The recent Cyber-attack involving digital criminals asking for a ransom is proof that Cyber-crime can no longer be referred to as just a "Threat" or as a topical subject that we mention on the agenda of a boardroom meeting. It is here and it’s spreading like the plague...for all those that are less prepared.
In the UK, the National Health Services (NHS) was the most affected, causing much disruption in the sector. The Ransomware that hit the NHS in England and Scotland, known as Wanna Decryptor or WannaCry, has infected 200,000 machines in 150 countries since Friday.
Europol, the EU's law enforcement agency, has called the cyber-attack the "largest Ransomware attack observed in history". Luckily, as I type some recent reports are indicating that the situation is somewhat stabilised and there is no sign of a second spike, yet disruptions prevail.
To combat these threats all organisations are encouraged to assess their information risks, and then treat them according to their needs. Everyone is a target and every organisation must consider its cyber exposure.
Understanding your online footprint: taking concrete steps to protect your organisation's data is the only way to reduce the risk of your data being exploited. In the Insurance sector the balance of power is shifting towards the consumer.
What was a small corner of the insurance industry known as cyber risk is now poised for explosive growth in the coming years, but its very nature means that more than most types of insurance, its development will be shaped by technological changes. Cyber insurers face unique risks and challenges as they forge ahead into a 21st century where data can be as valuable as any monetary asset and just as vulnerable.
An intangible risk
The cost of Cyber-crime in the United Kingdom was estimated at nearly £30 billion in new research recently published by Beaming. However, according to PWC and a recently published report, it has discovered that among an aging workforce and Artificial Intelligence, one of the most significant challenges faced by insurers is the management of risk and another is cyber-insurance. Unlike other insurance sectors, cyber risk insurance does not have access to the type of actuarial data used to make predictions about risk. This has resulted in uncertainty in the sector. Many experts have suggested that using the captive insurance market as an incubator to build up more complete data may be the best approach to developing this segment.
Unfortunately, unlike property loss, the cost of a data breach is difficult to assess. Cyber liability is a broad term that covers a number of potential scenarios that goes beyond the cost of data breaches and includes protection against extortion, intellectual property theft and third-party damages that result from a lack of access to a site.
One possible solution is to assess the loss of income suffered by a company due to a data security breach and pay out the difference. Increasingly, insurers are finding the Cyber risk market to be one in which policies may be written collaboratively based on an organisation’s unique needs.
Greater potential risk
Whilst a Cyber-breach may mean exposure of customer data, tarnishing of an organisation’s reputation or a period of downtime for a website, some industries potentially face much greater risks. For example, a breach at an energy company could ultimately result in an explosion. Moving into the future, Cyber risk insurers will need to consider how to serve industries in which the worst-case scenarios might lead to such catastrophic events.
Most recently, the NHS came under attack when it was targeted to exploit a Microsoft weakness. 47 NHS trusts reported problems within its hospitals, GP surgeries or pharmacies. This breach in particular came with a multitude of associated risks including: loss of data, cancelled appointments, system downtime and changes to planned treatment. Although it has not been reported at this time, the most sever risk associated with a breach such as this on the NHS could easily have been life or death.
Educating the customer
The 2015-2025 Lloyds City Risk Index survey revealed that Cyber risk is the fourth most likely driver of expected loss in London, it sits behind a Market crash, Oil price and a Flooding.
Despite this awareness, it is understood that insurance agents still find many companies think they do not need Cyber risk insurance, or that Cyber risk is small for them. Furthermore, organisations may not be aware that the existing commercial liability cover or property insurance do not cover Cyber breaches. Cyber cover is usually provided as a standalone policy.
Even security professionals are not always aware of the existence of Cyber risk insurance or of its scope. Some insurers that offer Cyber policies have yet to sell one.
Even for companies that have sold policies, many of them have not yet dealt with any claims. Furthermore, brokers and insurers are struggling to find people with the expertise needed to build teams dealing with Cyber risk insurance.
One of the most significant results for insurance companies with a lack of expertise, is that they are improperly or incompletely assessing risk for the organisations that they do insure. Seasoned security professionals could carry out a thorough risk assessment, but in lieu of that, many insurers are instead providing clients with fairly simple questionnaires regarding their security. This may lead to insurers charging too little for their policies.
This lack of experience throughout the industry may lead to other pricing disparities as well. At such an early stage in the sector's existence, insurers simply do not have the data they need to assess whether they are pricing policies in accordance with risk.
Rapidly evolving technology presents yet another challenge. Insurers will need to stay abreast of technological developments and the potential damages that hackers may inflict, and this is yet another reason it is crucial that the industry successfully recruit people with the expertise to assess risk.
Assessing intangible risk currently presents a significant challenge to the industry. However, companies can examine the impact of Cyber-crimes to date and continue fine-tuning their policies as they move ahead into a profitable future.