Cyber insurance: What and why?
High-profile cyber-attacks are fast becoming the norm in modern society, with 2016 being arguably the worst year for major security breaches. National Crime Agency statistics released earlier in the year reinforced this, revealing how last year saw cybercrime overtake more traditional forms of crime in the UK for the first time.
Logic suggests that this trend is only progressing in one direction. Why look to target an individual office property when entire businesses can now be financially exploited and brought to a standstill remotely?
Although most of the headlines focus on the large-scale breaches affecting multinational corporations, a whole host of small and medium-sized enterprises are increasingly suffering from data breaches, creating a “fear factor” among many organisations. It’s this fear factor that has led to widespread adoption of cyber insurance. Our recent research found that UK insurers saw a 50% rise in demand for cyber policies during the course of 2016.
The development of cyber insurance
The primary aim of cyber insurance is to protect individuals and organisations against the financial fallout from the loss of electronically stored information. For years, insurance has been purchased to protect physical property from loss, theft or damage. Only recently, however, has the importance of buying cyber insurance been fully realised, as we see the value of electronic data far exceed that of physical property.
While cyber insurance legislation and regulation have been present since the turn of the millennium, rapid technological development over the past 20 years has ensured this arena remains anything but static. As such, cyber insurance has had to adapt to the way in which society uses technology as a key part of modern life. It is now being purchased to address the concerning rise of cybercrime, which comes in various forms, from ransomware and phishing scams to cyber extortion and hack attacks similar to those experienced widely toward the end of 2016.
Current policies help victims of cybercrime in various ways from a financial perspective. This might include covering any costs related to IT specialists, regulatory investigations or forensic investigators. Arguably more important, cyber insurance policies help victims to manage cyber incidents, enabling access to specialist providers who understand all aspects of cybercrime and its consequences.
Times are changing too. When cyber insurance was first introduced, obtaining quotes could be an incredibly tedious affair. Pre-requisites would often include on-site audits and essay-like technical application forms. Nowadays, coverage can be obtained in a much more efficient manner by completing just a few questions, including key financial information, previous loss history, and basic risk management. We now find ourselves in a position where we have over twenty insurers offering cyber policies across the UK, helping to further simplify the underwriting process and drive down prices.
Furthermore, as cyber insurers aren’t yet able to calculate the consequences of specific controls (depending instead upon standard portfolio management techniques to cover loss ratios), cyber insurance tends to contain fewer obligations with regard to risk management than a typical property policy. Unlike usual property policies, which may state clearly what type of alarm to fit or what variety of lock to have on your doors, cyber insurance policies are much more flexible where risk management is concerned.
Despite the advancements and the increasing ease with which it can be adopted, less than 10% of UK firms purchase some form of cyber insurance, as opposed to more than 25% of businesses in the US. Industry experts believe this is likely to change at an unprecedented rate as cybercrime continues to instil the ‘fear factor’ amongst UK businesses, and as individuals and firms gain a better awareness of how cyber insurance policies really work.
Growing market equals increasing claims
With an increasing number of policyholders – creating a fast-expanding cyber insurance market – the number of claims is inevitably on the rise. We handled over 200 events in the first half of 2016, with nearly a third of these relating to data breaches and over a fifth linked to electronic fraud. Other instances included ransomware, malware and denial of service attacks. Most of these attacks have caused relatively minor damage so far, with the majority tending to be less than £50,000. That being said, the potential financial devastation for businesses is huge. One targeted attack in 2016 cost a small business over £1m after hackers deleted all company data having gained access to their network.
The full effects of cyber-attacks are even felt by organisations not directly compromised. These indirect, so-called “phantom breaches”, have steadily increased in recent times, with the Yahoo hack late last year providing just one example. Over a billion internet users had their data stolen, but this wasn’t the end of the story. Many customers use duplicate passwords and usernames across a number of websites, and this enables attackers to easily exploit other sites once they’ve carried out the initial attack, even if those sites are themselves secure. This demonstrates just how devastating the knock-on effects of such breaches can be.
The responsibility of the insured party
In spite of the increasing importance of cyber insurance adoption, the claim that “cyber insurance doesn’t pay” has often tainted the perception of this line of cover. This follows cases where businesses fail to correctly or fully complete policy applications, leaving them without cover in certain scenarios. Too often, however, it is the insurers who are portrayed in a negative way.
These instances of invalid claims can be reduced through effective collaborative efforts between the insurer and insured party.
From the insurer’s perspective, it is not about whether the insured party has strong or weak security controls in place, but whether they describe them accurately on the application form. This is true of any other line of insurance – you wouldn’t say that you have an alarm in your house if you didn’t – and this is where insureds might run into trouble. However, there are obviously cases where the questions can be misunderstood or misinterpreted; for example, a business might say they encrypt all their data, when in fact it is only password protected. So, in turn, it is the responsibility of the insurer to ask the questions in a clear way, and to explain further any security concepts that might be complicated.
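The “encrypted versus password protected” confusion above is worth making concrete, because it is the difference between data an intruder cannot read and data that is merely behind a login. The following is an added example, not code from the article or from any insurer: a password-gated store keeps the record on disk as plaintext and only checks a password before handing it back, whereas an encrypted store derives a key from the password and writes only ciphertext. Everything here is standard library; the keystream built from HMAC-SHA256, the 200,000-iteration PBKDF2 setting and the sample record are assumptions made for the demonstration, and a production system would use a vetted AEAD such as AES-GCM from a maintained library instead.

```python
# Added example (not from the article): "password protected" versus "encrypted"
# storage, standard library only. The HMAC-SHA256 keystream below is an
# illustrative construction; use a vetted AEAD (e.g. AES-GCM) in production.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)


def _derive_keys(password: str, salt: bytes) -> tuple:
    """Derive a 32-byte encryption key and a 32-byte MAC key from a password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


class PasswordGatedStore:
    """The 'password protected' case: a login check guards the read() call,
    but the record itself sits on disk as plaintext. Anyone who reads the
    disk, a backup or a memory dump gets the data without the password."""

    def __init__(self, password: str, record: bytes) -> None:
        self._salt = os.urandom(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, ITERATIONS)
        self._on_disk = record  # stored verbatim

    def read(self, password: str) -> bytes:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, ITERATIONS)
        if not hmac.compare_digest(candidate, self._pw_hash):
            raise PermissionError("wrong password")
        return self._on_disk

    def on_disk(self) -> bytes:
        """What someone who bypasses the application and reads storage sees."""
        return self._on_disk


def encrypt(password: str, plaintext: bytes) -> bytes:
    """The 'encrypted' case, encrypt-then-MAC: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + ciphertext + tag


def decrypt(password: str, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a wrong password fails closed."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def contains_plaintext(stored: bytes, secret: bytes) -> bool:
    """The question the application form is really asking: is the record
    readable from what is written to disk, without the password?"""
    return secret in stored


def demo() -> dict:
    # Constructed sample record; not real customer data.
    record = b"customer=jane@example.test;dob=1980-01-01;policy=CYB-0001"
    gated = PasswordGatedStore("correct horse", record)
    blob = encrypt("correct horse", record)
    return {
        "gated_exposes_plaintext": contains_plaintext(gated.on_disk(), record),
        "encrypted_exposes_plaintext": contains_plaintext(blob, record),
        "round_trip_ok": decrypt("correct horse", blob) == record,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the gated store still exposing the record to anyone who reads the underlying storage, while the encrypted blob does not; that is the distinction an applicant needs to understand before ticking “all data encrypted” on a proposal form.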
Further collaboration amongst insurers and insured parties, along with more government proactivity, would prove hugely beneficial. The government has certainly made a solid start. Introduced in 2014, the Government’s Cyber Essentials scheme educates companies both on how to reduce cyber-attacks and on how to keep the resulting costs as minimal as possible if a hack is successful.
Good cyber hygiene should be the first line of defence for any business. Unfortunately, statistics indicate that the majority of UK businesses, especially SMEs, are likely to suffer a security breach within their lifetime. As such, we advocate a two-pronged strategy: investing sufficiently in up-to-date security and risk management practices, alongside implementing a strong insurance policy for when a cyber-attack does occur.