The costs of cyber incidents are rising and can include financial, reputational and, increasingly, criminal liability. IBM estimates that the average cost of a single data breach is US$ 4.35 million, up 12.7 percent since 2020. (IBM Security, 2022) The costs to society are high as well. The cybersecurity firm McAfee and the Center for Strategic and International Studies estimate that cybercrime and espionage cost global society over US$ 1 trillion in 2020 — a 50 percent increase since 2018. (Smith, 2020)
Cyber insurance is more challenging to obtain, as cyber insurers’ losses jumped 300 percent from 2018 to 2021. Cyberattacks are happening so frequently, and carry such unanticipated costs, that insurers are stopping coverage, increasing the cost of coverage, or instituting carve-outs for cross-sector or government-sponsored hacks (Zang, 2022).
It is unclear whether property and casualty (P&C) insurance will cover physical damage caused by a cyber incident on an OT system that leads to physical injury or the loss of life. Many insurance companies are rewriting policies to exclude coverage for a cyber incident that results in an impact on human health or property. For example, Merck experienced US$ 1.3 billion in losses due to the Russian NotPetya cyberattack on Ukraine in 2017. Merck invoked its P&C insurance to recover some of its losses, but these policies had “war exclusions” that barred coverage for damages caused by states’ “hostile or warlike” actions. Given that geopolitical tensions are on the rise and state-organized hacks will become more common, companies will have difficulty covering cyber risks via insurance (Bateman, 2020).
CEOs face the risk of greater personal liability. Gartner and a recent case from Finland highlight the risks to CEOs stemming from cyber-physical incidents. Gartner estimates that 75 percent of CEOs risk being held personally liable for cyber-physical breaches. Gartner argues this risk is based on leadership’s lack of security focus and ensuing misalignment of spending on risk mitigation and remediation.
CEOs used to be able to hide behind ignorance of the cyber risks facing their organizations, or could transfer cyber risk to insurers (Moore, 2020). This is no longer the case. National authorities are increasing their alerts and information campaigns in critical infrastructure industries, and CEOs are being held to account as a result. In Finland, a CEO was given a three-month suspended sentence for his company’s failure to follow cybersecurity and GDPR practices, which led to a massive data breach.
Cybersecurity risks are at the top of building owners’ agendas. They should also be on facility managers’ (FMs’) agendas. In 2022 and 2023, surveys of real estate owners conducted by PwC identified cybersecurity as one of the leading disruptors to the real estate industry, alongside digital transformation (PwC, 2023). Building owners and facility managers face both a physical liability risk and an asset valuation risk from a cyber incident that can strike immediately and without warning. Attempting to transfer cyber OT risk to insurers does not remove building owners’ liability for the safe operation of a building, nor their responsibility for any incident that results in a loss of life or property.