Examining cyber-attack costs - what should organisations do?

November 25, 2020

Exploring losses from recent data breach claims, matched to local risk trends, can assist organisations with their cyber security strategy.

Australian and New Zealand businesses are seeing rapid changes across the data privacy and cyber security landscape. New regulatory actions, complex supply chain cyber-attacks, heightened legal obligations, COVID-19 impacts and evolving contractual liabilities have drastically increased the technology risks organisations face.

A critical factor is the increasing frequency of cyber claims being brought against organisations. Just six years ago Willis Towers Watson clients experienced 50 significant notified breaches. By the end of 2019, this figure had increased to over 400, and by late 2020, given the increased claims notifications from our client base, we anticipate incident figures will be even higher.

Figure 1: Cyber claims notifications by year (from 2013 to 2019, cyber claims notifications increased from fewer than 100 to more than 500 per year)

One of the best ways to understand cyber risks is by examining the loss and harm caused to organisations by real, recent data breach claims. When this claims data is matched to local risk trends and developments, it can provide deep insights that help risk managers and stakeholders gain confidence in their cyber security mitigation strategy. To provide you with cutting edge analysis and advice on these issues, Willis Towers Watson’s global 2020 cyber claim analytics report (“the report”) examined over 1,150 global cyber incidents. Using that information, this article examines current trends in the local market regarding cyber breaches, root causes, associated costs, and how insurance can be leveraged to maximise coverage and incident response support.

The cost of cyber claims

Where a client suffers financial harm as a result of a cyber incident, the report found that the average total loss amounts to an estimated A$6.9 million. While enough to cause a scare, average incident loss figures are rarely a useful marker for understanding cyber events, given the wide variance in loss severity across incidents, ranging from a small DDoS attack to a catastrophic cyber extortion incident. Further, the most severe 10% of the reported claims represent 72% of the losses analysed.

Figure 2: Cost of claims

Claim size            Share of claims    Share of total cost
$50m+                 3%                 63%
$2.5m – $5m           6%                 9%
$1m – $2.5m           19%                17%
$250k – $1m           9%                 6%
$50k – $250k          25%                4%
Less than $50k        38% (largest)      1%

Contrasting this, smaller losses (less than A$350,000) were recorded in 60% of all reported incidents. The spread in the data highlights that many of the cyber incidents an organisation is likely to experience will result in only modest losses. Catastrophic and high severity events, however, will result in exponentially worse loss outcomes (as reflected in the top 10% of reported claims). This highlights the critical importance for companies of ensuring their cyber security and resilience strategies address potentially catastrophic cyber exposures as well as more common and minor cyber incidents.

Figure 2 also highlights the need to focus on the individual circumstances of each business when examining quantum risks and assessing cyber insurance limits. Scenario and contextual loss analysis provides far more robust insights for a business and gives greater confidence to stakeholders that cyber risks have been understood and managed appropriately. In our experience, benchmarking and generic assessments using only industry average cost inputs provide very limited value.

We have helped numerous clients concerned with quantum risk obtain a stronger understanding of their cyber-related financial exposures by working with them to analyse hypothetical incidents and how they are likely to impact their IT systems, business objectives, financial drivers and subsequent recovery strategies. Scenario modelling using this approach can provide strong benefits and be completed in a quick and efficient manner.

Human error and supply chain

Our report found the two most common causes of data breaches were errors by employees and supply chain cyber incidents caused by third parties. This is reflected in the advice of local commentators such as the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.

Managing supply chain cyber risk should be a specific area of focus for organisations. Our report identified that 38% of the recorded cyber claims were caused by a supply chain third party. Making up this figure, security breaches at a third party occurred in 24% of claims, third party accidental disclosure occurred in 11% of matters, and IT system failure caused by a third party occurred 3% of the time. Supply chain risks must also be considered holistically, given that the most frequently notified social engineering event is the impersonation of a vendor or supplier.

Willis Towers Watson has helped numerous clients strengthen their approach to supply chain cyber risk management and we have found that many clients can meaningfully reduce exposure by taking steps to improve procurement processes, enhance vendor oversight, strengthen contractual controls, reduce privacy risks and use tailored insurance solutions.

What are the most expensive cyber incidents?

Much of the discussion on cyber security in Australia and New Zealand focuses on privacy notification, and the loss that directly results from unauthorised access and exfiltration of personal and sensitive data. Willis Towers Watson’s experience is that whilst data breaches are significant, they are often not the costliest cyber events.

Our report concluded that the two most expensive incidents companies face are ransomware attacks and business interruption events. Ransomware costs have exploded in the last 24 months, driven by the marked increase in ransom demands being made against organisations and a greater focus by malicious actors on destructive actions which increase the length of outages caused by these attacks. Ransomware attack losses now regularly exceed A$1 million, and our report found that for every day an organisation experiences a ransomware attack it incurs an average loss of around A$930,000.

Organisations must also focus on potential business interruption consequences of cyber incidents. Recent local breaches such as Landmark White and Toll Holdings have highlighted that cyber-attacks can have catastrophic impacts on an organisation’s ability to continue operating and to generate revenue. Reflecting this, the report highlighted that per day, a business interruption claim can cost a company over A$2 million.

In addition to quantification advice, Willis Towers Watson has also helped clients reduce business interruption risks by enhancing their resiliency capabilities. Ultimately one of the best ways to manage business interruption risk is for an organisation to develop frameworks and structures which allow it to recover from cyber events as quickly as possible.

Breaking down business interruption cyber loss

Our report found that the most significant component of business interruption losses is operational costs, which Figure 3 breaks down further.

Figure 3: Operational cost components

Component                   Share of operational costs
Loss of profits/revenue     63% (largest)
Increased cost of working   36%
Replacement equipment       1%

While loss of profit is the largest business interruption element, another significant loss component is the additional resources and costs an organisation will incur to continue operating and reduce the impact of IT system outages. These additional costs may not be captured by some loss calculation methods. We recommend organisations carefully consider how they anticipate responding to a significant cyber event, so that increased costs of working can be included when examining cyber quantum exposures.

The importance of cyber insurance

Our report found that 75% of all recorded direct losses from data breach incidents fell within the coverage provided by dedicated cyber insurance policies. In Australia and New Zealand, our experience is that coverage percentages are even higher for local cyber incidents, particularly where an experienced broker advocate is engaged to manage incident response vendor approvals and navigate coverage determinations.

The makeup of costs covered by cyber insurance is outlined in Figure 4.

Figure 4: Data breach claim funds

Cost category                                   Share of data breach losses claimed
Forensics costs                                 21% (highest)
Defence costs                                   18% (second highest)
Other costs and expenses                        12%
Legal advice (non-defence costs)                8%
Privacy notification costs                      7%
Credit monitoring                               7%
Identity theft protection services/assistance   7%
Fines and penalties                             5%
Cyber security experts                          5%
Crisis management costs                         5%
Call centre costs                               2%
Settlement costs                                2%

The report’s finding that forensics costs amount to 21% of all data breach losses claimed also reflects our own local experience. Across claims in Australia and New Zealand, the fees to retain independent forensic experts to investigate and triage cyber incidents are regularly the largest component of client losses. While globally defence costs are the second most expensive loss category, in the ANZ region the need to incur defence costs has been limited to date. We are noticing marked increases in this area due to more active enforcement by privacy and data security regulators and an increased focus on privacy and data security related litigation.

Benefits of a strategically designed cyber insurance policy

Our report highlights the scope of cyber risk management challenges organisations face and the critical benefit they can obtain from a comprehensive and strategically designed cyber insurance policy. By partnering with an expert, cyber insurance solutions can be engineered to mitigate financial harms, provide access to leading incident response providers, and leverage the insurance market’s deep claims knowledge to strengthen an organisation’s own incident response capabilities.

Perhaps of even greater value, cyber insurance will help organisations manage the cash flow impacts of a major cyber event. As shown in the report’s figures, complex cyber incidents typically create hundreds of thousands of dollars in expenses in the months immediately following an incident primarily due to incident response, notification and stakeholder costs. Business interruption and ransomware attacks can also create catastrophic and immediate loss exposures, which can be covered by cyber insurance.

Insurance is, however, only one part of an effective cyber resilience strategy. Our expectation is that organisations that develop a multi-disciplinary approach across technology, people, processes and awareness will obtain the best risk mitigation outcomes.

If you have any queries on our cyber report, or would like further assistance on insurance coverage or cyber resilience support from Willis Towers Watson, do not hesitate to reach out to us.

Authors

Cyber Specialist Australia and New Zealand - FINEX Australasia

Account Executive, FINEX Australasia
