Cyber insurance – what and why?

The last few years have been filled with high-profile cyber-attacks, with 2016 being arguably the worst yet. Major security breaches, such as the ones at National Lottery and TalkTalk, hit the headlines nearly every week, and to round the year off, Yahoo revealed it had the personal data of 1 billion accounts breached back in 2013. But these are just the attacks that are hitting the headlines; underneath the media’s radar, small and medium sized businesses are dealing with these issues every day. 

In 2016, the National Crime Agency revealed that cybercrime had officially overtaken traditional crime in the UK. Rather than masked burglars holding up bank tellers and shop clerks and stealing physical goods and money, it’s far easier, and quicker, to hack a business’s systems. Crimes once committed on a local, personal level are now being committed on a massive global scale without the need for criminals to go anywhere near the individuals or businesses they’re targeting. 

How – and why – cyber insurance was developed

Although individuals and businesses are accustomed to buying insurance to protect their physical property, few understand the value of the information they store electronically. But believe it or not, the value of this data now generally outstrips the value of physical property and contents, and the primary objective of cyber insurance is to protect against its loss. In particular, cyber insurance addresses the new world of electronic crime, which includes everything from malware infections and phishing scams through to cyber extortion (where data is held for payment) and hack attacks on telephone and computer systems, and much more.

Cyber insurance policies have actually been around since the dot com boom in the early 2000s, but have evolved to address the way in which we now use technology as an integral part of our everyday lives. Not only do they protect against the potentially devastating financial fallout for victims of cybercrime - covering the costs associated with forensic investigators, IT specialists, breach notification to customers and clients, specialist PR firms, regulatory investigations and legal actions – but they also help you quickly and effectively manage cyber incidents by giving you access to specialist providers who truly understand these crimes and their consequences.

More than 20 different insurers now provide a cyber insurance product in the UK. This recent surge in new offerings has helped to drive down pricing and has forced insurance companies to simplify and streamline the underwriting process. Coverage can be obtained by answering just a few simple questions, including key company financial information, basic risk management and previous loss history. This is a far cry from when cyber insurance was first developed, where twenty page detailed technical application forms and on-site audits were a standard pre-requisite for obtaining a quote.

Also, contrary to popular belief, cyber insurance generally contains fewer obligations in terms of risk management than a typical property policy. Where a property and contents policy might stipulate what kind of lock you must have on your windows or what type of alarm should be fitted, cyber insurance policies rarely dictate risk management criteria. This is largely because insurers are not yet able to actuarially quantify the impact of certain controls, and instead rely upon standard portfolio management techniques to protect their loss ratios.

Despite these developments, adoption rates for cyber insurance in the UK remain surprisingly low, particularly when compared to the US. Even with the steep rise in cybercrime and the increased reporting of large cyber incidents over the last few years, less than 10 per cent of UK businesses purchase a standalone cyber policy, compared to more than a quarter of all businesses in the US. 

This low rate of market penetration can generally be explained by a lack of awareness and understanding of how a cyber insurance policy really works. But this is changing. In a recent survey we conducted, UK insurers said that they have seen a 50 per cent increase in demand for cyber insurance over the last twelve months and industry experts believe this line will grow exponentially in the coming years.

Increasing adoption leads to growing claims

As the UK market for cyber insurance develops, so will the claims. At CFC, we now handle a cyber security incident on behalf of policyholders every single day. In the first six months of 2016 alone, we handled over 200 events, including data breaches (31 per cent), electronic fraud (22 per cent), ransomware (16 per cent), malware (7 per cent) and denial of service attacks (5 per cent). Although many of these events cause relatively minor damage - with the average cost of a claim still less than £50,000 – there is still potential for serious business disruption. One targeted attack cost a small business over £1,000,000 when hackers were able to gain access to their network and delete all of their data, including back-ups, after the victim failed to pay a ransom.

Businesses don’t even need to be compromised themselves to feel the effect. After the revelation late last year that Yahoo lost the personal data of 1 billion internet users, we have seen a steady increase in so-called “phantom breaches.” Many of us use the same usernames and passwords across several sites, and a phantom breach – also called “credential stuffing” – occurs when usernames and passwords stolen from one place are used to exploit other sites, even if those sites themselves are secure. The Yahoo breach and others like it have an immense knock-on effect on smaller businesses as login details are used to commit online fraud on a mass scale. 

But clearly cyber insurance is only part of the answer, as good cyber hygiene has to be the first line of defence. Unfortunately, statistics show that the vast majority of UK businesses – SMEs in particular – will experience a security breach in their lifetimes. That’s why we promote a two-pronged approach of adequately investing in good risk management practices and updated security as well as getting a strong cyber insurance policy in place should the worst happen. 

Graeme Newman, Chief Innovation Officer, CFC Underwriting
Image source: Shutterstock/jijomathaidesigners