There is no doubt that businesses, nonprofit organizations, and governments benefit from interconnectivity—by access to new markets, client support, shared information, and interpersonal communications. There is also no doubt that connectivity brings risks and that all firms need to anticipate those risks and consider how to address them.
Guest Post by Michele Braun, Director, Institute for Managing Risk, Manhattanville School of Business (Originally Published on August 9, 2017)
On July 17, 2017, Lloyd’s, the legendary London-based insurance market, released its forecasts of the potential costs of two types of cyber attacks. The results were headline grabbing: The July 18, 2017, Financial Times reported that “Lloyd’s warns of $120 billion bill from cyber attack on cloud provider.” “Extreme assault,” the headline continued, “may outstrip a natural disaster.”
For the past several years, the news media has been full of reports on cyber hacks: The 2013 theft of credit and debit card data from Target, the 2014 release of stolen emails from Sony Corporation, the alleged 2016 cyber-based interference with U.S. elections now being investigated by Congress, and this year’s WannaCry and Petya ransomware attacks name only a few. There is no doubt that businesses, nonprofit organizations, and governments benefit from interconnectivity—by access to new markets, client support, shared information, and interpersonal communications. There is also no doubt that connectivity brings risks and that all firms need to anticipate those risks and consider how to address them.
When company officials make decisions on where to put resources—which risks to take to build a business and which risks to avoid to sustain a business—they should try to quantify the downside risk as well as the upside potential. Because cyber technologies are rapidly developing and because potential interconnectivity appears to be endless, it’s particularly hard to quantify all likely cyber risk costs. This is where the Lloyd’s study becomes helpful.
Lloyd’s, in conjunction with Cyence, a security and economic data modeling firm, assessed two dramatic scenarios. For a hack that takes down cloud-service providers and their customers, Lloyd’s forecasts direct losses of $5 billion-$53 billion and possible broad economic losses of $16 billion-$121 billion. For the inadvertent release of vulnerability factors in widely used software, Lloyd’s forecasts possible direct costs of $10 billion-$29 billion. Real money, real costs.
The value of this study goes beyond its stated goal of helping insurance risk managers better prepare. It also identifies many risk factors that most companies should consider when developing their own cyber risk plans and deciding on risk mitigation—including insurance, employee training, and technological solutions. Risks include direct losses and, of course, replacement/upgrade costs. Importantly, this study also highlights reputational risks that can damage the ability to retain and develop business.
Identifying risks. Quantifying risks. Assessing which risks to take and how to avoid other risks. All great topics worthy of discussion.
If you live or work in the greater New York City metro area, including Westchester County and southern Connecticut, help guide that discussion by answering a very short survey on what risk topics have value to you and your organization here.
Watch this space for upcoming articles on current risk management topics as well as important new programs from the Institute for Managing Risk at the Manhattanville School of Business where we help you develop your risk savvy!
About the Author
Michele Braun is the Director for the Institute For Managing Risk at the Manhattanville School of Business. For more information on IMR email Michele.Braun@mville.edu