Your Company as a Cyber Target or Collateral Damage

The Bloomberg Markets story, “Asymmetric Warfare,” begins with a cyberattack on pharmaceutical giant Merck & Co. in June 2017. The attack, eventually linked to Russia’s military intelligence agency, crippled 30,000 laptops and 7,500 servers at the company, affecting sales, research and manufacturing operations. Ironically, Merck was not the target, it was Ukraine; Merck was collateral damage. The company’s entire network was taken down by a server in its Ukraine office that ran an infected tax software application, causing losses the company estimated at $1.3 billion. The story then takes an unexpected twist. 

When Merck turned to its 30 insurers and reinsurers, through which the company had $1.75 billion in coverage after a $150 million deductible, it was shocked to discover that the carriers denied coverage, claiming that the attacks were an act of war, which was not covered by Merck’s policies. Was the attack the modern version of war? The courts are still deciding that issue, which will determine whether the insurers in the Merck case will have to pay (a few have settled with the company). But corporate giants are taking notice and are worried. The story quotes Bob Dudley, BP’s chief executive, saying that aside from the transition away from fossil fuels, a catastrophic cyberattack is the thing he worries about most.

According to a recent report from a group including Lloyd’s of London, the cost to businesses and insurers of a single global ransomware attack could be as much as $193 billion, with 86% of that uninsured. Some are estimating that total annual business losses from data breaches could hit $5 trillion by 2024.

Manufacturers are particularly vulnerable, says Andrew Morrison, who leads Deloitte & Touche’s Cyber Strategy, Defense and Response practice. Taking down a manufacturing facility and a supply chain have dramatic effects, he says, and manufacturers aren’t well-prepared because they often are using legacy equipment that’s very difficult to secure — especially given the proliferation of interconnected devices embedded in their systems. 

The story’s takeaway isn’t heartening: given the rising cybersecurity threat and insurers’ increasing efforts to protect themselves, companies have no choice but to step up their own defenses.