Insurance chief: cyber attacks are most serious threat to UK business
Lloyd’s of London turns attention to digital security after noting significant rise in protection enquiries
Britain’s largest insurer has urged bosses to put safeguards against cyber attacks at the top of their priority lists, after a Russian hacker reportedly stole £650 million from banks around the world over the past two years. Ranked as one of the largest cybercrimes ever recorded, the scam highlights the seriousness of the threats posed to globally wired businesses and national economies. Lloyd’s of London chief executive Inga Beale says that her organisation is preparing its clients for the new challenges they are set to face in this climate.
“Cyber risk poses the most serious threat to businesses and national economies,” she told the Telegraph, “and it’s an issue that’s not going to go away. The London market has a long, proud history of finding innovative solutions to insuring large, complex risks that are challenging to underwrite locally.”
Beale estimates UK companies lose up to £268m per year through cybercrimes, including the damage itself and subsequent disruption to the normal course of business – and in her view, the situation is only worsening. Over the past four years, the chief executive says, the size of the market for insurance contingencies has more than doubled, from less than £672m worldwide to approximately £1.6bn.
Worryingly, the bulk of cyber insurance is sold to US companies, leaving much of the rest of the world exposed. According to the government’s recent Information Security Breaches Survey Report, a whopping 90% of UK small companies have experienced a data breach. If there is an upside, it is an estimate from Allianz that Europe’s cyber-insurance market alone could be worth more than £670m by 2018, providing a crucial opportunity for emerging and innovative IT insurers to thrive.
Underlining the rapid growth in the demand for insurance against cyberattacks, underwriter Geoff White at Lloyd’s syndicate Barbican recently reported a 50% year-on-year rise in insurance submissions during the first quarter of 2015. “In general terms,” he said, “we’re continuing to see new customers purchasing cyber insurance and existing customers purchasing higher limits following recent high profile attacks. In terms of our customers, approximately 70% are first-time purchasers. We’re also seeing customers in those sectors that were affected last year – and in particular in the retail sector – looking to buy higher limits.”
Following its own assessment of the field, the UK government’s recent report, UK cyber security: the role of insurance in managing and mitigating the risk, encouraged bosses to invest more heavily in cyber security improvements in the private sector. The report concluded that businesses should align risk assessments with good practice, while incentivising good risk management – thereby reducing the need for direct government involvement and regulation.
However, a series of organisational and industrial trends could make it difficult for UK companies to improve their cyber-security arrangements. For example, cyber risk can be exacerbated by a heavy dependency on outsourced services, or by the use of homogeneous technology, meaning that a single technological flaw could damage several businesses at once.
Plus, even in the light of copious data, there is no reliable means of quantifying the effectiveness of a typical cyber-security policy. As Phil Huggins – vice president of security science at Stroz Friedberg – recently wrote in the Actuarial Post: “Without a causal link from implemented cyber-security measures to improved risk outcomes, it is difficult to differentiate [clients]. From a premium perspective, they each get a general market cost, rather than an individual tailored cost. This incentivises no one to improve which, to insurers, is akin to a ‘lemon market’ for selling cyber risk.”
He added: “There is also a moral hazard of sorts in that the purchasers of cyber-risk insurance are not closely involved in the day-to-day cyber-risk management, which is often performed by IT staff who are incentivised to deliver business benefits over business protection, out of the sight of risk professionals.”
Image of Inga Beale courtesy of Lloyd’s of London.