Background - 10.10.2022 - 00:00 

Cyberattacks as the biggest business risk

Cybercrime has grown massively in recent years. HSG insurance economist Martin Eling is researching how financial losses from digital attacks can be calculated. As one of the first researchers to address the topic, Eling's expertise is now in demand worldwide. His latest project: An international project on the issue of whether it makes sense to pay a ransom in cases of digital blackmail.

10 October 2022. Cyberattacks on companies, state institutions and private individuals are on the rise: In 2020, cybercrime caused $1,000 billion in damage worldwide - a 40 per cent increase compared to 2018. "In recent years, cybercrime has become industrialised. You can now book such attacks with providers even if you don't have extensive IT knowledge," says Martin Eling, professor and director at the Institute of Insurance Economics at the HSG (I.VW-HSG).

As an insurance economist, Eling is primarily interested in what financial losses can be expected in the event of cyberattacks. "If decision-makers in politics and business are aware of the potential damage, it allows them to be more specific in how they manage the risks," he says. Insurers can also use these figures to assess which digital risks can be insured at all.

The health sector is exposed

Eling, together with Mauro Elvedi (HSG) and Greg Falco (Johns Hopkins University, Baltimore), developed a model to calculate the range of potential costs of six extreme digital damage scenarios in the US. The model also takes so-called spillover effects into consideration: These occur when an attack on one sector of the economy (e.g. energy supply) has an impact on other sectors. For example, these effects cause the potential damage amounts to increase significantly in almost all attack scenarios - a result that also reflects the globalised and networked world economy.

Eling's team at I.VW-HSG has now expanded the study published in the renowned North American Actuarial Journal in March 2022 with figures for Switzerland, Europe and China. For the first time, extreme cyber risks were calculated for different regions of the world using the same analytical framework. "Among other things, the figures show that in Switzerland, as in the USA, it is primarily the health sector, public services and control systems in industry that are very exposed in terms of possible follow-up costs," says Eling. In these areas, cyber risks must therefore increasingly be included in planning activities. "Especially because some of these are critical infrastructures for the public." It is clearly noticeable that the figures for the USA and Switzerland hardly differ in relative terms. According to Eling, this is due to the similar service-based economies of both countries.

A study on dealing with digital blackmail is planned

Eling is globally networked as one of the leading researchers in the field of measuring damage from cyberattacks. This is why he was invited to an interdisciplinary conference organised by the Massachusetts Institute of Technology (MIT) together with the US Federal Reserve at the beginning of September. Researchers from various disciplines as well as representatives from the financial industry and the US government discussed current issues in the field of cybersecurity and the measurement thereof. As a result, Eling has planned further collaboration with MIT researchers on the topic.

Eling is also currently working on a research project in cooperation with the New York insurance broker and risk management provider Marsh. This project is looking into whether it makes sense to pay a ransom in the case of blackmail in connection with cyberattacks. Marsh is providing the HSG researchers with an extensive, anonymised amount of data for this purpose. This is a privileged position for the researchers, because very little data on cyberattacks and their consequences is available. "Most companies and institutions have no interest in disclosing data on an attack," explains Eling.

Yet there are attacks of this kind all the time - "in Switzerland, too, SMEs in particular are attacked every day in the digital world, but there is hardly any perception of this by the public," says Eling. And this apparently also applies to the companies themselves: As a representative study published by the insurance company AXA at the end of August shows, two thirds of Swiss SMEs rate the risk of a digital attack as low. Eling says in response: "The risk management of many SMEs is relatively underdeveloped. But a cyberattack represents one of the biggest business risks nowadays."

Attacks on Ruag and Stadler Rail

There have also been some startling digital attacks on companies in Switzerland in recent years: In April 2021, hackers published a video purporting to show how they viewed various data records of the federally owned technology group Ruag International without any problems. An investigation by the National Council's Business Audit Commission found no evidence of a hack. However, it did criticise "serious deficiencies" in Ruag International's information security. "The case of Ruag International is an example of how no or only unclear information and data about suspected cyberattacks are made public," says Eling.

The train manufacturer Stadler, on the other hand, pursued an aggressive information policy: In May 2020 it stated that its IT network had been hacked and that the attackers were demanding a ransom of six million US dollars in Bitcoin for the return of sensitive data. Stadler Rail confirmed that it did not intend to pay this money. The hackers did then actually publish stolen data on Twitter and the Darknet. "Companies need a model for dealing with hackers," says Eling. So far, recommendations for action have been rather theoretical, but the aforementioned research project of the HSG with Marsh should provide some serious information on what measures attacked companies can take.

It is unlikely that Eling will run out of research questions on this topic. "New challenges in the area of cyber-risks are constantly appearing. Unlike natural disasters, we are dealing with man-made challenges here. Which means the attackers are constantly developing new strategies and threats."
