The bigger you are, the harder you fall. For a Fortune 500 company, the ripple effects from a cyberattack can be far-reaching and result in big losses at the time of the breach as well as later down the line.
“Just the stature and the name brand of these organizations means that from a compliance and statutory basis, there’s heightened cyber risks for organizations of that size. From a reputational risk perspective, those are the names that if somebody is going to have a cyber incident or cyber breach, you’d probably most likely hear about it,” said Dale Chow, senior vice president of professional lines for Allied World Bermuda.
Over the last two decades, as the cyber risk and insurance field has developed, a new area of exposure has opened up for the Amazons and Googles of the world.
“You’ve seen a real evolution from what was traditionally third party liability-type exposure and coverage to more of a first party notification cost and forensics to increasingly what is a business interruption exposure,” said Chow. “That is again another area where I think Fortune 500 companies, probably even more so than smaller entities, have a risk because of the amount of automation they have under the manufacturing or the digitization of [their] product or service.”
The range of losses stemming from business interruption ranges wildly, and because it’s a new enough threat, numbers have to be looked at on a case-by-case basis. The NotPetya virus, for instance, led to significant revenue losses for giants like Merck and FedEx.
“There is an appreciation that those numbers on a Fortune 500 level can be tens, hundreds of millions of dollars on a business interruption basis,” explained Chow.
Today, cyber risk is top of mind for many risk managers at F500s, resulting in resources being funnelled into people, hardware, software, and outside vendors to assist in putting protective measures and risk management strategies in place.
“These are very complex, sophisticated companies which have decades-long experience in dealing with risk mitigation and risk management,” said Chow. “One of the things that’s really changed the landscape over the last number of years is the appreciation that the cyber threat is probably number one or at least very high in the threat matrix for any organization.”
As this threat vector develops and rapid advancements in technology continue, it’s next-to-impossible for any one organization to be 100% protected, but, according to Chow, risk managers have made tremendous strides in ensuring cyber is on their list of priorities.
“We meet with dozens of our insureds on an annual basis, and the one, almost universal, message I would get from them is that when it comes to cyber security, and just cyber in general, that is an area that the board is highly interested in and probably asking about at least on a quarterly basis at board meetings, if not more regularly if they want updates between meetings,” said Chow. “Even in an environment where everyone is looking for cost controls and trying to keep spending to a minimum, it’s probably one area you almost have a blank cheque because of the potential for reputational damage, business interruption damage, fines, and penalties.”
One place where Chow foresees further evolution in managing cyber risk is intellectual property – namely, how it’s valued and how to demonstrate that intellectual property was obtained via illegal means in the first place versus being developed organically.
“For the larger organizations, generally, intellectual property is more important than it is for some smaller corporations,” he told Corporate Risk & Insurance. “From a target perspective, that intellectual property can be highly desirable for nation-state actors and more sophisticated cyber criminals.”