Ransomware isn't just about data: The rising risk of cyber business interruption
Johannesburg - As the frequency of ransomware attacks increases, organisations must consider that it's not just data that hackers are targeting. There is an increasing risk of business interruption (BI). This growing digital peril has presented new challenges to business continuity and security.
"The landscape has changed the cyber risk," says Bianca McKenzie, head of claims preparation, advocacy and valuations U.K. at Aon. "With ransomware becoming commonplace, we've gone from it being oriented around liability to a focus on disruption. That is the cyber criminals' new goal: to disrupt businesses rather than just to extract data."
While organisations are used to considering business interruptions related to circumstances like property damage, the threats of cyber–BI can have much wider ramifications. For a business with operations in multiple sites — even multiple countries — the BI impact of a ransomware attack can reach beyond a single property and disrupt operations worldwide.
"Before ransomware like that was unfathomable," says McKenzie. "You couldn't imagine that operations could be disrupted to an extent that it would financially impact clients at a global level."
According to Aon's 2021 Cyber Security Risk Report, ransomware attacks have become more complex and business interruption increasingly likely.
Ransomware attacks exploded in number and frequency during 2020. As the number of attacks grew, so did their cost: the Aon report projected business costs associated with ransomware attacks to total $20 billion in 2021. To mitigate financial loss, organisations should prepare to address cyber-BI before a disruption occurs.
Preparing for Cyber-BI
For businesses, the task of preparing for cyber-BI risk includes several imperatives:
- Improving information technology security to prevent disruptive attacks
• Developing a sound business continuity plan to help respond to and recover from an attack
• Accurately assessing the cyber business interruption risk to transfer risk effectively to cyber insurance markets or other
• Developing a plan for accurately documenting BI-related loss and financial impact to efficiently file an accurate claim with cyber insurers
"In principle, it's really not that different from a property BI claim to a cyber-BI claim, except for the fact that with cyber-BI you might not know which policy applies, and you want to have the team lined up in advance," says Jill Dalton, managing director in Aon's U.S. Property Risk Consulting Group. "Make sure you know who's going to be doing the cyber preparation. Get that team lined up in advance, because the biggest issue in the cyber claim is tackling it right away."
Understanding the Risk
To properly address a cyber-BI threat — including maximising the ability to transfer risks — businesses must fully understand their exposures. With insurers demanding more detailed information from prospective cyber insurance buyers, businesses should invest in analysing their exposures to determine what a probable cyber-BI loss might look like.
"Now is the time to really tighten up your understanding of what your cyber-BI risk really is," says McKenzie. "Given the insurance market and the challenges that some are face in terms of actually transferring their cyber risk, it's important to invest in understanding what a more probable cyber-BI loss would look like when it comes to renewing a cyber policy or purchasing a cyber policy for the first time."
Cyber-BI Threats Along the Supply Chain
Businesses also must consider the possibility that their supply chains could also be interrupted by cyber-BI.
"It's a huge issue, because if a supplier has a cyber-attack that prevents them from getting you their product, then you're experiencing a contingent business interruption loss as a result of the cyber event," says Dalton. "It's important for companies to do good due diligence in selecting and managing suppliers."
Businesses exposed to cyber-BI risks in their supply chains should also consider using multiple suppliers and develop backup plans to address potential disruptions.
Assessing the Loss
Calculating the losses incurred in a cyber business interruption can be challenging — particularly for a multinational business with operations in different locations possibly facing varied impacts.
"There needs to be an appreciation for that complexity and due care in gathering the supporting data," says McKenzie. "Quantifying the impact, close management of the claim and working with the insurer and their representatives to recover insured losses is a many-faceted process. It requires expert time and resources."
The challenge is heightened by the fact that the process of determining the losses takes place while the company is experiencing a cyber–BI and is in "crisis mode."
"Businesses should try to be ahead of the curve and be as prepared as possible before an event," McKenzie says. "They should understand what sort of information they'll need to capture and how they'll collect it."
The Cyber-BI Threat Is Real, Preparation Is Essential
According to Cyber Solutions Client Manager at Aon South Africa, Zamani Ngidi, managing cyber risk within the realms of South Africa's legislative framework proves to be a challenge for many organisations. "Business is faced with requirements to comply with various policies which speak to I.T. governance, cybercrime and data privacy, while data on the business impact of the risk in the local context is not readily available," says Zamani.
"While spend on cybersecurity increases yearly, the return on investment only really comes to the fore when a cyber event occurs that has the potential for major business disruptions. Decodifying the risk as it pertains to each individual business is a complex journey for which Aon has developed a number of solutions to meet this evolving client need, such as the Cyber Impact Analysis, Cyber Threat Simulation/Tabletop and BCM for Cyber Risk. Many of these tools are able to assist South African companies that may not have the requisite internal resources and data to conduct such exercises with any reasonable amount of certainty," Zamani explains.
The threat of cyber-attacks continues to grow and, with it, the risk of cyber business interruptions. By analysing exposures, taking steps to address risk and establishing a strategy for assembling a claim quickly and accurately, businesses can better prepare themselves for the threat of cyber business interruption.