Cyber-crime loss potential analysis

Cyber security has long since arrived on the management floor of SMEs. Budgets are being increased, the outsourcing of IT services is becoming increasingly popular and the training of IT employees is being promoted. An essential aspect of cyber security, raising awareness among employees with relevant training courses, is increasingly becoming a standard element of training plans.

However, the number of successful cyber attacks continues to rise. This is partly due to increasingly sophisticated methods, especially the manipulation of employees through social engineering, and to the more aggressive behaviour of attackers. Cyber attacks still offer criminals a very high success rate for minimal effort and with a low probability of being caught.

Comprehensive risk assessment

GrECo offers 360° support for cyber risks and advises you comprehensively, from the identification and evaluation of possible cyber risks to customised cyber insurance cover.

Risks are identified and assessed along the risk management cycle in order to define, on an objective basis, a strategy for managing these risks, including its costs and benefits.
A comprehensible and transparent risk assessment is essential for using existing resources where they have the greatest impact, especially given the rising need for investment in cyber security.

GrECo Risk Engineering – GrECo’s subsidiary specialised in risk management – evaluates the following losses as part of the cyber loss potential analysis.

1. First-party loss potential analysis

A key part of the analysis of first-party loss is the impact of a potential cyber incident in the form of business interruption or business restriction. This is especially important for manufacturing companies because of their increasing dependence on functioning IT processes. The analysis includes evaluating the impact on bottleneck systems and on production-critical infrastructure facilities. The IT systems used for production management or warehouse logistics are likewise an important part of the analysis.

For service providers and local authorities, the availability and integrity of data play an essential role. Further internal cost positions are intra-company friction costs incurred in finding the cause of the damage, determining its extent and repairing it. First-party losses also include the costs of notification obligations towards authorities and customers, possible fines and contractual penalties, and extortion payments. The first-party loss potential is supplemented by reputational damage and the theft of trade and business secrets, whose monetary valuation poses a particular challenge.

Providing proof of the damage and losses to the insurance company may itself involve considerable cost. The burden of proving the existence of a cyber incident lies with the company, which is why retained logs and forensically preserved evidence from the affected systems are relevant not only to the investigation but also to the insurance claim.

2. Third-party loss potential analysis

Assessing third-party losses, which essentially result from liability towards third parties, is very important. These losses may have a significantly greater impact than first-party losses and are often more difficult to assess, as the company's stakeholders, such as customers, suppliers and its own employees, must be taken into account in the analysis. The applicable legal situation also plays a key role, as it must be clarified in each individual case whether there is a liability and to what extent. The legal situation may differ considerably from country to country. Under the General Data Protection Regulation, the parties affected by a data breach are entitled to compensation for material or non-material damage. However, the final supreme court decisions that could serve as precedents have yet to be made.

3. External cost positions

External cost positions comprise the costs of external consulting services for forensic investigation, damage repair (e.g. restoring data), crisis communication and legal advice, as well as the costs of reducing reputational damage. These can represent a significant cost factor in a cyber loss and are often underestimated. Internal personnel are frequently unable to perform these services because of a lack of expertise or a lack of resources.

Assessing the loss potential is an important prerequisite for taking out cyber insurance, both for defining the sum insured and for designing a risk-adequate scope of cover.

Johannes Vogl

General Manager GrECo Risk Engineering

T +43 5 040411160