Insights from a Cyber Risk Specialist

by James Sorenson

From a cyber risk perspective, companies continue to take on more risk each day. At a high level this can be attributed to two forces: companies are striving to become more digital and reliant on technology while simultaneously confronting an increased cyber threat environment. According to Ponemon’s 2017 Ransomware report, 51% of respondents surveyed experienced a ransomware attack, and of those, 49% did not report it, fearing damaging publicity.

Despite the underreporting of attacks, we can glean from numerous sources that the threat environment is increasing. Symantec recently reported that the number of “ransomware families” increased over 200% between 2015 and 2016, indicating that significant attention is being placed on the development of malware. The subsequent increase in the malware supply has ultimately led to lower costs and easier access for cyber criminals entering this space. Another factor at play, and likely a more concerning threat, is an increase in the sophistication of the malware available. Ultimately, this impacts the severity of loss and may easily lead to greater disruption and subsequent financial loss to businesses.


While the average ransom companies paid was relatively low, the reverberations of ransomware had a far greater impact on businesses.

$5 Billion

The amount in damages that Cybersecurity Ventures estimates is the global cost of ransomware

Disruption (lost productivity, diversion of resources, and distraction from business strategy and operations), along with the additional security required to prevent a future attack, comes at a significant cost. Interestingly, another firm, Cyence, estimated the cost of one 2017 attack, “WannaCry”, at $4B globally. Another cost that many businesses incur, even after a successful decryption, is the cost to reproduce lost data. Ponemon’s 2017 Ransomware report found that 48% of respondents affected by ransomware actually paid the ransom, and of those, over 50% stated that a portion of data could not be recovered. Needless to say, the potential severity of loss is substantial and growing as companies realize the effects of downtime throughout their supply chains.

Your network is only as strong as your weakest link.

An important consideration for all companies is the need for a proper vendor risk management program. A common misconception amongst all businesses is that by outsourcing operations you are outsourcing the risk. The reality is that in addition to contemplating your own network security, you also need to understand how your vendors and cloud service providers are protecting themselves. While attempts to contractually transfer liability may be in place, they provide no guarantee that an organization will be immune to adverse financial consequences or liability resulting from an attack on a vendor or cloud service provider. Given the uncertainty, many businesses have turned to insurance in an effort to supplement their overall cyber risk management framework.

Cyber risk transfer products are becoming increasingly important as companies grapple with network security.

Fortunately, insurance products specializing in cyber risk are evolving in stride with the ransomware/malware epidemic. Coverage continues to expand in scope while premiums are becoming more palatable for companies. Two factors are contributing to the improved cyber insurance landscape: first, more companies are purchasing cyber insurance, thus further spreading the risk, and second, more insurance companies are offering coverage, thereby increasing competition. Overall, the current market conditions are favorable for companies looking to transfer cyber risk. However, given the volatility and uncertainty surrounding aggregation of risk, insurance companies’ appetites could change overnight.