The risk of a cyber-event is a clear and present danger for UK business and now sits among UK firms' leading risks, both in likelihood and in severity of impact. Cyber-risk is classed as a tier one threat in the UK National Security Strategy and is a key priority in the National Crime Agency's current Annual Plan.
Is UK business covered?
One would assume it follows that businesses are insured against losses caused by cyber-attacks. However, numerous questions have recently been raised over the insurance industry's appetite and ability to deliver effective policies covering cyber-risk, and over the consequent value to the businesses that buy them.
Insurance broker Marsh recently surveyed risk managers and CFOs from more than 100 large and medium-sized UK firms. The survey revealed some alarming statistics:
- A substantial drop in respondents who feel they have a complete understanding of their exposure to cyber-risk
- More than 50% of respondents do not list cyber in their top 10 risks, or do not have it on their risk register at all
- Cyber is a board level responsibility at less than 20% of companies
- Whilst a majority of firms say they either have cyber insurance or are seeking to buy it within the next 12 months, only 11% currently have policies in place
- 70% of respondents do not assess suppliers and/or customers for cyber-risk
Whilst the cyber-loss scenarios that respondents said posed the greatest threat, namely breach of customer information, business interruption, reputational loss and fraud, are all capable of being insured in the UK market, only 7% said that the insurance available meets all the needs of the organisation. Nearly half of respondents said they had insufficient knowledge to assess the products in the market.
Further, there is widespread concern amongst insurance buyers that whilst the basic coverage might exist in the market, understanding the policies and how they fit with existing, more traditional insurances is far from easy. This is not helped by over-complicated proposal forms issued by insurers.
A confused and confusing insurance offering
The picture this paints is of UK business as a whole recognising cyber as one of its biggest threats, but not fully understanding its own exposure. This is partly driven by an insurance market that is struggling to articulate its products and to offer clients what they need.
If risk managers struggle to obtain and fully understand cyber information that is held, sometimes too closely, within their own IT departments, what causes the failings on the insurer side?
- Insurers argue that a lack of knowledge of which events are likely to trigger a claim, and of their quantum and frequency, makes providing the right cover difficult
- Aside from the US retail market, there is undoubtedly a lack of available data, and an unwillingness to share the data that does exist, which makes pricing difficult
- Some insurers have claimed that cyber-crime is too big for them to handle. Unlike a physical catastrophe such as a hurricane, aeroplane loss or oil rig blow-out, where losses may be huge but can be modelled, tested and limited, cyber-crime is intangible and produces losses at multiple times in multiple places
- There is a somewhat cynical view that it will take a major catastrophic event for the market to take advantage of what will then be a clamour for such coverage
Is it therefore surprising that many businesses are cynical about products launched to protect them from losses related to cyber-attacks?
A missed opportunity?
So why are UK insurers running scared of what will surely be one of the most lucrative lines of business? The US, where plentiful coverage options exist and are bought, does not share the same concern. Is cyber really so different from other large losses? First-party losses, such as damage to IT systems, data and software, business interruption caused by downtime, reputational damage and so on, can be modelled and assessed. Third-party losses, such as investigation and defence costs and civil liability to customers, could be unpredictable and large, but with tight aggregation language and limits it should be possible to cap an insurer's maximum total exposure and still provide value to the client. Cover is available for operational failure as well as for malicious events. Whilst a cyber-event may simultaneously cause losses under more traditional covers such as business interruption, that should not stop policies being tailored and dovetailed together, certainly not when cyber is now routinely excluded from general liability policies.
Insurers need to change their attitude to insuring these less tangible things, move away from standard wordings and look at what each insured really needs.
Businesses need to focus on the key issues to get an effective policy:
- Review what coverage they already have in existing policies, for example Business Interruption, D&O and Corporate Crime, to see what cyber-risk is already covered and where the real gaps are
- The current focus is on hacking by external fraudsters, but our experience is that most crime is internal and this must be reflected in any policy
- More work and support needs to be given to risk managers so they can understand the risks to their business, and cyber insurance needs to be a board-level issue to drive this understanding and prioritisation
- More work needs to be done on defensive strategies and internal risk management. It may be a truism that a cyber-event is a matter of "when, not if", but one valid form of risk management is to constantly stress-test and scenario-plan around cyber-events: over 40% of respondents to the Marsh 2015 survey either did not have, or did not know whether they had, an incident response plan for cyber-events
- Businesses should adopt an "aggressive defence" strategy. For example, as part of the insurance package, businesses need to plan to act as soon as a cyber-fraud is detected, both to limit the immediate damage and to go after the fraudsters. It is possible to recover data and money obtained through data theft if the response is quick enough and the business can deploy the right specialists. This should form part of the insurance solution, without insurers losing control
Despite all the negativity in the press and the surveys, there are products out there that already provide cover that works. Companies need to be savvy about their risks, talk to brokers and lawyers who understand the nuances of intangible risk, and ensure that cyber-risk becomes a genuine board-level issue. As risk management awareness rises, insurers will continue to work on and develop their products. It is an evolving, dynamic market, and risk managers now have the opportunity to help shape its future.
1 Global Risks 2015 (10th ed.), World Economic Forum, Geneva, 2015
2 UK 2015 Cyber Risk Survey Report, Marsh, June 2015
3 KPMG International Information Integrity Forum Survey, KPMG, 2015