Cyberattacks backed by hostile governments are increasingly a reality; companies should adopt strategies to strengthen cyber resilience.
Marsh’s 2018 Terrorism Risk Insurance Report, produced with support from Guy Carpenter, suggests that companies should implement strategies for scenario-based testing, quantifying the potential financial impact of an attack and reviewing options for transferring the financial risk from cyberattacks via insurance.
Traditionally cyberattacks were carried out by criminals and the damage they caused rarely registered as a major setback. However, in 2017, WannaCry and NotPetya incidents affected organizations in more than 150 countries and caused business interruptions and other losses worth over USD 300 million. In addition, the two incidents caused several companies reputational damage and loss of consumer data. The U.S. government attributed the WannaCry attack to hackers backed by North Korea.
Cyber insurance policies are included under the Terrorism Risk Insurance Program Reauthorization Act of 2015 (TRIPRA), as directed by the U.S. government in 2016, which provides a critical federal backstop for covered cyber-terrorism losses.
Insurance markets continue to respond to the more threatening nature of cyberattacks with insurance policy wording that offers broader coverage. Insurers and buyers are increasingly recognizing the growing vulnerability of technology systems. Many cyber policies now contain business interruption and contingent business interruption provisions. In 2017, 70 percent of U.S. cyber insurance buyers included business interruption in their cyber policies, Marsh data shows.