojans), consulting fees for crisis management, costs to inform customers, and expenses to reconstruct lost or damaged data. The amounts covered vary between CHF 5 million and CHF 50 million.
Loss of reputation is not insurable
However, many companies are even more concerned about the consequential costs: the damage to the company's image often causes an economic loss just as great as the interruption of operations or the loss of data. But hardly any insurer covers reputational damage or loss of market value resulting from image damage. Usually only the fees of PR consultants are covered. The main reason for this is that insurers do not cover damage caused by
It is not possible to put a figure on the loss of reputation. "There are too many other uncertain factors at play here," explains Dr. Carin Gantenbein, Head of Professional Liability and Cyber at Zurich Insurance. The ability to estimate a loss has always been a key criterion for insurability. If there is little empirical data on the type, frequency and extent of damage, the uncertainty of diagnosis and prognosis is high. Empirical data on cyber risks is scarce, as many victims are reluctant to provide information about such incidents. Furthermore, cyber risks change rapidly, for example with regard to data protection regulations. Hyperconnectivity is also critical from the point of view of cyber damage modelling: because of global networking, a cyber incident usually affects several companies at once, and if it is discovered too late, the damage potential increases exponentially. In the jargon of insurers, "accumulation losses" loom, which in turn necessitates a premium surcharge. The more uncertain the estimate, the higher the premiums and deductibles and the lower the sums insured. Prevention and precaution are therefore all the more important.
Raise awareness of the problem
Anyone who considers cyber risks to be purely a matter for IT is making a fundamental mistake. The responsibility for this cannot be delegated to experts. Everyone in the company must be aware of the risks. A detailed risk analysis forms the basis for identifying and understanding the most important hazards. Many companies resort to scenario analysis to identify the affected data and systems, possible causes and potential perpetrator groups, and to play out the possible effects. The most fundamental protective measure is professional "IT hygiene", which protects data and systems and quickly detects errors and attacks. The German Federal Office for Information Security (BSI) publishes recognized minimum standards ("BSI standards") that can serve as orientation.
Well-forged e-mails are difficult to detect. This is shown, for example, by the e-mails sent in the name of Ricardo or UBS, with which fraudsters tried to obtain customers' bank details. Targeted attacks on companies often try to gain access via employees. Therefore, the risk awareness of employees is essential and must be promoted by means of training. If, despite precautions, the worst comes to the worst, a crisis and emergency plan should be in place that includes employees, customers and suppliers and thus limits the damage. It is important that a risk management process does not remain a one-off project, but is anchored in the company. This requires regular test runs, workshops and communication, as well as monitoring and updating across departmental boundaries and hierarchies. Strengthening resilience to cyber incidents depends on understanding that cyber risks affect the entire company and are everyone's problem.