Cyber security and insurance — where do we even start?

October 27, 2015 Nigel Walsh


Vice President and Head of UK insurance at Capgemini, Nigel Walsh voices his findings around the rise of cyber crime and the impact on insurance. Due to a recent and hugely public spate of cyber ‘events’, the world of cyber security and subsequently cyber insurance is firmly in overdrive.

According to the UK Department for Innovation and Skills, 81% of large businesses and 60% of small businesses suffered a cyber-security breach in the last year, and the average cost of breaches to business has nearly doubled since 2013.

We have all seen the headlines, from Sony last year, to British Airways recently, to the French TV channel TV5Monde. The severity and importance of each of these have material impacts on not only their ability to do business, but also their brand and reputation as a customer, employee and partner. Sony was clearly hugely public, by far one of the biggest and most public I have seen hit the news for a long time. It was all over most news channels, causing outcry from customers and employees, some of whom threatened to sue their employer or former employer for failing to protect their data. Sony of course have had many attacks, including taking down their PlayStation online platform for days on end. As for BA, the first I heard of this was an email saying ‘someone has accessed your account. Please come change your password!’ This is the brand that I trust with my personal details, my location and much more.

Finally, TV5Monde seems to be particularly worrying to me. In a scene that reminded me of the wonderfully played Elliot Carver from 007’s Tomorrow Never Dies, the media giant was quite simply disabled, their TV taken off air, their public online presence taken over and more. An attack of this scale and power to me simply highlights what Hollywood has been portraying for years (remember Die Hard where they take over the airport by hot wiring a few cables nearby?). Interestingly, subsequent reports again point to human error here: a TV interview showing passwords stuck to Post-it notes and more.

If we are in any doubt about the frequency, scale and impact of attacks, I found a great website recently that visualises some of the data breaches by year, industry and size, reason and more, which includes a full interactive chart.

So what is it?

Cyber threats have been defined by many, however like many other critical business issues, lots of other things are being added to the overall ‘cyber’ definition. The recent report from the UK Government on insurance talks through both the threat and importantly the opportunity for insurers.

The World Economic Forum in their 10th Annual Global Risks Report has cyber risks up with water crisis and natural catastrophe and ahead of WMD (weapons of mass destruction), infectious disease and fiscal crisis (in terms of likelihood of occurrence). Water crisis is on a similar level, and ahead of fiscal crisis. Given what we have all experienced in the last recession, I don’t think we could have a stronger wake-up call.

For now, and certainly as I write today - there is a small correlation between cyber-attacks and loss of human life. However, as we become ever more connected with IoT or IoE, future devices will all be connected. In a recent report from the Guardian, the government have said that 14bn objects are already connected to the internet, 40m of them in the UK. By 2020, it could be as many as 100bn worldwide.

The upsides of being able to monitor your heart pacemaker or your insulin levels from an app are already upon us; wearables is the buzzword for 2015. When these devices move from monitoring to controlling, the threat just increases. A cyber-attack at a local level, vs shutting down a hospital, airport, city traffic system, taking over a driverless car or airplane: it’s far too easy to paint a picture here.

What’s the role of the insurer in all of this?

The insurance provider has a huge role in this, not only to pick up the pieces when an event occurs, but also across the entire lifecycle. At the outset, there is an opportunity to better educate the market on cyber risks in general, to create insurance capacity for the event and ultimately to better prepare for the ongoing advancement and frequency of attacks.

[Figure: Top Global Risks According to the World Economic Forum]

This goes far beyond the Cyber Essentials (government scheme) to better prepare SMEs and large enterprises alike. This is not collecting a badge, this is the time to get ready for a battle. Not just a battle against cyber threats, but a battle for your reputation and brand. A brand that says to your employees, customers and partners: you can trust me with your information, I have a plan in place that’s tried and tested! The government scheme has covered the bare minimum essentials, but this is like passing your driving theory test. We need expert drivers here to navigate roads no one has previously seen.

The UK and London market specifically is already well placed given its deep experience in insuring against speciality risks; however, capacity in the market will continue to increase as the threats and frequency of events increase, giving rise to new, more tailored products and opportunities for the entire market. How long will it be before we all have our own personal cyber insurance policy?

Move to prevention rather than cure 

We need to better help organisations truly understand the cost of putting this right after the event. As an example, some estimate that the Target breach in the USA cost them north of $100m to correct. In their early earnings call post the event, they cite “The breach resulted in $17 million of net expenses in the fourth quarter, Target said, with $61 million of total expenses partially offset by the recognition of a $44 million insurance receivable.” Hindsight is wonderful, but perhaps a fraction of this upfront would have saved this money and, importantly, time to focus on the business strategy, not remedial work.

Reputation, Reputation, Reputation

It’s already been widely discussed, but insuring an organisation’s reputation is challenging for a number of reasons. Of course almost anything can be insured; however, defining what the impact is, then working out what you need to be covered for, and what cover you need for something that most would describe as intangible, will no doubt bring additional challenge. The Insurance Times have a good piece on insurers becoming more innovative at covering reputational damage.

More importantly, what’s the short, medium or long-term impact and value on the reputational damage? Take your favourite or most used retailer, give them all your personal financial data and shopping habits. They then suffer a breach – how likely are you to use or recommend them again? Maybe you would forgive them for one breach, what if it happened again? It’s too easy to move. I read that in the UK you are more “likely to suffer a theft from your bank than be physical burglary” these days. Does this impact your future choice? How long does it take you to reestablish trust with your customers, employees and partners? Typically, reputation risk is ~5-20% of cyber cost. However in reality it’s the gift that keeps on giving that no one really wants.

What if you are an online-only business? What if you were the ones who disrupted your market through technology and now that has been taken away from you? You don’t have the luxury of physical outlets as a backup or alternative part of your business plan. Dealing with other breaches such as shoplifting in these has been an occurrence since retail began; these were, however, isolated to the individual locations.

SMEs especially are not as well equipped. On one hand digital makes it easy for anyone to create a new business; on the other hand we must now factor in the cost of doing business online, of which cyber is now business critical.

What do you think?
• Are we prepared and doing enough across the sector?
• Is this at the forefront of your business continuity strategy?
• Have you got a plan in place to protect your employees, customers and partners?
• Do you have cover or adequate cover, which is well enough defined?
• Are you investing ahead of the curve to prevent it?

This article is an extract from SSP eye issue 6
