The High Costs of Cyber Attacks



On July 17, 2017, Lloyd’s, the legendary London-based insurance market, released its forecasts of the potential costs of two types of cyber attacks.  The results were headline grabbing:  The July 18, 2017, Financial Times reported that “Lloyd’s warns of $120 billion bill from cyber attack on cloud provider.”  “Extreme assault,” the headline continued, “may outstrip a natural disaster.”

For the past several years, the news media has been full of reports on cyber hacks: the 2013 theft of credit and debit card data from Target, the 2014 release of stolen emails from Sony Corporation, the alleged 2016 cyber-based interference with U.S. elections now being investigated by Congress, and this year’s WannaCry and Petya ransomware attacks, to name only a few. There is no doubt that businesses, nonprofit organizations, and governments benefit from interconnectivity through access to new markets, client support, shared information, and interpersonal communications. There is also no doubt that connectivity brings risks and that all firms need to anticipate those risks and consider how to address them.

When company officials make decisions on where to put resources (which risks to take to build a business and which risks to avoid to sustain a business), they should try to quantify the downside risk as well as the upside potential. Because cyber technologies are rapidly developing and because potential interconnectivity appears to be endless, it’s particularly hard to quantify all likely cyber risk costs. This is where the Lloyd’s study becomes helpful.

Lloyd’s, in conjunction with Cyence, a security and economic data modeling firm, assessed two dramatic scenarios.  For a hack that takes down cloud-service providers and their customers, Lloyd’s forecasts direct losses of $5 billion-$53 billion and possible broad economic losses of $16 billion-$121 billion.  For the inadvertent release of vulnerability factors in widely used software, Lloyd’s forecasts possible direct costs of $10 billion-$29 billion.  Real money, real costs.

The value of this study goes beyond its stated goal of helping insurance risk managers better prepare. It also identifies many risk factors that most companies should consider when developing their own cyber risk plans and deciding on risk mitigation, including insurance, employee training, and technological solutions. Risks include direct losses and, of course, replacement/upgrade costs. Importantly, this study also highlights reputational risks that can damage the ability to retain and develop business.
 
Identifying risks.  Quantifying risks.  Assessing which risks to take and how to avoid other risks.  All great topics worthy of discussion.

If you live or work in the greater New York City metro area, including Westchester County and southern Connecticut, help guide that discussion by answering a very short survey on what risk topics have value to you and your organization here.
 
Watch this space for upcoming articles on current risk management topics as well as important new programs from the Institute for Managing Risk at the Manhattanville School of Business where we help you develop your risk savvy!

Michele Braun
Director, Institute for Managing Risk
Manhattanville School of Business
michele.braun@mville.edu
