Few UK companies are aware enough of the growing threat to have cyber insurance, and some brokers are not selling cyber cover simply because they don’t understand the risk
Cyber risk is growing at an alarming rate. With every new piece of technology released to the consumer market, cyber liability increases. It is a risk with unknown boundaries.
Recent high-profile cases such as the Ashley Madison and celebrity iCloud hacks have shown the vulnerability of large companies to cyber crime.
Likewise, a Thomson Holidays employee who misplaced emails containing the bank details and addresses of thousands of customers has shown that human error can also breed cyber risk.
Earlier this year, a study by software house Citrix revealed that 71% of UK workers believed that data theft was “inevitable” in their workplace.
It also found that global cyber crime costs businesses around £200bn annually, and that the financial sector is the worst exposed, with one-quarter of financial firms hacked in the past year.
There can be no doubt that cyber crime is rapidly growing, and while underwriters are just managing to keep up, policy sales remain alarmingly slow.
Collaborative research conducted by the government and broker Marsh earlier this year found that 98% of UK companies don’t have cyber insurance. The London cyber insurance market totals £160m, but UK companies account for only £25m of this.
Lack of awareness
But why do companies not understand cyber risk? The unpredictability and broad spectrum of cyber attacks mean many firms don’t even realise they are at risk.
For those that do, the nature of the threat is so unknown that pricing a premium for it is hard.
“These hacks can be very varied,” Kaspersky Lab security researcher David Emm says. “Sometimes the aim is disruption, or sometimes to just play around. Others hack smaller companies to get to bigger ones. No one is safe.”
With a still-difficult economy and often limited resources, companies are unwilling to pay extra to guard against an intangible and unknown risk.
Compounding this, recent high-profile cyber attacks have sent policy prices soaring. Figures published by Marsh show that SME cyber premiums rose 32% in the first half of 2015, after a flat 2014.
So how can companies engage more with cyber risk?
JLT cyber, technology and media E&O partner Lauren Cisco believes UK companies have to develop cyber-aware cultures from the top down.
“For organisations to properly understand the risk and mitigate against the potential loss, it’s important to have an ongoing focus from management to engage with everyone in the firm.
“That way, the understanding of cyber risk will continue to evolve alongside the business evolution. It has to breed from management.”
Cisco says it is the C-suite that breeds culture throughout a business. If it fails to comprehend the digital world and its cyber risks, it is unlikely to want to part with the extra insurance premium spend.
This is a view shared by Simply Business chief technical officer Lukas Oberhuber, who says that for companies to understand the need for cyber, a culture of digitalisation is needed throughout the firm.
He said: “If this is not something that the entire management team agrees with, or understands, you have absolutely no chance.”
According to a study by consultants Alvarez & Marsal, the average age of a chief executive in the UK financial sector is 56, while the average chief financial officer is 54.
These are the ages of ‘digital immigrants’. The heads of these companies have grown up without social media, cloud storage and shared networking. The culture that both Cisco and Oberhuber talk about is not instinctive in these C-suites. So it has to come from elsewhere.
For AJ Gallagher head of technology Richard Hodson, it is up to the insurance industry, in particular the broker, to make cyber comprehensible.
“It really is a chicken and egg situation; brokers don’t understand it so they explain it badly, so they don’t sell it.
“Because they don’t sell it, they don’t have information and data on it, meaning they have nothing to help them understand it better. It’s a vicious circle.
“The whole industry needs to bring cyber into the language of the common people. Then cultures can breed awareness through companies.”
With cyber risk growing faster than the rate of policy uptake, it is up to the insurance industry to make cyber digestible.
If this means turning an industry-wide leadership of digital immigrants into digital natives, the cyber broking market looks set for tough times.