A Cyber Risk Mentality Shift in the Midst of a Pandemic

This blog series bridges the connection between cybersecurity and insurance, providing an overview of how the two can work together to more effectively reduce risk exposure.

Preparing for low probability yet high impact cyber events might have been controversial before Covid-19. Now, it’s the new normal for risk management. In 2021 professionals are thinking about cybersecurity holistically, understanding the importance of balancing investments in technology with their insurance portfolio.

It’s all about the shift in risk management mentality

There were “risk outliers” in 2020. One such example is the All-England Lawn Tennis Club (organizers of the Wimbledon tournament). After the SARS outbreak of 2003, the organization began paying $2M/year for pandemic insurance. Industry insiders didn’t find this expense prudent given the low probability of the risk being realized relative to the high premium. Pandemic insurance was usually reserved for much larger organizations such as the International Olympic Committee.

Fast forward seventeen years to April 2020.

The world is in various stages of lockdown because of Covid-19. Many sporting events are canceled. Billions of dollars of revenue are lost. Fortunately, the organizers of the Wimbledon tennis tournament are ensured business continuity because of their pandemic insurance policy. They will recoup $140M of the losses they incurred for being forced to cancel the event.

The All-England Lawn Tennis Club’s decision of being prepared for low probability/high impact events has forced a paradigm shift in risk management mentality.

In 2021 cyber risk is the digital equivalent of a pandemic in regard to business resilience

COVID-19’s occurrence on the world and the economy draws parallels to how a low-probability cyber event that can cripple, possibly destroy a company. These types of significant cyber events lead to numerous consequences including disruption of business, loss of revenue, destruction of equipment and in the worst circumstance – the loss of a human life.

Low probability/high impact scenarios inject doubt and uncertainty into cybersecurity effectiveness

Let’s take a look at a cyber risk we recently brainstormed here at Axio. Imagine a cargo ship transporting automobiles across the Atlantic Ocean from Europe to North America. It’s possible for a hacker somewhere far away, perhaps in an office building in the Ukraine, China, or Iran, to modify the course of the ship’s direction via its satellite GPS, cause an accident, explosion, loss of goods, and in the worst case, human life.

In this scenario, defensive technology alone was not able to prevent the attack. We’ve seen situations like this play out in real life, not just as a simulation in a controlled environment. And even worse, the impacts realized were much more than a loss of property and equipment. These scenarios resulted in environmental damage and even liability claims to the directors and officers of the company.

These dangerous outcomes have led to an increase in executive liability. Gartner predicts that by 2024, 75% of CEOs will be held personally liable for cyber-attacks. These CEOs will not only be facing reputational damage but also financial damage. This prediction sets the tone of the importance in cybersecurity.

At the tail end of 2020, the SolarWinds hack victimized many organizations including government agencies, companies, universities and hospitals. This attack left many vulnerable, many not sure how they were specifically impacted. We expect to learn more details as the year progresses, but the current outlook is very grave.

Does your company have the ability to recover?

Cybersecurity is a business decision impacting more than the profit and loss statement. Realized risks can deplete assets, increase liabilities, and devastate shareholder equity. Defensive technology will not prevent cyber-attacks alone. In the unpredictable reality we are living in, cyber-attacks often bypass a strong collection of security controls. The threats of social engineering and malicious insiders are difficult to prevent, just to name a few.

To make matters even more complex, a cyber-attack does not have a defined timeframe of liability. Long after an event transpires, the question of the businesses ability to recover is up in the air. Is there a path to safety or is the enterprise permanently damaged and a sinking ship?  There’s also the associated activity of repentance to calculate and prepare for, as there may be parties claiming loss, some of them immediately apparent.

Axio’s 4 quadrant approach to cyber risk impact

For a comprehensive understanding of cyber risks, Axio takes a 4-quadrant approach. The 4 quadrants include first-party financial, first-party tangible, third-party financial and third-party tangible impacts. These quadrants impact more than just your profit and loss statements. You need to consider all business units that may be impacted as well as all the stakeholders involved. Having the dollar impact of cyber events informs leaders on which business investments and decisions to prioritize. Axio360 arms quantification with transparency so that you can stand behind the decisions you make and provide profound reasoning. From the quantified cyber risk scenarios, you can upload and compare your insurance coverage to see where you are lacking protection. This thorough approach will help protect your organization and stakeholders. Cybersecurity is undoubtedly a business decision and requires a business approach.

In the next series of posts, we will dive deeper into the specifics of insurance and how it relates to managing cyber risks.