Increased awareness of operational cyber risk and business interruption should increase demand for insurance cover
While the majority of headlines surrounding cyber attacks have focused on data breaches, the number of publicised cyber business interruption events will increase. Businesses can be interrupted by cyber incidents in a variety of ways, including ransomware, denial of service attacks and human error. Criminals and malicious individuals know that organisations across all sectors are now almost entirely operationally dependent on electronic systems and that they can effect a significant impact on a business through simple and publicly available cyber attack methods.
In January 2016 Lincolnshire County Council lost access to its systems for over a week due to a relatively basic cyber attack. Such incidents and accompanying publicity are set to grow and stimulate emand for business interruption cover under cyber insurance policies.
Publicly acknowledging data breaches may reduce corporate reputational damage
Increasing numbers of highly publicised data breaches and the impending mandatory breach notification requirements of the General Data Protection Regulation (GDPR) are setting the scene for companies to be more inclined to publicly acknowledge data breaches as part of a planned response to manage reputational damage.
The GDPR will come into full force and effect in May 2018 and most companies in the UK and Europe do not legally have to notify breaches until that date. (The earliest date for Brexit currently appears to be towards the end of 2018, so roughly six months after the GDPR – see the GDPR entry in the Legislation section.) However, there is an increasing desire to follow regulatory guidance and be seen to do the right thing in order to protect corporate reputation. Suffering a breach is never a good thing but it is nothing compared with the public relations disaster that will follow if it emerges later that the company chose to keep regulators or customers in the dark.
Is cyber insurance the natural home for cyber crime cover?
In the last 12 months, we have seen the number of publicised cyber crime incidents increase. These include criminals using ‘Dear CEO’ phishing emails and spoof email accounts to trick victims into transferring funds or disclosing financially sensitive information. It is notable that while these crimes are labelled as a cyber risk due to their electronic methods, they are often just traditional duping crimes that simply exploit the weakest link: the human element.
The question is whether such losses ought to be insured under traditional crime policies or whether this is a new emerging risk which ought to fall to cyber policies. It remains to be seen how insurers and brokers determine where the risk should fall.
It is a matter of when, not if, a systemic cyber event will occur
Lloyd’s, the Prudential Regulation Authority and many industry bodies have published realistic disaster scenarios in order to stress-test resilience against systemic cyber attacks and their financial effect. The ‘Business Blackout’ scenario, in which Cambridge University studied the potential financial consequences of a cyber attack on the US power grid, estimated the total financial impact on the US economy at $243 billion with a potential to rise to $1 trillion.
Despite these hypothetical scenarios being based on smaller real events, there is no publicised example of a systemic cyber event. Many cyber commentators believe that it is a matter of when, not if, an event will occur. While no-one wants to see a catastrophic occurrence such as envisaged by the ‘Business Blackout’ scenario happen, we predict that we will see a small-scale systemic cyber event in the short to medium term.
Key developments in 2015/16