Why cyber insurance is just a sticking plaster to cover a gaping wound

Rocketing premiums and an insurance industry that is still trying to come to grips with cyber risk have left many organisations struggling to insure themselves against the financial consequences of a serious security breach.

It has now emerged, for example, that the massive cyber security breach suffered by giant US retailer Home Depot could cost the company billions of dollars, driven by legal suits from disgruntled customers and other costs. The company's insurance, however, is capped at only $100 million.

Other high-profile attacks thought to have heightened the insurance industry's perception of risk include those which hit Target Corporation, Anthem Inc and Premera Blue Cross.

Risk is difficult to quantify

As insuring corporations against digital security breaches is a relatively new field for the insurance industry, the level of risk is difficult to quantify. In other areas of insurance such as fire or physical theft, the insurers have decades of actuarial data on which to base their premiums. In the case of cyber insurance, the situation is exacerbated by the unprecedented escalation in criminal activity on the Internet and the mushrooming growth in cyber crime.

The massive costs being faced by companies such as Home Depot in the wake of major digital security breaches are now making insurers rethink their premiums. In some sectors, such as healthcare, which has been heavily targeted by organised criminal groups (OCGs), cyber insurance premiums are reported to have tripled as a result of the insurance industry's increased perception of the rising level of cyber risk.

Another problem faced by large corporations trying to manage cyber risk is the level of coverage needed to protect fully against the fallout from a major security breach. It is becoming increasingly apparent that the initial costs of getting a network up and running after an attack and bearing the immediate financial brunt of an attack are only the tip of the iceberg. Compromised client data, reputational damage and a loss of investor confidence are some of the areas where companies are seeing costs escalate in the wake of a major data breach.

There are also growing fears that the worst could be yet to come. A report released by Lloyd's and the Centre for Risk Studies at the University of Cambridge estimated the financial and insurance costs of a major cyber attack on the US power grid. The simulation assumed that 50 power generators had been taken down by a cyber attack affecting the power supply to cities including New York and Washington. In this scenario, 93 million people were left without electricity. The economic impact of such a cyber breach is estimated at between $243 million and $1 trillion. The report also revealed that such a major attack would have additional repercussions, with roughly 30 lines of business being caught up in the event's "insurance blast radius". Financial exposure ranged from property damage and interruption of business to general liability.

Given this level of potential liability, the insurance industry is having difficulty in providing the necessary cover. According to Geoff White, who is chairman of the Lloyd's Market Association's cyber business panel and an underwriting manager at Barbican Insurance Group, Lloyd's current capacity of $350 million to $400 million will need to rise in order to provide the kind of future coverage needed by large multinational corporations. The London insurance market is estimated to write roughly a fifth of global cyber premiums, with Lloyd's insurers carrying about three-quarters of the business.

But despite what must be acknowledged as serious teething problems, the cyber insurance industry is poised for rapid growth as chief executives become increasingly concerned about the risk a serious cyber breach could pose to their business. According to PwC, annual gross cyber insurance written premiums are set to increase by 200 per cent in the next five years, growing from around $2.5 billion today to $7.5 billion by the end of the decade.

Over 100,000 cyber attacks a day

However, while the insurance industry struggles to keep up with rising demand, the threat level continues to grow. According to PwC, there were almost 43 million global security incidents detected in 2014, the equivalent of over 100,000 attacks a day.

And it may not only be the target company which is affected. According to PwC: "All businesses operate within an increasingly interconnected and interdependent ecosystem, in which it is not just their own systems and data which are vulnerable but those of their suppliers, customers and strategic partners."

In order to guard against direct cyber attacks as well as those targeting a client or supplier further along the supply chain, it is important that, in the absence of truly comprehensive insurance cover, companies are seen to be doing their utmost to safeguard their data.

This means, at the least, instigating regular penetration testing by a third party, educating staff to be cyber security aware and installing best practice software capable of stopping increasingly sophisticated malware, 12 million new variants of which are being produced every month, according to independent German IT security institute AV-Test.

Stuart Poole-Robb is the chief executive of the security, business intelligence and cyber security adviser, the KCS Group Europe
