Cyber Risk

Cyber is one of the most pressing risks for business and private persons in the world. The Allianz Risk Barometer 2020 (, for example, ranks cyber as the most important business risk (even though the report was compiled and published before the global Covid-19 pandemic).

Despite its importance and a noticeable increase in awareness in the last few years, cyber is still an elusive risk. In the following, we provide you with an overview of the definition and cyber risks, its core characteristics and a short summary of major cyber events.

Especially in the insurance context, a clear definition of cyber risks is necessary to provide an as precise as possible wording of the underlying peril of a policy. We will, therefore,  follow along the insurance industries definition of cyber, even though not all cyber damages, like the loss incurred by a rival company using the stolen intellectual property of a breached competitor, are insurable. 

A great discussion and synthesis of the varying definitions of cyber risks is , and we highly advise it as an introduction to cyber risks as a whole to any interested party. Based on the guiding regulatory frameworks for the banking and insurance sector, Basel II and Solvency II, the authors classify cyber as “operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems.” Operational risks are defined by Solvency II as “the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses”, or in colloquially, operational risks are risks that arise outside from the core business activity.

Sources of Cyber Risk ()

Non-criminal Sources

Act of Nature

Power outage after a natural catastrophe, destruction of servers or computer facilities by flooding, fire, etc.

Technical Defects

Hardware failure, e.g., data loss after a head crash of the harddrive or a computer crash; bug in software

Human Failure

Unintentionally disclosure of information on webpage, false report

Criminal Sources (Cyber Crime)

Physical attacks

Physical data theft, e.g., theft of confidential bank data by an
employee

Hacker attacks

Espionage of customer data or sabotage of company processes,
e.g., DoS attack, key logger, or malware5 (virus, worms, spammails, Trojan horses)

Extortion

Threats by internet, e.g., Mexican drug cartel

Based on the Vocabulary for Event Recording and Incident Sharing (VERIS, see ), a framework for the collection of security incident details, the report classifies seven categories of cyber threats. In addition, the VERIS Project is an active research project that classifies new cyber incidents and makes them available to the interested public.

Cyber Risks (VERIS Framework)

MALWARE

Malware is any malicious software, script, or code run on a device that alters its state or function without the owner’s informed consent. Examples include viruses, worms, spyware, keyloggers, backdoors, etc.

HACKING

Hacking is defined within VERIS as all attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms. Includes brute force, SQL injection, cryptanalysis, denial of service attacks, etc.

SOCIAL

Social tactics employ deception, manipulation, intimidation, etc to exploit the human element, or users, of information assets. Includes pretexting, phishing, blackmail, threats, scams, etc.

MISUSE

Misuse is defined as the use of entrusted organizational resources or privileges for any purpose or manner contrary to that which was intended. Includes administrative abuse, use policy violations, use of non-approved assets, etc. These actions can be malicious or non-malicious in nature. Misuse is exclusive to parties that enjoy a degree of trust from the organization, such as insiders and partners.

VERIS classification note: There is an action category for Hacking and for Misuse. Both can utilize similar vectors and achieve similar results; in Misuse, the actor was granted access/privileges (and used them inappropriately), whereas with Hacking, access/privileges are obtained illegitimately.

PHYSICAL

Physical actions encompass deliberate threats that involve proximity, possession, or force. Includes theft, tampering, snooping, sabotage, local device access, assault, etc.

ERROR

Error broadly encompasses anything done (or left undone) incorrectly or inadvertently. Includes omissions, misconfigurations, programming errors, trips and spills, malfunctions, etc. It does NOT include something done (or left undone) intentionally or by default that later proves to be unwise or inadequate.

ENVIRONMENTAL

The Environmental category not only includes natural events such as earthquakes and floods, but also hazards associated with the immediate environment or infrastructure in which assets are located. The latter encompasses power failures, electrical interference, pipe leaks, and atmospheric conditions.

VERIS classification note: Natural hazards and power failures are often classified under physical threats. We include such events in the Environmental category and restrict the Physical category to intentional actions perpetrated by a human actor. This is done for several reasons, including the assessment of threat frequency and the alignment of controls.

Another, more technical and detailed taxonomy of cyber threats is the MITRE ATT&CK Framework (), which classifies adversary tactics and techniques for enterprises.

To fit the holistic view of cyber risks, we have integrated the section on the absolute global cyber damages in the Cyber Market Statistics.

There are several excellent reports that provide comprehensive statistics on data breaches. While we highly advise to seek out other reports, e.g. under 1.1.1 Cyber-Damages & -Claims Statistics in our library, we will follow mostly the excellent Verizon Data Breach Report (), that has been annualy published since 2015. Using the VERIS Framework described in the block on cyber threats above, in its 2020 version, the Verizon Data Breach Report analyzed more than 150,000 cyber security incidents, of which 32,000 possessed the necessary quality (completeness of records, sensible description of the incident, etc.) to warrant further investigation. Out of those 32,000 records, about 4,000 were actual data breaches, which the report defines as incidents that result in the confirmed disclosure – not just potential exposure – of data to an unauthorized party, compared to cyber security incidents which include all events that compromise the integrity, confidentiality or availability of an information asset. In the 2020 version, the data is also broken down for industrial sectors and geographical regions and make it well worth a read.

The report features many interesting statistics and we highly recommend to any interested party to read the report in its entirety, not only for data but a very clear description of the utilized methodology of tracking incidents (Page 35 ff., Page 105 ff.) and the inherent biases when sampling cyber incidents (Page 16, Page 105 ff.). In addition to the report itself, the authors provide an interactive tool to go through the data in more detail. One of the most important statistics on cyber threats is the frequency of attacks, i.e. the share of each of the seven VERIS categories of the overall confirmed data breaches. The following chart shows the share of attacks since 2010.

Cyber Attack Vectors ()

About a third of attacks in the last three years stemmed from hacking incidents. The share of Malware attacks is gradually decreasing since 2014, while the share of errors is quickly increasing, climbing from 3% in 2014 to 18% in 2019. 

The Verizon report gives not only a total breakdown of the involvement of the top level categories, but a dynamic view of the involvement of each of the attacks in the different stages of an attack. For example, while most data breaches in the dataset start with a social engineering attack, they often end with a malware infection (Page 33).

Cyber incidents have caused billions of damages in the last decades. The following is table is just a short list of some of the most high profile incidents and insured cyber losses so far. In our library, you will find under 3.1 datasources and -sets with additional information.

#YearIncidentEconomic LossInsured LossSources
12004I-Love-You WormUSD 15 Bn-
22017NotPetya Ransomware AttackUSD 10 BnUSD 3 Bn+
32007Conficker AttackUSD 9.1 Bn-
42017WannaCry Ransomware AttacUSD 4 BnUSD 50 - 60 Mil
52017Equifax Data BreachUSD 1.17 BnUSD 125 Mil
62018Marriot Data BreachUSD 200 - 300 Mil (?)USD 102 Mil
72019Hydro Norsk USD 70 - 80 MilUSD 20 Mil

References

Allianz. 2020. Allianz Risk Barometer 2020. https://www.agcs.allianz.com/news-and-insights/reports/allianz-risk-barometer.html (January 17, 2020).
Eling, Martin, and Jan Hendrik Wirfs. 2016. Cyber Risk: Too Big to Insure? Risk Transfer Options for a Mercurial Risk Class. St. Gallen: Institute of Insurance Economics I.VW-HSG, University of St. Gallen. https://www.ivw.unisg.ch/~/media/internet/content/dateien/instituteundcenters/ivw/studien/cyberrisk2016.pdf.
Mitre. “MITRE ATT&CK Framework.” https://attack.mitre.org/ (December 5, 2020).
VERIS. 2020. “VERIS Community Database.” http://veriscommunity.net/vcdb.html (February 3, 2020).
Verizon. 2020. 2020 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/dbir/?CMP=OOH_SMB_OTH_22222_MC_20200501_NA_NM20200079_00001.