Just days ago, news media reported that Lloyd's of London was investigating a possible cyber-attack on its servers. And late last month, Microsoft announced a new Microsoft Exchange vulnerability that could compromise corporate email exchange servers.
These are just a couple of reminders that cyber risk has a growing impact on business and financial risk. Growing cyber risks should drive business leaders of all stripes to seek a better understanding of how cyber risk impacts financial health and capital management.
The stakes are rising. Growing cyber risk is driving changes in reporting requirements. Earlier this year the Cyber Incident Reporting for Critical Infrastructure Act was signed into law. The act requires companies in broadly defined ‘critical infrastructure’ sectors to report notable cyber-attacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 to 72 hours. The act was designed to enhance CISA’s ability to track, analyze, and respond to cyberattacks.
The types of activity that will need to be reported to CISA include unauthorized access to systems; denial of service attacks; attempts to gain unauthorized access to systems; notable email phishing attempts; as well as ransomware attacks. These reporting requirements will take effect once CISA defines and publishes specific rules, which could be as soon as 2023. However, business leaders should begin thinking about the impact and requirements of this new law now, as there is likely to be ambiguity regarding the timing and reporting specifics. While CISA has already published a guide to help companies understand what incidents it should be sharing with the agency, business leaders should be working now to ensure their security programs are well equipped to meet the requirements of the law.
Also, earlier this year, the Better Cybercrime Metrics Act was signed into law. This law is designed to “improve the way the federal government tracks, measures, and analyzes cybercrime.” The law seeks to create a classification system to categorize various cybercrimes, enabling the FBI and security community to obtain a more holistic picture of the cyber threat environment.
Finally, the Securities and Exchange Commission is considering a new rule to require and standardize disclosure of cyber security incidents at public companies. Specifically, the SEC is examining mandatory public disclosure of material cyber security incidents, as well as requiring periodic disclosure of a company’s security policies.
This flurry of regulatory activity may seem sudden, but senior security and financial professionals express that, perhaps, the government is a bit late to the party – playing catch up to the modern digital threats posed by cyber risk.
The fact is, we operate in a digital age, in a time in which people and businesses have become highly reliant on digital networks and assets. But for hundreds of years previous, society – and investors, insurance companies, and credit agencies – based their assessment of value and risk largely around physical assets.
In a mere 20 years’ time, things have changed dramatically. Around the turn of the millennia, in 2000, the largest companies in the world were General Motors, Ford, Boeing, General Electric, Phillip Morris and others selling physical products. In 2022, the biggest companies by market capitalization – Apple, Microsoft, Alphabet (Google), Amazon, and Meta (Facebook) – are largely or completely digital. Today, digital assets or intangibles comprise 90% of the value of S&P 500 companies.
Along with this meteoric rise in the importance and value of digital assets, we have seen a corresponding proliferation of cyber-attacks and risks.
The threat is only growing. The global pandemic rapidly expanded remote work – and the use of personal mobile devices and home networks for professional purposes. This unexpectedly expanded the potential attack surface for cybercriminals, leading to broadened business exposure and risk.
This bears out in the data. The frequency and cost of ransomware attacks are increasing, both in terms of claims and ransomware payouts. In the first half of last year alone, ransomware attacks increased more than 125%.
Increased cyber risk was already changing the way insurers, financial institutions, and credit rating firms evaluated overall business and financial risk. Paired with heightened requirements on incident disclosure, we are sure to see an increasing material impact from cyber events on the financial health and creditworthiness of businesses.
To ensure your business is well-positioned for this increased focus on cyber security, you should understand and assess its insurance coverage regarding cyber risk and ransomware. As this is an evolving sector, you should clarify if your company is clearly and adequately covered. Evaluating and underwriting cyber risk is a significant challenge for insurers. Given the challenges from recent volatility, some insurers are withdrawing from the cyber risk insurance market altogether.
Just a few years ago, cyber risk insurance was a profitable line of business with loss ratios as low as 10-15%. Rising claims have pushed this loss figure up to 50% in 2020 and, evidence suggests, well above that mark last year. There are several business risks that are mitigated only via cyber risk insurance. Without the ability to offset and transfer this risk, a business and its investors, are more highly susceptible to the financial risk and repercussions stemming from a cyber-attack.
Also consider that financial institutions and credit rating agencies may take insurance into account in their assessments of a business, particularly in higher exposure sectors like technology, financial services, retail, and energy/utilities. Even before the new regulations and reporting requirements, some financial institutions and credit rating agencies publicly warned that cyber risk would be a higher area of priority in their analysis going forward.
Evaluation of a particular company’s cyber risk can be difficult to quantify – and financial institutions and credit agencies are employing advanced analytical models to assess the risk. Business leaders need to realize that these firms will increasingly be well-versed in cyber risk and interested in cyber security policies and a company’s cyber risk track record.
Cyber-attacks typically succeed because the targeted business failed in one basic, but specific area of cyber security, and lenders and credit agencies know this. Most commonly, Business Interruption (BI) and recovery costs are responsible for the lion’s share of financial losses, so credit agencies will particularly consider if a businesses’ data is fully backed-up when evaluating them for financial or credit risk. Those companies that give cyber security planning a priority, particularly those with a solid response and recovery plans, can create a material credit positive for themselves.
Evaluation and quantification of cyber risk analytics is a complex and evolving business science. Best-in-class insurance, financial, and credit firms are focusing on building risk models that intake a high volume of data and look beyond historical and static data to include behavioral data. These firms know that knowledge of past attacks is likely insufficient to fully inform of future attacks and outcomes. Therefore, they are developing and implementing programs to build cyber risk predictive capabilities into their evaluations. Your insurers and credit rating agencies may provide deeper insight into their requirements and evaluation processes and criteria.
As we enter a new era of financial and credit evaluation, one that will rely more heavily on cyber risk, your business should understand what components it will be evaluated on in the future. Bringing the financial and IT/cyber security sides of your business together to discuss the implications of cyber strategy on financial and capital management is essential.
Cyber security has an increasingly vital role and impact on the business – and business executives should seek to understand the tightening relationship between cyber risk and financial and credit health.