The Breach Calculator: A Useful Tool or Past Its Prime?
Analyzing Cyber Risk with Breach Calculators
Cyber risk has become notoriously difficult to quantify.
Gone are the days of a monolithic IT stack managed by a single department with on-premises hardware. With cloud-based IT services and new kinds of software being deployed by any and every department -- not to mention the ever-increasing amount of data being stored -- it’s nearly impossible for any one person to have a handle on an organization’s entire IT footprint. Meanwhile, the tactics of cybercriminals adapt faster than IT defenses.
In this climate, any tool that can provide some clarity for policyholders about the financial risk posed by their IT security is welcome.
In this respect, breach calculators have become a common tool for risk managers and those working in cyber insurance. After a spate of high-profile breaches in recent years, it’s clear that organizations of all types should quantify the potential costs associated with exposure of the records in their control. When it comes to buying and selling insurance, breach calculators help brokers and their clients get a sense of the scale of the financial risk tied to their data, helping them make decisions about coverage.
What Does a Breach Calculator Measure?
The direct costs of a breach stem from fines and lawsuits regarding the mishandling of data, and the costs of investigation and remediation that occur as a result of the breach. The amounts are driven by the number and type of records: more records, and more sensitive records, such as those containing personally identifiable information or health records, will drive costs higher. By putting information about these factors into a breach calculator, we can estimate how much a breach would cost any business. The cost estimates are driven by data on claims and survey results. A detailed calculator is available from Net Diligence (accessible in the Corvus Risk Management Portal for our Cyber and Tech E&O clients) and there are a number of simpler calculators available on the web.
While useful, a breach calculator can be limiting for a broker seeking to help a client understand their total financial exposure to cyber risk, if its results are the only thing considered.
Data Breaches Are on the Rise
Breaches remain common, and financial risk is still increasing as more of the world’s information is digitized. But if your clients are looking at the headlines this year, they are likely seeing reports of attacks that involve more than the stealing and re-selling of sensitive data. In fact, according to one report, breach incidents were down in 2018 after years of steady growth.
Meanwhile, ransomware attacks have reportedly increased by hundreds of percent over the past year. These attacks often involve the interruption of business operations, or at least the threat of business interruption (BI), to encourage a ransom payment. It’s not a new concept, but since the global-scale Petya/NotPetya attacks in 2017, cybercriminals have embraced the approach because of the immediate impact it can have on organizations of all kinds.
While data breaches can be costly and disruptive for the organization, they don’t frequently stop an organization in its tracks, and they depend on a strong market for the sale of sensitive information for the crime to pay off. A great return is not guaranteed. Ransomware, on the other hand, provides an instant hit.
This is where breach calculators can come up short: even if they’re accurate at predicting breach-related costs, the costs of business interruption or contingent business interruption during a ransomware attack or other form of sabotage can quickly add up, and depending on the type and size of the business they can even exceed the costs of a breach.
Be Sure Your Risk Assessment Is Comprehensive
Ransomware can include a variety of nefarious activities to disrupt a business. It can knock out business-critical systems that control warehouses, factories, or logistics. It can “brick” thousands of employee laptops, rendering the employees incapable of working for days until their hardware can be replaced. To get a sense of how catastrophic these attacks can be, imagine 20,000 appointments canceled at the UK’s NHS, a large section of the Port of Los Angeles shutting down because of an attack on a single company, or an entire division of a multinational manufacturer being shuttered for days.
These are examples that made news for their sheer scale and the brazenness of the attackers. But for millions of smaller enterprises and municipal or other governmental entities, attacks fly under the radar. Relative to their size, they are more destructive, because these entities are unlikely to have a balance sheet that’s ready to absorb the costs or in-house expertise in handling such crises. Criminals are currently wreaking havoc on small municipal governments in the U.S., for example.
Brokers should be prepared to inform clients about the risks of shutdowns or ransom situations as part of a complete risk assessment. This assessment should include a scan of the organization’s footprint, since simple questionnaires are unlikely to yield a complete picture given the complexity of modern IT environments. Take particular note of the dependencies the business has on third parties -- the contingent business interruption risk: what impact to operations might occur if a critical vendor, rather than the client’s own organization, is attacked?
Use a breach calculator to determine the risk exposure of the client’s data, but don’t overlook the costs the client would bear if their operations were completely shut down for days on end. Traditional Business Interruption worksheets are a good place to start. And of course, be sure that the cyber insurance policies you recommend include coverage for Business Interruption and Contingent Business Interruption.
So are breach calculators past their prime? Not as long as data breaches still occur by the hundreds every year, which doesn’t look likely to change any time soon. But they are far from the end-all, be-all of risk assessment.