2018 predictions: Companies will wake up to the reality of cyber exposure
Written by Jack Lyons, Partner, Cyber, Content & New Technology Risks, JLT Specialty
After a year of high-profile cyber incidents such as WannaCry and NotPetya, attention around these issues is not likely to abate when we look toward the year ahead. On the contrary, one of the trends we are likely to see in the next year is more and more companies and industries waking up to the realisation that cyber exposure and risk is not at all limited to ‘traditional’ data breaches. Given the ubiquitous role of technology, these issues can affect areas such as logistics, manufacturing and industrial controls, with real impact on the physical operations of the business. If the software running a key logistical system, such as an e-commerce website or a store till, is compromised then it can bring an entire business to a halt. The risk of such a halt in production is real, and the effects potentially significant.
In just one example, the partial failure of a router meant that over two thousand Southwest Airlines flights had to be grounded. No virus or hack involved, but rather a simple technological failure that ended up causing the company tens of millions of dollars. As companies rely on technology more and more, this is an area that will see increased risk, as simple logistical failures can mean huge losses. More and more companies will start paying attention to this. We can expect to see attempts to mitigate this risk by fully utilising IT controls, awareness raising and training among staff, and tailored insurance products, or ideally a combination of all three.
The risk management marketplace is evolving to support these realities as well. For example, in cases where a physical object, such as manufacturing equipment, has its software compromised, there is no actual physical damage to the property so may not be covered under a ‘traditional’ property policy. Such policies traditionally relate only to the physical objects themselves, but we can expect to see both an increase in bespoke policies as well as more comprehensive policy terms to cover cyber issues in a more holistic way. Greater volumes of incident data – as well as information on the impact costs of those incidents – will help the market to evolve and mature, as the real meaning of what can constitute a ‘cyber’ breach becomes more widely understood. With the latest estimates from the RAND Corporation indicating that the costs of cyber incidents have reached US$8.5bn a year worldwide, the stakes will continue to be high.