At a glance
- Reliable statistics on cyber crime are hard to come by
- Cyber crime is costing companies billions of pounds a year and is now seen as a catastrophic risk
- Insurance industry practitioners urged to shape the debate and encourage a competitive cyber insurance market
This article counts towards accumulating your annual CII CPD structured learning hours for Emerging Risks.
By reading this article, and correctly answering the three questions underneath, you will have achieved the following learning outcome: Summarise how the insurance market is responding to emerging risks.
The true cost of cyber crime has been estimated to be on average £300-400 billion a year.
And like major weather events and terrorism, cyber attacks can now be classed as a catastrophic risk. Businesses, too, are beginning to perceive cyber security risks as greater than other traditional risks such as natural disasters, fires and earthquakes.
Hackers are always on the lookout for weak points in a security system, and no single technology exists that will prevent a cyber attack. Even if there were, there is always likely to be an unavoidable lag between the onset of new threats and the development of new technology to prevent them.
The need for cyber control
Cyber insurance, though, is developing rapidly to cover these risks and the range of cover in this competitive market has expanded considerably over the past few years.
But despite these developments, many firms still do not possess cyber insurance, because of its perceived high cost, because of a lack of understanding of what is and isn’t covered, and because many believe they will never suffer a cyber attack.
However, the UK government estimated that 93% of large corporations and 76% of small businesses suffered a cyber attack in 2012; and the Association of British Insurers advises firms that specialist cyber risk policies are needed to complement existing insurance policies to provide adequate cover for such a loss.
But merely purchasing cyber security insurance could also give rise to a situation of moral hazard as companies may then be loath to spend money on technology solutions and cyber controls – thus transferring their risk entirely, rather than investing in risk mitigation efforts to improve their cyber security.
It is essential for businesses to have a comprehensive risk strategy, which involves human strategies, technology and insurance. And companies should be motivated to continually improve systems and processes that protect their networks and data.
“With car safety, for example, you can reduce the risks – and your premiums – if you are an old driver rather than a young driver and with the size of the car,” said Professor Udo Helmbrecht, Executive Director of the European Union Agency for Network and Information Security, or ENISA, a European Union body that monitors cyber crime.
“This approach could be adopted with cyber security, and you could pay a lot less for your insurance if you have in place things like firewalls, virus protection and business continuity.
“And by doing this, the insurance sector would, over time, encourage an increase in IT security levels.”
Putting these carrots in place may be laudable, but insurers themselves still do not necessarily know what the best line of approach is in terms of risk management for cyber security, due to the ever-changing dangers. This is despite the fact that the risks that arise in cyberspace, such as intellectual property theft, lost profits, privacy and reputational damages, are not new.
“With cyber crime, what you can insure for is loss or damage to goods, but there is yet to be an established business case for insuring intellectual property or loss, espionage and other things,” said Helmbrecht at ENISA.
Reliable statistics on cyber crime are also hard to come by.
“It is difficult for insurers to build up an accurate picture of the true scale of cyber crime because a lot of firms do not report anything to the police if something is stolen in cyberspace,” added Helmbrecht.
“So, if you don’t have real numbers, the maturity of this sector is not there. What ENISA is trying to do is bring insurance companies together behind closed doors – we started this with the banking sector – so insurers can debate what the challenges are and over time develop a proper understanding and also business models for cyber security.
“But because of competition and insurers looking to protect their business models, it is proving a little difficult. Insurers could be doing more in this field.”
On both sides of the Atlantic, though, policymakers are busily trying to crack down on cyber crime with various data protection rules mooted, although many of these new regulations are likely to prove onerous to businesses and organisations in the years to come.
And despite the insurance industry slowly approaching something of a critical mass in the cyber security market, more can still be done by governments and insurers alike. Action, though, is beginning to happen. The UK, for instance, is setting up a new cyber unit to defend national security.
But there is still the chance to shape and define the debate, and insurers and other industry practitioners are being encouraged to develop the standards, procedures and other measures that will reduce the cyber threat in the years ahead.
“The goal of [insurance industry] collaboration would be to build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market,” said Michael Daniel, the US Cyber Security Co-ordinator and also special assistant to President Barack Obama, in his August 6 blog.
But despite all of this, as long as technology evolves, this cyber threat is always likely to be upon us.