In speaking with clients or other organizations, I’m often astounded by the response I receive when I ask about cyber-attacks. Too often, the risk professional or executive I’m speaking with says something like this – “Oh, we have insurance coverage for that…”
This is cringe-worthy, like fingernails on a chalkboard cringe-worthy to me.
A recent report about a 2017 cyber-attack affecting the pharmaceutical giant Merck provides a great example of why this thinking can be dangerous. Although Merck had $1.75 billion in coverage for catastrophic risks around computer data, coding, and software, its claim was denied because their policies exclude terrorism and “acts of war.”
Since it’s believed the 2017 attack was the work of Russian intelligence services, the insurers maintain they are not obligated to cover Merck’s costs.
As a result, Merck is suing its insurance carriers. The case is significant because there is no clear definition in U.S. law as to what an “act of war” is in the context of cyber.
The targets of the attack dubbed “NotPetya” were in Ukraine, a neighboring country that has been in heightened conflict with Russia since the Maidan Revolution in 2014. However, the malware ended up affecting Merck’s servers in the country and spread to its computers and servers throughout the world.
The NotPetya attack ended up affecting hundreds of other companies as well, including FedEx and Maersk, the global shipping giant.
Regardless of whether Merck succeeds in its legal challenge, the cost of this cyber-attack will well exceed the $1.3 billion in direct costs.
In regards to cyber-attacks and data breaches, the first mistake many organizations make is to only consider the direct costs of events like this.
The fact is there are many other “costs” or risks that must be considered.
The last few years have seen a dramatic increase in the frequency and impact of cyber-attacks. Released this past summer, the Cost of Data Breach Report from IBM Security and the Ponemon Institute pegs the average cost of an attack at $3.9 million, an increase of 12% over the last five years.
This amount though doesn’t really account for business disruption, customer impacts, and other issues that can play out for years. The out-of-pocket expense may be relatively low for some, but the impact of a cyber-attack or data breach on achieving business objectives can be significant.
In the case of Merck, the impacts of the NotPetya attack were significant to say the least.
Over 30,000 computers and 7,500 servers in sales, manufacturing, and research units were affected. For at least two weeks, employees who couldn’t access their computers sat idle. Effects on production through the remainder of 2017 forced Merck to borrow the entire emergency supply of its human papillomavirus (HPV) vaccine from the U.S. Centers for Disease Control (CDC).
One researcher claims that over 15 years of work was lost in the attack – can you imagine!?!
Do you think that 15 years of research and development work is going to be recovered quickly or completely? In other words, is data loss really insurable? No!
Of course, This doesn’t get into any impacts on intangible assets like reputation, intellectual property, trademarks, and more. Considering that these intangibles comprise an ever-increasing share of a company’s overall value, it’s not hard to see how one event can set a company back years, perhaps even destroy it altogether.
Instead of only factoring direct costs, organizations must consider how cyber-attacks, data breaches, and other technology risks impact business objectives.
This story is a great real-world example of the difference between traditional and enterprise risk management. Focusing on technology as a stand-alone, insurable risk, is an undoubtedly a traditional approach to this issue.
But in order to better understand these risks and any opportunities requires taking a holistic, enterprise-view.
In his newest book Making Sense of Technology Risk, Norman Marks explains how there are different frameworks and guides for helping organizations identify, assess, and manage these type of risks. While these standards have been useful, none of them help organizations understand how technology risks fit into the bigger picture of the enterprise around risks and opportunities, positive and negative consequences, nor do they help the organization make informed business decisions.
For example, an information security breach may not have a direct impact on earnings, but it could cause delays in processing sales orders, lost revenue, and upset customers who may take their business elsewhere.
Although cyber-attacks are on the rise, does this represent the biggest risk to achieving objectives? Should executives invest funds to protect against these threats versus committing resources toward new and disruptive technology, product development, manufacturing capability, and other opportunities?
As Norman explains:
Choices have to be made. No organization (even Apple) has unlimited resources. Its leaders need to be able to understand technology-related risks within the context of running the business and achieving its objectives.
With the world becoming more interconnected with each passing day, it’s incumbent upon organizations to not just shrug and say insurance will take care of everything. Understanding cyber-attacks and technology risk and how they impact business objectives, both positively and negatively, will be increasingly important in the years ahead.
Has your organization been the victim of a data breach, ransomware, or some other type of cyber-attack?
How does your organization consider technology risks and opportunities within the larger context of business objectives?
To share your perspective, please leave a comment below or join the conversation on LinkedIn.
Today’s article barely scratches the surface of this important topic. I do run into issues like this with my clients but have never spent much time discussing them here on the blog. With that in mind, please check back for more on technology risks and how organizations can ensure they don’t experience disruption and upheaval.
In the meantime, if your organization is struggling to understand technology risks beyond direct costs and impacts, please feel free to reach out to me to discuss your specific situation today.
Featured image courtesy of Soumil Kumar via Pexels.com
