In a recent FT article, Janet Williams, the lead on cybercrime initiatives for the Association of Chief Police Officers, commented that insurers should only provide cover against cyber attacks to companies that meet a minimum cyber defence Kitemark standard.
Cyber attacks have now been upgraded to a “tier one” national security threat. Government statistics estimate that cyber attacks cost businesses approximately £21bn a year, and high profile commercial victims of cybercrime include Sony and Lockheed Martin, the military supplier. More recently, the website of the Serious Organised Crime Agency (SOCA) was subjected to a Distributed Denial of Service (DDoS) attack, in which a site is flooded with requests from many sources at once with the aim of making it inaccessible to legitimate users.
In November 2011, the police central e-crime unit worked with various UK banks to convict members of an international cybercrime outfit who used a computer virus to steal £3m from online banking customers. This kind of collaboration signals a willingness among businesses and financial institutions to share information about attempted cyber attacks, both to help the police combat cybercrime and to improve their own risk management procedures.
Another area of exposure to cyber attack will be operations for the London 2012 Olympic Games this summer: the organisers are already gearing up to deal with cyber disruption based on the experience of the 2008 Beijing Games, where operators reportedly faced 12 million attempted cyber attacks a day despite extensive firewall protection.
Insurers have responded to the notion of establishing minimum security standards to prevent cyber attacks through the launch of The Cyber Insurance Working Group. The Group comprises technology insurers including Liberty, Zurich and CNA Europe, plus specialist technology insurance broker Oval. Other insurers selling cover for cyber attacks and security/data breaches could be keen to participate.
The Group plans regular meetings to develop a framework of recommended information security practices and procedures, including adequate business continuity plans and corporate information security policies.
The aim is that insurers providing security cover will be able to demand a specific, structured demonstration of commitment from their insureds, and ultimately avoid the costly fallout from claims. This matters particularly where there is little scope for insurers to make any significant recoveries from the attackers in the event of a loss. Cyber attacks involving a complex web of data/security breaches and multiple individuals can be difficult to prosecute through the criminal courts, and whilst companies and insurers may want to pursue civil cases against cyber offenders, it remains to be seen whether those actions would face the same obstacles.
The benefit to insured businesses that implement the minimum standard will be a strengthened security infrastructure and better mitigation of their cyber risk.