As businesses increasingly become the target of sophisticated hacking attacks, Lloyd’s warns them that they need to properly prepare themselves or face a hefty bill, including ‘slow burn’ costs such as reputational damage, litigation and loss of competitive edge.
The research identifies ransomware – such as the WannaCry worldwide ransomware attack last month – as a rapidly increasing threat, together with distributed denial-of-service attacks and CEO fraud.
The analysis also highlighted that financial services firms are the most targeted by organized cyber-crime, but that retail is also increasingly being targeted.
The findings were part of a new report released by Lloyd’s in association with KPMG and legal firm DAC Beachcroft, which looks at the nature of the current cyber risk landscape as well as the top threats by industry sector.
“The reputational fallout from a cyber breach is what kills modern businesses. And in a world where the threat from cyber-crime is when, not if, the idea of simply hoping it won’t happen to you, isn’t tenable,” says Inga Beale, CEO of Lloyd’s.
“To protect themselves businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimize reputational harm and arrange cyber insurance to ensure that the risks are adequately covered.
“By reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimize the immediate costs and their exposure to subsequent slow burn costs.”
Matthew Martindale, Director in KPMG’s cyber security practice, adds: “Cyber risk has moved up in the business agenda and businesses are taking measures to prepare themselves. However, they are failing to factor in the long-term damage that a breach can cause and the cost implications of it.”
Martindale noted that dealing with things like reputational issues and litigation in the aftermath of a breach, can add substantial costs to the overall loss. Businesses really need to start thinking about the cyber risk holistically rather than one that is currently very short sighted.”
Hans Allnutt, Partner, Head of Cyber & Data Risk at DAC Beachcroft, commented that “whilst the immediate business impact of a breach could be significant for any organization, it may only be the tip of the iceberg when it comes to dealing with the legal consequences which may last months or even years.
“Once notified, it is not uncommon for regulatory investigations to take more than a year before they reach a conclusion. Subsequent litigation can take even longer, particularly because the law surrounding data security and privacy is a relatively evolving area. In one UK data protection case, it took three years and a failed appeal before the litigation was finally settled.”
The report’s headline findings are:
- Ransomware and distributed denial-of-service attacks are increasingly used against businesses, with healthcare and media and entertainment particularly targeted. For example, Beazley, a Lloyd’s underwriter, has seen a fourfold increase in ransomware attacks on its customers from 2014 to 2016. It predicts the number of attacks will double again this year.
- The financial services sector finds itself at the sharp end of targeted attacks by organized cyber-crime but retail is increasingly being targeted. Criminals are becoming more financially savvy, and have started to target bank systems and financial infrastructure.
- Oil and gas firms can find themselves caught up in national politics and can be the subject of espionage as well as occasional high-end disruptive attacks; they essentially become political cyber footballs.
- The public sector and telecommunications sectors are highly susceptible to espionage-focused cyber-attacks.
- There has been a major growth in targeting companies through CEO fraud, i.e. perpetrators posing as a senior executive to elicit sensitive information. This is resulting in significant financial losses.