Insurance is only part of a robust cyber loss mitigation and prevention strategy
Senior financial executives at the world’s biggest companies expect their cyber insurance to cover the negative business impacts of a cyber attack. In many instances it will not, and their businesses could face an unexpected and sizeable bill in the wake of a malicious cyber event.
FM Global canvassed opinions from 105 of the most senior financial executives at firms with global revenues in excess of $1bn. The research identified a gap between what they thought their cyber insurance would pay for and what, in the event of a loss, it would typically cover.
For example, 46 percent said damage to brand reputation was likely following a cyber attack, while 40 said they believed it would lead to increased scrutiny from the investment community. Over a third – 38 percent – felt it could lead to a decline in revenue/earnings.
Almost a quarter – 24 percent – thought a cyber attack could result in a reduced market share. Again, 24 percent thought it could have a negative impact on the share price.
The senior financial executives thought their cyber insurance policies would cover these contingent losses, but typically they would not.
Kevin Ingram, executive vice president and chief financial officer at FM Global, explains: “While insurance is an essential part of the risk management formula, there are losses related to a cyber attack that insurance cannot cover – like damage to a company’s reputation, lost market share, missed growth opportunities, decreased valuation, and losses stemming from increased cost of capital.”
Increasing cyber exposure
Understanding and identifying the limits of a cyber insurance programme is a commercial priority given the scale of potentially uninsured losses.
The drive towards Industry 4.0 is also moving commercial cyber exposures beyond data loss, as industrial control systems become more connected and create the potential for additional operational losses.
By understanding the scale and scope of these potential losses, companies can take the action required to manage, mitigate and, in many cases, prevent them from happening in the first place.
A patented approach to risk assessment
To help companies identify their cyber exposures and pinpoint their vulnerabilities, FM Global has developed a patented Cyber Risk Assessment tool for its clients.
The assessment focuses on three areas. First, it examines physical security and the safeguards in place to prevent unauthorised physical access to data, workstations and networks.
Second, it evaluates the effectiveness of existing measures to protect data, software and intellectual property, and a firm’s ability to respond to and recover from a cyber attack.
Third, the assessment investigates industrial control and building automation systems to identify potential exposures to facilities, equipment and operations from a malicious cyber event.
The detailed insight generated from the assessment enables companies to prioritise capital expenditure on risk mitigation measures that will generate the most valuable improvements in organisational resilience.
Looking beyond cyber exposures
Company exposures are not limited to cyber attacks, and many property and liability risks can also drive financial losses not typically covered by insurance policies.
To increase corporate resilience and deliver a better understanding of these vulnerabilities, FM Global has also developed a Total Financial Loss Modelling tool for clients.
To help financial and risk management executives get a tight handle on where these vulnerabilities lie, the tool measures the total impact of potential losses and demonstrates where risk management and mitigation improvements could deliver value.
The valuation-based tool enables companies to understand the total financial impact of a loss, even after insurance recoveries are considered. It also provides return-on-investment calculators to validate the business case for measures that mitigate and often prevent:
- Reputation damage
- Lost market share
- Missed growth opportunities
- Negative investor sentiment
Insurance policies are not a catch-all solution to the exposures borne by businesses. Detailing insured and uninsured losses more accurately enables companies to design insurance and risk management programmes that dovetail more effectively and create a more resilient safeguard against the exposures they face.