Zurich: Today’s control may not be adequate for tomorrow’s threats

Zurich: Today’s control may not be adequate for tomorrow’s threats

Zurich: Today’s control may not be adequate for tomorrow’s threats Corporate concern about cyber might be waning despite the evolution of cyberattacks to include ransomware and malware.

According to Zurich Insurance’s seventh annual Advisen cyber survey, only 60% of the risk professionals surveyed said executive management view cyber risk as a significant threat to their organization, compared to 85% in 2016.

The survey also found that only 53% of respondents knew of any changes to their companies’ cyber security systems in response to high profile attacks that took place this year, and that growth in the purchase of cyber insurance has supposedly gone stagnant after a steady six-year increase from 35-65%.

Celebrate excellence in insurance. Join us for the Insurance Business Awards in Chicago.

“These are the most startling results in seven years of doing the Advisen cyber survey,” said Erica Davis, head of Specialty E&O for Zurich North America. “The results suggest that some executive leaders and C-Suites might need more education about the business continuity threats and the cyber exposures that their businesses face.

“It could mean that organizations are feeling more confident in their cyber security control. It’s great if these businesses believe they’ve made a good investment and improved their cyber resilience, but I would caution that today’s control may not be adequate for tomorrow’s threats.”

2017 has been a year of several high profile cyber events, including WannaCry, Petya and Equifax. Cyber criminals are targeting consumers’ personal information and are using malware and ransomware attacks to sweep through organizations and shut down network systems.

Business interruption costs are on the rise. Last year the average cost of a cyber-related business interruption loss reached $3.7 million in the healthcare industry alone, according to 2017 Ponemon Institute ‘Cost of a Data Breach Study’.

“The findings may indicate that businesses are not up to speed on the magnitude of impact that business interruption losses are beginning to have on businesses. Some still view business continuity in a less serious light than the more traditional data integrity and privacy driven exposures,” Davis told Insurance Business.

“One of the stats that came out of the survey was that only 10% of those who did purchase cyber had business interruption cover as their primary reason for purchasing. What may happen is that as businesses start to understand the magnitude and impact of a business interruption loss, we may find cyber take-up rates start to increase again, and that business interruption cover will have more sway over those purchases.”

Effective cyber resilience needs to extend beyond the four walls of an organization, according to Davis. Those organizations with robust cyber security controls are paying attention to the cyber controls of the vendors and business partner who have access to their systems.

“A positive development that came out of this year’s survey is that organizations are starting to engage in comprehensive reviews of business partner relationships, including how vendors and business partners approach their own exposures and controls and how the vendors’ supplier approach fits into their overall resilience plan,” Davis added.

“Moving forward, it’s important to educate businesses not just about current losses and threats, but really about what that next wave of threats may be. Brokers have to educate people on how to prepare for emerging risks and how to remain protected and operationally resilient.”


Related stories:
Burns & Wilcox announces new cyber extortion product
Zurich emphasizes importance of environmental sustainability