It will have been hard to have missed the reports of the recent surge in high profile cyber attacks – whether in relation to the Kaspersky Labs $1bn cyber robbery, points stealing from British Airways' air-miles accounts or the Sony Pictures hack following controversy over the film The Interview. The level of threat that such attacks pose was highlighted recently when the World Economic Forum identified technological risks, in the form of data fraud, cyber attacks or infrastructure breakdown, as one of its top 10 risks facing the global economy in its 2015 Global Risk Report.
Such attacks create a constant battle for companies, faced with fighting increasingly sophisticated attackers who are developing ever more innovative ways of breaking through their defences, resulting in potentially catastrophic losses.
The rising number of attacks and their cost implications has led to a fast-growing cyber insurance market for insurers and reinsurers. Not only is there a demand to develop cyber coverage models to meet these new threats, but there is also a need to educate and advise clients in advance of attacks, in order to reduce the potential risk. Although many cyber breaches are seemingly impossible to prevent, raising awareness of the threat and responding promptly in the event of an attack can have a huge impact on the cost implications for an insured.
Until now, cyber insurance has been viewed as a predominantly US business, driven by numerous high profile and well-publicised attacks, and unsurprisingly, the US market is the biggest and most developed globally, with approximately $2bn of premium in 2014. Although this figure contrasts significantly with the approximate €150m ($167.8m) of premium in Europe's emerging cyber insurance market, the awareness of cyber threats here is rapidly growing. A recent UK government-backed cyber governance health check of FTSE 350 companies indicated that 88% of those companies now include cyber-risk in their risk management and risk register, compared to only 58% in 2013.
Growth in this sector is expected to continue and the London market stands to benefit significantly from this increasing demand. Tom Reagan, US cyber practice leader at Marsh in New York, has said: “We are counting on London. Cyber insurance is going to be a bigger and bigger market, but it’s going to be volatile and require the underwriting skills of London.”
In an increasingly digitised world however, the scale of the cyber threat and changing nature and complexity of the risks mean that the potential level of insurance cover which companies require is rocketing. It is not just data breaches driving the cyber insurance market anymore, with other cyber events resulting in business interruption and property or casualty damage.
As a result, industry experts have called for the government to step in and provide cover. Stephen Catlin, the founder of Catlin (the largest Lloyd's of London insurer which has recently agreed to a takeover by New York-listed rival XL), recently warned that cyber attacks constituted “the biggest, most systemic” risk he had seen and should be covered by governments as insurers’ balance sheets were not large enough.
Despite recent significant growth in the cyber insurance market, the restrictions on cover and tendency to charge high premiums illustrate the reservations amongst insurers about underwriting cyber security risks. Not only are such risks difficult to model, but, as Stephen Catlin pointed out, they can also have a systemic nature, which can result in simultaneous, potentially huge payouts for insurers to absorb.
Whether any such state-backed scheme will be established remains to be seen, but in any event, cyber security is certainly not a threat to be ignored and companies need to be reviewing their risk management processes to protect themselves, as much as they can, against this ever increasing and evolving threat.