Be Warned: Impacts from Cyber Attacks Not Fully Insurable

In speaking with clients or other organizations, I’m often astounded by the response I receive when I ask about cyber-attacks. Too often, the risk professional or executive I’m speaking with says something like this – “Oh, we have insurance coverage for that…”

This is cringe-worthy, like fingernails on a chalkboard cringe-worthy to me.

A recent report about a 2017 cyber-attack affecting the pharmaceutical giant Merck provides a great example of why this thinking can be dangerous. Although Merck had $1.75 billion in coverage for catastrophic risks around computer data, coding, and software, its claim was denied because their policies exclude terrorism and “acts of war.”

Since it’s believed the 2017 attack was the work of Russian intelligence services, the insurers maintain they are not obligated to cover Merck’s costs.

As a result, Merck is suing its insurance carriers. The case is significant because there is no clear definition in U.S. law as to what an “act of war” is in the context of cyber.

The targets of the attack dubbed “NotPetya” were in Ukraine, a neighboring country that has been in heightened conflict with Russia since the Maidan Revolution in 2014. However, the malware ended up affecting Merck’s servers in the country and spread to its computers and servers throughout the world.

The NotPetya attack ended up affecting hundreds of other companies as well, including FedEx and Maersk, the global shipping giant.

Regardless of whether Merck succeeds in its legal challenge, the cost of this cyber-attack will well exceed the $1.3 billion in direct costs.

In regards to cyber-attacks and data breaches, the first mistake many organizations make is to only consider the direct costs of events like this.

The fact is there are many other “costs” or risks that must be considered.

The last few years have seen a dramatic increase in the frequency and impact of cyber-attacks. Released this past summer, the Cost of Data Breach Report from IBM Security and the Ponemon Institute pegs the average cost of an attack at $3.9 million, an increase of 12% over the last five years.

This amount though doesn’t really account for business disruption, customer impacts, and other issues that can play out for years.  The out-of-pocket expense may be relatively low for some, but the impact of a cyber-attack or data breach on achieving business objectives can be significant.

In the case of Merck, the impacts of the NotPetya attack were significant to say the least.

Over 30,000 computers and 7,500 servers in sales, manufacturing, and research units were affected. For at least two weeks, employees who couldn’t access their computers sat idle. Effects on production through the remainder of 2017 forced Merck to borrow the entire emergency supply of its human papillomavirus (HPV) vaccine from the U.S. Centers for Disease Control (CDC).

One researcher claims that over 15 years of work was lost in the attack – can you imagine!?!

Do you think that 15 years of research and development work is going to be recovered quickly or completely? In other words, is data loss really insurable? No!

Of course, This doesn’t get into any impacts on intangible assets like reputation, intellectual property, trademarks, and more. Considering that these intangibles comprise an ever-increasing share of a company’s overall value, it’s not hard to see how one event can set a company back years, perhaps even destroy it altogether.

Instead of only factoring direct costs, organizations must consider how cyber-attacks, data breaches, and other technology risks impact business objectives.

This story is a great real-world example of the difference between traditional and enterprise risk management. Focusing on technology as a stand-alone, insurable risk, is an undoubtedly a traditional approach to this issue.

But in order to better understand these risks and any opportunities requires taking a holistic, enterprise-view.

In his newest book Making Sense of Technology Risk, Norman Marks explains how there are different frameworks and guides for helping organizations identify, assess, and manage these type of risks. While these standards have been useful, none of them help organizations understand how technology risks fit into the bigger picture of the enterprise around risks and opportunities, positive and negative consequences, nor do they help the organization make informed business decisions.

For example, an information security breach may not have a direct impact on earnings, but it could cause delays in processing sales orders, lost revenue, and upset customers who may take their business elsewhere.

Although cyber-attacks are on the rise, does this represent the biggest risk to achieving objectives? Should executives invest funds to protect against these threats versus committing resources toward new and disruptive technology, product development, manufacturing capability, and other opportunities?

As Norman explains:

Choices have to be made. No organization (even Apple) has unlimited resources. Its leaders need to be able to understand technology-related risks within the context of running the business and achieving its objectives.

With the world becoming more interconnected with each passing day, it’s incumbent upon organizations to not just shrug and say insurance will take care of everything. Understanding cyber-attacks and technology risk and how they impact business objectives, both positively and negatively, will be increasingly important in the years ahead.

Has your organization been the victim of a data breach, ransomware, or some other type of cyber-attack?

How does your organization consider technology risks and opportunities within the larger context of business objectives?

To share your perspective, please leave a comment below or join the conversation on LinkedIn.

Today’s article barely scratches the surface of this important topic. I do run into issues like this with my clients but have never spent much time discussing them here on the blog. With that in mind, please check back for more on technology risks and how organizations can ensure they don’t experience disruption and upheaval.

In the meantime, if your organization is struggling to understand technology risks beyond direct costs and impacts, please feel free to reach out to me to discuss your specific situation today.

Featured image courtesy of Soumil Kumar via

Posted in

Sign Up For Our Newsletter

Sign Up For Our Newsletter


Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.

Most Recent Posts

The 12 Days of ERM Christmas

Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…

Read More

Don’t Let Goals and Initiatives Be Blindsided by External Events

As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…

Read More

Going the Distance: Ensuring Successful Execution of Strategic and Annual Initiatives

Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…

Read More

Avoid Rookie Mistakes and Protect your Internal Reputation

Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…

Read More

ERM at Thanksgiving – An Illustration of Risk Management in Action

On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…

Read More

Why Quantitative Risk Assessment is Not Just the Best But the Only Option – A Conversation

Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…

Read More

The Three Lines Model – 3 Reasons Why I Don’t Like It

Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…

Read More

5 Avenues for Expanding your ERM Knowledge

One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…

Read More

Storytelling and Risk Management – Developing Skills that Technology Cannot Replace

It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…

Read More

3 Phases to Creating and Launching an ERM Program Focused on Organizational Success

If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…

Read More