“I think cyber insurance is going to be one of those must-buys because there are only two types of businesses: businesses that know they have been hacked and businesses that don’t know that they have been hacked.”
The words of one of the most important figures in the insurance world, Lloyd’s of London CEO Inga Beale, speaking in an interview with Insurance Business in November 2016, are sure to resonate throughout the industry. In the insurance world, cyber is the new big thing – and cyber security is a risk that presents both an opportunity and a peril.
Why is cyber security so important to insurance?
Specialist insurer Allianz Global Corporate & Specialty released a study entitled A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity back in 2015, which highlighted that cyber crime as a factor on its own, was costing the economy around $445 billion a year – a number that was only likely to expand.
While cyber insurance itself is not a substitute for IT security, it does at least create an additional line of defence – something for businesses to fall back on in case the worst happens, something that can often occur particularly as the emerging threats often out-pace the security set up to counter them.
Cyber insurance is also a relatively untapped market, with the same research highlighting that less than 10% of companies currently purchase cyber-specific policies. In a 2017 report by research and consulting firm GlobalData, just one in 10 SMEs in the UK were deemed to be covered against cyber risk – but still that relatively low number has grown rapidly. Allianz suggests that in 2014 just 2.1% of British SMEs that had coverage, while by 2017 this figure had reached 13.7% – so while it is a relatively small market compared to other aspects of commercial insurance, it is one that is growing at a notable rate.
Cyber insurance: for a risk that’s only going to grow
The cyber insurance market has far from peaked because the rate of risks is only likely to expand particularly due to the increase interconnectivity of devices and ever expanding reliance on technology and real-time data.
The Internet of Things in particular, opens up a host of vulnerabilities; estimates suggest that there could be a trillion devices connected by 2020. In addition, there is the possibility of catastrophic losses becoming more likely, this is because a successful attack on the core infrastructure of the internet could have a massive influence on a wide scale; as could an attack on a utility or energy company. Outage of services, physical damage and even, potentially, the loss of life, could follow a cyber attack: particularly if it is linked to terrorism.
Action being taken to tackle cyber security
The importance of cyber security has expanded even further because attacks have become so mainstream. One of the most notable examples came in September 2016 when Yahoo reported that the personal information of at least 500 million of its accounts had been stolen – exposing around one billion users.
These attacks have prompted a host of initiatives to tackle cyber security. For example, in 2014, Cyber Essentials was launched by the Government which was meant to provide organisations with some standard basic procedures that they could follow to limit the chances of a cyber attack and at least take the first step towards becoming more resilient. In addition, a national cyber crime unit has been created within the National Crime Agency; and a network of centres for cyber security research was also established in-an-effort to provide research into new methods of making businesses more secure.
Cyber insurance has therefore entered the spotlight too and many insurers are creating policies that include some form of technical assistance – helping businesses to manage a breach as quickly as possible and providing a first point of contact. It is, of course, in the insurer’s interests to limit the effects of any breach and therefore reduce their own costs in the event of a claim.
The insurance sector hasn’t been blind to the expanding importance of cyber insurance. Most major insurers and MGAs now offer policies, with Pool Re, the Government-backed terrorism reinsurer, the latest to throw its name in the hat with CEO Julian Enoizi declaring in an interview with Reuters in March 2017 that its cover will be limited to cyber attacks that are linked to acts of terror.
For insurers the battle has been to get the message across of the importance of the cover to businesses that assume it just won’t happen to them. There are many well-established insurance policies, including professional indemnity cover, commercial property insurance and business interruption cover that already include aspects of cyber insurance meaning that many companies may even assume they are already covered against all risks. However, the reality is that for many of them there is a need to consider other specialised policies – especially if they hold sensitive details about their customers such as banking details; or if they are heavily reliant on IT systems in-order-to make their businesses function effectively.
Cyber insurance can make a recovery process quick and efficient – but as with most insurance cover it remains a “grudge” purchase. The key now is for insurers to put across its importance and turn it from a niche policy to one that businesses see as the necessity that today’s climate dictates it needs to be.