Cyber-crime is increasing rapidly, but UK companies are not equipped to protect their data
A hacker in China and a broker in Chigwell may appear to have little in common – except the fact they both indulge in risk for a living.
Thanks in no small part, however, to a steady stream of high profile security breaches over the past year, the development of the cyber-risk insurance market looks set to link the two in more ways than one.
Analysts suggest that the issue of cyber-crime, typically in the form of either an attack on an electronic system through a virus, or a data theft, has reached epidemic proportions.
This provides plenty of opportunities for brokers and insurers.
Cyber-risk represents a burgeoning market for the insurance sector – in particular, for stand alone covers. The threat is elevating and adapting at breakneck speed, while legislation that allows consumers to bring more legal action against companies for data breaches is creeping across the Atlantic.
But the insurance market for cyber-risk is scratching the surface at best - a case not helped by the fact that UK plc is proving inadequate in minimizing its exposure to cyber-risk
Though it is difficult to get a handle on the scale of the problem of cyber-crime, experts have speculated a global figure in excess of $100 billion. Based on the Federal Bureau of Investigation’s estimate in 2006 that cybercrime cost businesses around $67 billion worldwide, this appears to be erring on the side of caution.
More recently, there have been numerous incidents involving Chinese hackers breaking into Westminster and the Pentagon, clandestine Russian mobs stealing hundreds of millions of dollars from the world’s largest banks, and even Al Qaeda launching an electronic jihad – all of which is Hollywood stuff.
“The level of risk is increasing exponentially in proportion to the amount of data stored,” says Phil Mayes, senior underwriter for Commercial PI at Zurich.
While the lion’s share of media coverage is devoted to personal incidents of cyber-crime, businesses are hit equally hard. A survey by the Computer Security Institute in the USA last year found that average annual losses per company from security incidents stood at a whopping $345,000, double the previous year’s figure.
Yet for all the rancour about the threat itself, cyber-risk is dogged by a lack of definition that makes discussing the size and scope of the market in the UK particularly difficult.
The parameters for cyber-risk run the gamut from shutting down a company’s server to an international claim deriving from a website’s breach of intellectual property rights.
Because of the variation, some commentators argue that it is impossible to put a price on data.
But that is exactly what four insurers – Zurich, Hiscox, ACE and Click-for-cover – have done in recent years, developing stand-alone cyber-risk policies.
Other insurers offer various forms of cover, usually as part of technology-related professional indemnity cover.
The core markets for cyber-risk policies are those who at present do not buy it at all, but who face the greatest exposure, namely retailers and health organisations. These companies tend to have some sort of cyber-related cover bundled into their PI packages, but this is limited to data being treated as an asset, and does not include many of the claims associated with the risk (see box).
It is estimated that the combined market for first and third party cyber-risk cover in the UK is worth only between £15m and £20m in premium terms. But that is a figure widely disputed.
“It is very challenging to gauge the size of the premium pool for cyber-risk policies,” says Lisa Hansford-Smith, senior vice president in Marsh’s FINPRO practice.
“Very few standalone cyber-risk policies are actually purchased, as much of the risk can be found in other policies.”
The other side to that coin is that demand so far for cyber-products has been relatively low. Take up rates for stand-alone cyber cover in Europe have historically been as low as 2%.
That may not seem like a significant sum, but the rate of growth is substantial, in particular for third party liabilities, which at present constitute the majority of the market.
“There is a real opportunity for the development of stand alone cyber-cover,” says Marcus Breese, UK Media and Technology PI manager at Hiscox, which began developing cyber-products seven years ago.
“The process has started, and will speed up. The question is when? There is no claims history yet.”
Broker Aon says the market will take off in 2008.
“There will be an awakening in 2008,” says Shaun Cooper, Network Risk consultant at Aon Global. “The insurance industry has been lagging behind, but last year’s incidents have helped elevated the issue in the public mind.”
Tony Dye, director of IT security business at Qinetiq, the defense consultancy which hosts sensitive data and monitors network activity, says the insurance industry agrees that the insurance industry could do more to develop its expertise in the area of cyber risk.
“Insurers are not on top of it. It is simply too difficult. But there are some who are pushing the boundaries.”
“There has been more information gathering, and more understanding – and the more understanding there is, the more there will be a need for insurance products.”
Part of the difficulty for insurers in offering cover is that companies do not appear to be taking the threat of cybercrime seriously, and are consequently failing to take the necessary steps to minimize the risk.
In a survey conducted by Insurance Times’ sister publication, Strategic Risk, almost two-thirds of risk managers polled defined cyber-terrorism as a “serious concern”; that is IT-related risks such as computer hacking, viruses or worms intended to cripple governments, service or financial sectors of advanced economies.
More alarmingly, only 55% said they had prepared for a cyber-risk attack.
A similar survey by Global Reinsurance found that only 47% of reinsurance professionals were concerned by IT risks, while just 40% had prepared.
Risk mitigation and insurance go hand in glove, which exacerbates the problem, as Breese says: “Generally people who are switched on about the nature of exposure have measures in place for security, as well as other measures for mitigating the risk – including insurance.”
“The threat of cyber-attack moves down the food chain,” adds Cooper. “If you are a retailer this means your supply chain, your point of sale, your call centres – anything that makes up the flow of electronic data.”
More worryingly still, experts suggest that breaches in security are not generally due to the failure of online security systems.
Mayes says: “Losses tend to arise due to failure to adhere to an agreed process, rather than failure of a proprietary security application.”
Cooper says that social engineering techniques, namely calling up a company and asking for passwords to access systems, are a simple, but nonetheless effective method.
He argues that the biggest problem is that companies do not do enough to monitor who is logging on to critical systems in order to guard against the threat. This doubtless impedes the creation of a more stable market for insurance products.
Somewhat surprisingly, perhaps, it is believed that banks are already being hit hard by cyber-crime. And it could get much worse.
“Average financial institutions have not looked enough at cyber-risk,” Cooper continues, adding that an attack on the London Stock Exchange leading to a temporary shut-down could cost a bank £100m in a matter of hours. These are sums that could be insured.
“There are intangible aspects to cyber-risk,” adds Dye. “Loss of reputation is one. The recent failure of the government to protect personal data would have brought a commercial company to its knees.
“If you are a bank, how many customers are you likely to lose? It is very expensive to re-establish a brand.”
Mayes says that the nature of this development is tied in with the both the behaviour and type of the insured party.
“Risk Management is an enormous area, and the measures to be taken will be driven by the nature of the Insured activities.”
Larger organisations possess the resources to guard against cyber-attacks but, because they carry out extensive work on their IT systems, they are open to attack from hackers who, by playing a waiting game, can exploit portals as they become available.
Smaller companies, meanwhile, face the problem of internal breaches. In fact, some suggest that up to two thirds of cyber-related claims derive from either disgruntled or former employees.
Dye comments: “Hackers used to break into companies from the outside, sitting in darkened rooms. Many of these have been closed down.
“The growing threat is internal. A dissatisfied employee is a huge problem.”
He adds that growth of fraud in this area suggests the involvement of organised crime.
Gloomy though it is, companies are showing some willingness to take steps to minimize exposure, as evidenced by the fact that premiums for cyber-related covers have fallen by between 25 and 30% over the past three years. Unfortunately, that could just as easily be the result of intense competition in the soft market.
Most dangerous of all, however, is that brokers could ultimately end up as exposed as their clients. “Whether clients decide to take up cyber-cover or not is irrelevant,” says Gareth Tungatt, senior underwriter for Technology and E-Commerce at Ace.
“The point is the growth of the risk could potentially have a negative impact on brokers that do not recognise it and offer it at renewal. There would be potential for recourse under grounds of errors and omissions if the client suffered a cyber-attack for which he/she was not protected.”
Assuming that cyber-attacks will continue to escalate, it is a sobering thought.
Whatever the risks associated with developing products to deal with cyber-risk may be, two things at least are clear: the fledgling nature of the market makes insurers and brokers understandably cagey to throw their hats into the ring, and the market, however lacking in definition, will continue to grow in step with cyber-crime. A landscape for the provision of stand-alone cyber-risk products to sit alongside bundled packages will continue to take shape.
And while the cyber-clouds might be gathering, there is at least a distinctly silver lining.
“The UK is seen as a global model for understanding cyber-risk,” Dye concludes.
“The government talk openly to industry. It is not the same in The States, where there is a distrust been industry and the FBI. There is a good link here between industry and the organisations assigned to protect them.”
On a related note, though there is a considerable degree of distinction between the American and European insurance markets, experts unanimously agree that American policy and practice in the cyber-sphere will carry over to the UK.
“Where the US goes we follow,” says Breese. “Demand in Europe for cyber-risk products has not existed. That is changing as legislation becomes more consumer-friendly.
“The information commissioner is looking to tighten this up. Sanctions will get tougher.”
As this net tightens, insurers and brokers alike would do well to start casting theirs ever wider.
Cyber crime attacks
MI5 accuses China of executing state-sponsored acts of espionage against the computer systems of the financial services sector in the UK.
Computer security company McAfee says that key targets for cyber-attack include critical national infrastructure network systems such as utilities, air traffic control, financial markets and government computer networks.
An Israeli an online military intelligence magazine claims that Al Qaeda is planning to launch an electronic jihad in retaliation for western intelligence agencies disabling terrorist websites.
Symantec says that the number of websites containing malicious software has tripled in the first half of the year vs. the previous six months.
Reports claim that Chinese cyber-terrorists have shut down part of the computer system in the House of Commons.
June Chinese hackers are believed to have penetrated the Pentagon military mainframe. Congress subsequently describes Chinese espionage as the greatest threat to American technology security.
TJX, parent company of US retail giants T.J. Maxx and Marshalls, reveals that from July 2005 to January 2007, hackers stole over 45 million credit card numbers. 300 banks, and the company shareholders, are suing the company. Other companies to suffer similar attacks include eBay, Nationwide and RBS.