Ransomware Isn’t Just About Data: The Rising Risk of Cyber Business Interruption
April 20, 2022
As the frequency of ransomware attacks increases, organizations must consider that it’s not just data that hackers are targeting. There is an increasing risk of business interruption (BI). This growing digital peril has presented new challenges to business continuity and security.
“The landscape has changed the cyber risk,” says Bianca McKenzie, head of claims preparation, advocacy and valuations U.K. at Aon. “With ransomware becoming commonplace, we’ve gone from it being oriented around liability to a focus on disruption. That is the cyber criminals’ new goal: to disrupt businesses rather than just to extract data.”
While organizations are used to considering business interruptions related to circumstances like property damage, the threats of cyber BI can have much wider ramifications. For a business with operations in multiple sites — even multiple countries — the BI impact of a ransomware attack can reach beyond a single property and disrupt operations worldwide.
“Before ransomware like that was unfathomable,” says McKenzie. “You couldn’t imagine that operations could be disrupted to an extent that it would financially impact clients at a global level.”
According to Aon’s 2021 Cyber Security Risk Report, ransomware attacks have become more complex and business interruption increasingly likely.
Ransomware attacks exploded in number and frequency during 2020. As the number of attacks grew, so did their cost: the Aon report projected business costs associated with ransomware attacks to total $20 billion in 2021. To mitigate financial loss, organizations should prepare to address cyber BI before a disruption occurs.
Preparing for Cyber BI
For businesses, the task of preparing for cyber BI risk includes several imperatives:
• Improving information technology security to prevent disruptive attacks
• Developing a sound business continuity plan to help respond to and recover from an attack
• Accurately assessing the cyber business interruption risk in order to transfer risk effectively to cyber insurance markets or other
• Developing a plan for accurately documenting BI-related loss and financial impact to efficiently file an accurate claim with cyber insurers
“In principle, it’s really not that different from a property BI claim to a cyber BI claim, except for the fact that with cyber BI you might not know which policy applies, and you want to have the team lined up in advance,” says Jill Dalton, managing director in Aon’s U.S. Property Risk Consulting Group. “Make sure you know who’s going to be doing the cyber preparation. Get that team lined up in advance, because the biggest issue in the cyber claim is tackling it right away.”
Understanding the Risk
To properly address a cyber BI threat — including maximizing the ability to transfer risks — businesses must fully understand their exposures. With insurers demanding more detailed information from prospective cyber insurance buyers, businesses should invest in analyzing their exposures to determine what a probable cyber BI loss might look like.
“Now is the time to really tighten up your understanding of what your cyber BI risk really is,” says McKenzie. “Given the insurance market and the challenges that some are face in terms of actually transferring their cyber risk, it’s important to invest in understanding what a more probable cyber BI loss would look like when it comes to renewing a cyber policy or purchasing a cyber policy for the first time.”
Cyber BI Threats Along the Supply Chain
Businesses also must consider the possibility that their supply chains could also be interrupted by cyber BI.
“It’s a huge issue, because if a supplier has a cyber attack that prevents them from getting you their product, then you’re experiencing a contingent business interruption loss as a result of the cyber event,” says Dalton. “It’s important for companies to do good due diligence in selecting and managing suppliers.”
Businesses exposed to cyber BI risks in their supply chains should also consider using multiple suppliers and develop backup plans to address potential disruptions.
Assessing the Loss
Calculating the losses incurred in a cyber business interruption can be challenging — particularly for a multinational business with operations in different locations possibly facing varied impacts.
“There needs to be an appreciation for that complexity and due care in gathering the supporting data,” says McKenzie. “Quantifying the impact, close management of the claim and working with the insurer and their representatives to recover insured losses is a many-faceted process. It requires expert time and resources.”
The challenge is heightened by the fact that the process of determining the losses takes place while the company is experiencing a cyber BI and is in “crisis mode.”
“Businesses should try to be ahead of the curve and be as prepared as possible before an event,” McKenzie says. “They should understand what sort of information they’ll need to capture and how they’ll collect it.”
The Cyber BI Threat Is Real, Preparation Is Essential
The threat of cyber attacks continues to grow and, with it, the risk of cyber business interruptions. By analyzing exposures, taking steps to address risk and establishing a strategy for assembling a claim quickly and accurately, businesses can better prepare themselves for the threat of cyber BI.