With shipping giant Maersk suffering the fallout from a global IT failure as part of a global ‘Petya’ ransomware cyber attack, the world’s oldest insurance market has warned the maritime industry that it needs to understand the potential scale of losses that can result from attacks.
According to Lloyd’s chief executive Inga Beale, such attacks have the ability to destroy major firms.
“The reputational fallout from a cyber breach is what kills modern businesses. And in a world where the threat from cyber crime is when, not if, the idea of simply hoping it won’t happen to you isn’t tenable,” she said.
“To protect themselves businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimise reputational harm, and arrange cyber insurance to ensure that the risks are adequately covered. By reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimise the immediate costs and their exposure to subsequent ‘slow-burn’ costs,” Beale said.
Insurance market research on cyber threats issued on Wednesday has found that businesses are underestimating the potential costs of such attacks.
The Lloyd’s report, which was produced in association with KPMG and law firm DAC Beachcroft, warns that there is an urgent need for firms to properly prepare themselves or face a hefty bill, including ‘slow burn’ costs such as reputational damage, litigation, and loss of competitive edge.
The research identifies ransomware, which is believed to have caused Maersk’s problems, as a rapidly increasing threat, together with distributed denial-of-service attacks and CEO fraud.
Matthew Martindale, director in KPMG’s cyber security practice, said, “Cyber risk has moved up in the business agenda and businesses are taking measures to prepare themselves. However, they are failing to factor in the long-term damage that a breach can cause and the cost implications of it. Dealing with things like reputational issues and litigation in the aftermath of a breach can add substantial costs to the overall loss. Businesses really need to start thinking about the cyber risk holistically rather than one that is currently very short-sighted.”
One leading cyber-security expert warned that ransomware attacks often had a human element and that companies had to look at the training and the system access they give their staff.
International Institute of Risk & Safety Management (IIRSM) special adviser Mike Gillespie said, “Let us not forget that the vast majority of these successful ransomware attacks are only made possible as a result of human activity. Ransomware is not a cyber ‘attack’, it is an active and offensive head-on assault on our defences. It is the dangling of a poisonous and indiscriminate bait that staff then take and bring into our organisations thus facilitating this destruction. Almost all of the organisations affected will find, when they do their incident investigation thoroughly, that one of their staff has downloaded unauthorised software, or clicked on a phishing email or attached an infected USB device to their network. Without this human intervention, very little malware has any potency.”
Gillespie, who is also vice-president of the Centre for Strategic Cyberspace & Security Science (CSCSS), added, “Often businesses that have received a ransomware attack like Petya concede to the attackers’ demands because they don’t have good security, good education, and good crisis management strategies in place. Often, they feel paying up is their only option. If businesses were in a better place to begin with, they wouldn’t be held to ransom in the first place. Also, if businesses pay a ransom to get files back, they’re essentially asking the attackers how much money they want and they’re telling them they’re prepared to pay so they will likely be targeted again.”