Cyber losses: How far can they reach?

When reviewing cyber security, it makes sense to look at your own exposure first. Are all the security patches up to date? What's the plan if there's a distributed denial-of-service (DDoS) attack? While it is vital to keep your own house in order, it's just as important to keep tabs on the bigger picture. 

The explosion in interconnectivity means a cyber-attack on one company can carry over to its partners and customers. This can be particularly damaging for certain sectors, for example financial companies which hold a lot of sensitive information, or the utilities industry as it provides crucial services. If a cyber incident has a knock-on effect causing physical damage or business interruption to a third party, who is liable and how likely are they to be insured against such a risk?

Companies need to identify and mitigate their potential for third-party liability. The first step is to establish what could go wrong and with what impact. For example, if a company has a lot of highly confidential data it should restrict that information to specific servers with extra layers of security. Supply chain control is another potential minefield, as more information is being stored in the Cloud. As a result, companies have less direct control of their data but they are still liable in the event of a data breach. Data security in the supply chain is becoming a major issue as ecosystems grow.

Employee engagement is another key action point. If the staff are aware of potential third-party liability issues, they will help speed up the recognition of problems or (even better) pre-empt security breaches. Bringing cyber risk out into the open by encouraging discussion of incidents and organising training courses will raise employee awareness of what is at stake. This engagement should also be extended to customers and business partners, and possibly organised on an industry basis.

A recent company survey carried out by Swiss Re and IBM® reveals that most companies (52% of respondents) believe that third-party risks will outstrip their first-party counterparts by 2025. It's time to act. If you're sitting on a time bomb, it's in your interests to start defusing it.

A data breach doesn't mean game over. After a cyber-attack we get you back in business.

Learn more about our Cyber insurance solutions.