Risks of the Cyber-Hurricane

When we think of big, costly catastrophes, we typically think of hurricanes, earthquakes and acts of terrorism.

By Patricia Vowinkel

Not many of us would think about the possibility of a catastrophic information technology or infrastructure collapse.

Maybe we should.

Tracking Travel (05/01/13)
Helping to Close the Gap (03/01/13)
All U.S. Nuclear Reactors Flawed (NY Times) (04/10/13)
Broadening the Risk, Increasing the Yield (05/21/13)
Catastrophe Management: Through the Eyes of a Partner (04/16/13)

Cyberthreats to the Internet jumped 1,000 percent between 2006 and 2008, according to a new report by the Internet Security Alliance (ISA) and the American National Standard Institute (ANSI), which cited Symantec, a provider of security software, for those figures.

The report, "The Financial Management of Cyber Risk," was released in late March with the objective of bringing cybersecurity to the attention of residents of corporate C-suites.

Although these cyberthreats have not managed to paralyze the information technology infrastructure of business and industry on a wide scale as of yet, they are a concern, said Robert Parisi, national practice leader for technology, network risk and telecommunications at Marsh.

"For the government folks, they don't care about the liability of this, they care about what happens if you have a cyber-hurricane that knocks out a lot of companies," he said.

Government officials are also worried about increasing cyber-attacks on infrastructure.

Critical infrastructure owners and operators are under repeated cyber-attack, often by high-level adversaries, according to a McAfee study titled "In the Crossfire: Critical Infrastructure in the Age of Cyberwar" released earlier this year. The study questioned 600 information technology and security executives from critical infrastructure enterprises across seven sectors in 14 countries all over the world.

On average, respondents in the McAfee study estimated that 24 hours of down time from a major attack would cost their own organization $6.3 million.

And who pays for these losses?

Many companies believe the insurance industry would bear the cost of a major cyber-incident.

These executives may be in for an unwelcome surprise, according to the ISA/ANSI report.

One third of corporate chief technology officers confessed to not knowing for sure if they had insurance to cover cyber-events and, more alarmingly, another third believed they had cyber-insurance coverage and were wrong, according to an Ernst & Young study cited in the study done by ISA/ANSI.

"The government is saying we see potential for a huge disaster and the insurance market has not been responding as quickly as we would like it and the private sector has not been availing itself of the insurance that is available to them--and that's troubling," Parisi said.

Insurance for cyber-risks has been available for some time, but the market has developed and evolved over the years to better address the exposures some companies face.

Some companies explored the cyber-insurance market several years ago, found it lacking, and have not returned, Parisi said.

But the exposures have changed and so have the policies.

An information technology failure could lead to lost income, business interruption losses and reputational damage, as well as lawsuits and investigations by regulators. In addition, there is the potential for directors' and officers' exposure as well, according to the ISA/ANSI report.

PATRICIA VOWINKEL has worked for national media outlets for more than 20 years.

June 1, 2010

Newsletter Sign-up