
Cyber attacks muddy the waters for investors

Royal Mail, Capita and Morgan Advanced Materials have all been targeted by hackers this year. How worried should investors be?
May 17, 2023 and Michael Fahy

Cyber attacks against companies and governments are becoming more common and more costly. According to data from HSBC, the total number of cyber attacks jumped by 38 per cent in 2022, with more than 1,100 being carried out every week in the final quarter of the year. Meanwhile, the average cost of a data breach has risen by a fifth since 2017 to $4.35mn (£3.5mn).  

For investors, there’s another problem: most cyber incidents and breaches are not publicly reported or acknowledged, and companies are reluctant to disclose details of their security policies for fear of attracting unwanted attention. Assessing the investment risk, therefore, is extremely difficult. 

This year, however, some companies have been forced to spell out the cost of cyber crime. Outsourcing group Capita (CPI) reported an “unauthorised intrusion” in April, which resulted in data being leaked from around 0.1 per cent of its servers, affecting pension funds and other clients. The group expects to incur exceptional costs of £15mn-£20mn, comprising professional fees, recovery and remediation costs and cyber security investment.

Morgan Advanced Materials (MGAM) was similarly stung in January, when a number of its data storage systems were targeted. The manufacturing group expects to spend £15mn recovering its systems, and has warned that its operating profit will be 10-15 per cent lower than analysts predicted at the start of the year.

The impact on other companies has been less severe. Metal engineering company Vesuvius (VSVS), for example, declared that an incident in February – which prompted it to shut down its systems – had only had a “modest” effect on trading. One-off costs are expected to be between £3mn and £5mn. 

Meanwhile, International Distributions Services (IDS), the parent company of Royal Mail, has yet to reveal the financial damage inflicted by a prolific criminal gang that struck in January, although leaked transcripts from its discussions with the hackers showed a rejected demand for $80mn. 

Emerging trends 

The companies above represent a handful of high-profile hacking victims. However, wider trends are starting to emerge. Research by UK cyber security group Sophos found a “clear correlation” between annual revenue and the likelihood of experiencing a ransomware attack. 56 per cent of organisations with turnover of $10mn-$50mn experienced a ransomware attack in the past year, rising to 72 per cent of those with revenue of more than $5bn. In other words, the bigger the company, the bigger the risk. 

Management teams are also paying “considerably more” in ransom payments, according to Sophos. In a ransomware attack, intruders encrypt a company's files so that staff are locked out of their IT systems, then demand payment for the decryption key. Most criminal groups now also copy sensitive data out of the network before encrypting it, so that if the target refuses to pay, the stolen data can be leaked online as a second lever. The average ransom payment has almost doubled, from $812,380 in 2022 to $1.54mn in 2023.

This, of course, does not account for reputational damage, interrupted operations, regulatory fines, professional fees and possible litigation.

The exposure of different sectors to cyber attacks is trickier to assess. As shown in the chart below, the European Union Agency for Cybersecurity found governments to be a favoured target, as well as digital service providers. Healthcare firms and banks are also vulnerable given the personal data they hold. 


However, both Sophos and Check Point – an American-Israeli IT company – identified education companies as popular targets too. “Education traditionally struggles with lower levels of resourcing and technology than many other industries, and the data shows that adversaries are exploiting these weaknesses,” Sophos concluded. 

Similarly, the media, leisure, and entertainment sector was found to have “widespread security gaps” in this area. In contrast, Sophos said that IT, technology, and telecoms groups reported the lowest level of attack (50 per cent), “indicating a higher level of cyber readiness and cyber defences”. 


Trying to pinpoint which company will be struck next is a fool’s game. One thing does seem clear, however: the cost of cyber attacks and data breaches is rising, and is outpacing growth in cyber security spend.

Indeed, Japanese bank Nomura argued that cyber security will be the next major environmental, social and governance (ESG) consideration for investors, reflecting a company’s overall governance structure. “Going forward, the systematic integration of cyber security risks in investment analysis will create demand for more material cyber-security-related disclosures,” it said.

Beyond paying up for the best security systems (and training for staff liable to leave digital doors open), companies are also facing an insurance system less likely to pay out when hackers do get in. 


Who pays?

The growth in both the frequency and cost of cyber security incidents has sent the cost of cyber insurance soaring in recent years, at the same time as buyers complain that coverage is being diluted (Capita's insurance covered some but not all of the costs).

Elevated claim levels since the onset of the pandemic have continued to push prices higher, according to broker Marsh’s latest UK cyber insurance trends report. And although price growth peaked in the final quarter of 2021, increases have since slowed rather than abated.

With absolute pricing levels remaining higher, many organisations decided to reduce coverage limits in 2022 to manage costs, the broker said. It estimated that the global cyber security insurance market now pulls in $13.5bn a year in premiums.

In a recent survey of 3,000 companies from 14 countries, Sophos found 47 per cent had standalone cyber insurance, while 43 per cent had coverage as part of a wider policy.

Yet the value of such cover is being questioned as providers limit their exposure. Insurance marketplace Lloyd’s of London recently instructed syndicates to introduce exclusions in cyber policies covering state-backed attacks, given the “potentially systemic risks” arising from them.

This decision has irked the corporate clients who pay for such cover, though. Last week, the Federation of European Risk Management Associations (Ferma) said that without a better balance between the level of cover required by firms and insurers’ appetite to provide it, cyber insurance could become “an unviable product”.

“Why pay what some consider expensive premiums for increasingly limited coverage when further investment in cyber security is viewed as a more effective way of managing the risk,” Ferma’s deputy president, Philippe Cotelle, asked in an interview in the Financial Times this month.


Cyber warfare

A Lloyd’s spokesperson said it “did not take this decision lightly”, but that it was committed to it.

Tim Smith, a partner at law firm DWF (DWF), said that some in the industry were being more anxious than necessary.

Exclusions for war already exist in traditional insurance policies. Lloyd's changes merely update these to state that when two countries are at war, “anything they do in cyber space counts” as part of that war, meaning any knock-on damage caused can be excluded.

From the insurers’ perspective, it is understandable why they want to make this explicit.

The NotPetya cyber attack of 2017 (later attributed by UK authorities to the Russian military) was aimed at Ukrainian institutions, but it eventually caused billions of dollars of damage to systems at companies including US pharma group Merck & Co (US:MRK) and food giant Mondelez International (US:MDLZ). Insurers refused to pay out, citing an act of war. Both companies sued, and Merck had its $1.4bn claim upheld by a New Jersey appellate court this month. Mondelez reportedly reached a settlement in a $100mn case it brought against insurer Zurich last year.

Smith thinks exclusions will only be used sparingly, such as when there is an accompanying threat to the state, so that even major ransomware attacks like the one that forced Colonial Pipeline to shut down its fuel pipeline in 2021 would still trigger payouts.

“The number of situations where a claim would not be covered is going to be pretty modest,” he said.

Moreover, destructive actions by states or their proxies tend to be rare, argues Tim Rawlins, a security director at NCC Group (NCC).

Generally, the goal of states and their proxies is espionage, where the aim is to carry on stealing secrets undetected, but once wars break out there can be unintended consequences.

For instance, when a destructive attack on the ground network of Viasat’s (US:VSAT) KA-SAT satellite service bricked tens of thousands of customer modems on the eve of Russia’s invasion of Ukraine last year, it disabled satellite broadband not only for customers in that country but for thousands of others across Europe, including Bigblu Broadband (BBB) customers in the UK. It also cut off remote monitoring of thousands of wind turbines in Germany.

“The cost of cleaning up after an incident can be considerable,” Rawlins said.