Cyber security is a prominent issue currently preoccupying the businesses world. There is a realisation that rather than just being a “tech industry issue” it has the potential to be an issue for all.
Whilst recent statistics show that 81% of large businesses and 60% of small business suffered a security breach in 2014, not only do many business leaders not know that insurance has the potential to cover cyber risks, only 2% of large firms have explicit cyber cover and 0% of small firms have any such cover.
For this reason, in March 2015, HM Government released a report (which provided the above statistics) on the threat of cyber security to UK businesses and the role of insurance in managing and mitigating the risk.
The report highlights how cyber-attacks occur, whether it be by attacking vulnerabilities in the IT infrastructure or whether by attacking the vulnerability in the human capital of the business by ‘social engineering techniques (such as phishing)’ in order to obtain personal credentials that will provide access to target IT systems. It also goes on to point out the potential damage caused from IP theft (generally the biggest fear of the larger firms) to physical personal harm which is an increasing concern given the increasing interconnectedness of everyday life through the Internet of Things. The most talked about source of damage is, however, reputational damage. One does not have to cast one’s mind too far back to remember two global online video platforms that were attacked by ‘hacktivists’, causing outrage, huge costs to the businesses and a severe drop in confidence in the respective companies.
A key focus of the report is the increasing importance of the role of insurance and how it not only may financially protect a business after an attack, but how it can also motivate and assist in businesses proactively avoiding becoming the victim of such malicious incursions to their virtual environment and intellectual property.
Issues for businesses…
The report outlines how firms can “get to grips with cyber risk”, as many businesses are unaware of how to initiate change implementing cyber security management. With this in mind, the Government has launched a Cyber Essentials scheme assisting businesses in this respect. It was noted that cyber-attacks can be ‘rapid, highly damaging, and public, potentially leading to a vicious cycle of declining investor and customer confidence and therefore cash availability’ and as such, businesses need to consider a risk management system overhaul reflecting the dynamic and fast-paced nature of cyber security including the implementation of appropriate insurance cover.
The value of insurance…
Three hypotheses were outlined which briefly underlined the value in insurance to companies:
- A financial incentive (through a reduction in premiums) may better one’s cyber security protocols and systems;
- Education and training from insurance companies can assist businesses through the insight and information the insurers gather from across their client-base and
- The experience of insurers in business recovery from natural disasters can be applied in a similar fashion to business recovery after a cyber-attack.
Businesses should also be encouraged to perceive good cyber-security as an additional “selling point” as well as a risk-limiting necessity.
From the report, it is clear to see that the Government is keen to convey that the UK has world-leading cyber security expertise and services.
Issues for insurers...
The report goes on to highlight that insurers themselves have much to do in assisting businesses. Many businesses do not regard insurance as a necessity or a tool to combat cyber-attacks and those who do, do not have the cover they believe they have. Much of this is down to the insurers themselves. Unclear pricing methods may lead to little understanding of the value of insurance from the business’ point of view. Furthermore, insurance contracts are complex and laborious and inevitably include many disclaimers and exclusions.
A question that arises often is the quantification of the risk. Identifying how sources of funding will respond from the impact of a cyber-attack is vital to the liquidity of a business. If businesses focus solely on the absolute loss (the more traditional method), although this will be important in the long run of the business, it will not be so relevant in a cash crisis.
Added to this, little price differentiation across firms and premiums set at three times the amount of those for other business-disruptive disasters, undermines the confidence businesses have in the pricing strategies of the insurers due to the perception that the insurers cannot adequately calculate the risks. This may result in complacency on the part of the businesses.
An issue for the insurers is the lack of data gathered about cyber damage resulting in less information upon which they can set their prices. This comes not only from the nascent characteristic of the cyber problem but also from the problem of non-reporting by the businesses who do fall victim to cyber-attacks.
Initiatives driven by the Government, the Association of British Insurers and Lloyd’s, as well as EU initiatives, are underway to address these concerns in order to help insurers clarify their policies and develop adequate data and insight exchanges with the aim of helping insurers provide appropriate cover.
So what about the insurance policies on offer…
As mentioned previously, the complexity of the policies offered by the insurers has the potential to be a hindrance to full-scale take up of cyber insurance. The report highlights that common gaps in traditional insurance policies can include:
- Exclusions removing cyber-attacks and explicit triggers of physical-asset damage;
- Damage to software and data not being covered (as it is deemed as an intangible form of property);
- Cyber-attacks that do not cause physical damage;
- Exclusions of unauthorised disclosure of personal information;
- Cover may be restricted to liability claims from customers only; and
- Others, such as computer virus transmission.
The report states that it is a necessary response for insurers to develop tailor made and dedicated policies that address the key risk factors of the clients whether this be bolt-on policies or stand-alone policies. It has be suggested that the insurers should provide a ‘statement of cyber assurance’ which would outline precisely what the policy covers and what it does not.
The role of the UK…
The UK is rapidly cementing itself as being at the forefront of all things tech. This has been confirmed by the newly appointed Whitehouse CTO, Megan Smith, stating that the US is years behind the UK when it comes to digital tech in government. London, in particular is emerging as a dominant force in the cyber security-focussed industries due to having the ability to tackle the complexity and the dynamism of the issues faced. Lloyd’s and UK Trade & Investment have collaborated to promote London’s virtues further around the world including the financial, legal, advisory and technical services that the Capital offers.