Alexandra Foster, head of insurance and strategy, global banking and financial markets, BT, explains why cyber is a huge opportunity.
The problem of cyber crime is ubiquitous and the need to build resilient defences is common to every organisation in any industry. Insurance brokers are no more or less vulnerable than any other sector. However, what differentiates the insurance industry as a whole is that the growth of cyber crime is a commercial opportunity.
It’s fair to say that cyber attacks are growing in intensity, frequency and scale. And thanks to a stream of high profile stories about hacking and data loss at some of the world’s biggest organisations, business leaders increasingly understand that the threat of cyber crime is real and here to stay.
No surprise then that cyber security insurance is one of today’s fastest growing product lines for the industry. PwC says that the global cyber insurance market could grow to $5bn in annual premiums by 2018 and at least $7.5bn (£5.1bn) by the end of the decade.
The British government really understands the issues and has ambitions to make the UK a world centre for cyber security insurance. However, there’s a significant gap in business awareness. A 2015 study by HM Government and Marsh found that around half of firms interviewed were unaware that insurance was available for cyber risk, and less than 10 percent of companies have cyber security insurance in place.
Insurance brokers have a central role to play in closing this gap by helping UK businesses and public sector organisations understand the risks of a more digital world and put in place appropriate measures, including insurance. But to develop successful products for the digital age, insurance companies and their broking partners must first understand the nature of the threats so they can analyse and accurately price the risks.
New technology, same old crime
The first thing to appreciate is that attacks on businesses are not a new species of crime. Theft, fraud and extortion have gone on for centuries. The second point is that most cyber crime is not the work of a handful of teenage hackers but of highly organised, professional, global criminal gangs, and even state entities, with sophisticated tradecraft: they buy malware online, rent botnets by the hour and compete for the best talent (often those teenage hackers). It’s no exaggeration to describe them as criminal entrepreneurs.
A recent report by KPMG and BT, Taking the offensive, disrupting Cyber Crime, argues that we need to treat these cyber criminals like challenger brands. That is, we need to understand the business model of the criminal entrepreneur and work out how to disrupt it. To this end, partnership is absolutely fundamental. Criminals collaborate and so should the good guys.
By working with trusted partners (in financial services, government and in wider industry) we can share situational awareness and alerts for visible and invisible threats. Initiatives such as the joint industry/government CiSP (Cyber-security Information Sharing Partnership) help raise the bar and make it harder for criminal action to succeed.
One size fits nobody
Current cyber security insurance products on the market tend to be one-size-fits-all, and some have so many exemptions that they don’t actually provide much protection.
UK plc needs a much greater variety of cover, which can be fine-tuned to each organisation to match its security performance and the board’s attitude to risk. Insurers and brokers should work more closely with cyber security specialists to develop assessment tools and packages that will help them to write more tailored policies.
We can’t ignore the possibility that cyber security insurance might breed complacency, a ‘we’re OK because we’re insured’ school of thought. The consequence could be that the business disengages from day-to-day security protocols, lowers its guard and becomes more vulnerable to attack.
Here’s a further opportunity. Hand-in-hand with more tailored policies, insurers might consider offering incentives to organisations that keep their risks under review and under control. Lower premiums would apply to customers who could demonstrate ‘cyber maturity’.
Finally, we should all be confident about our ability to defeat cyber crime. We have a government that fully appreciates the threats and is committed to building resilient defences. Insurance has a key part to play.