Insurers ready to cash in on growing cyber threat

It could have come from anywhere: a teenager in a bedroom, or a sophisticated Russian cyber-crime gang looking to steal data.

Either way, the recent cyber attack on broker software provider SSP drove a dagger right into the heart of the company’s operations, forcing it to temporarily close the systems that allow broker partners to sell insurance on price comparison sites.

SSP is one of many companies globally that have suffered. Cyber attacks are costing business dearly and insurers sense an opportunity.

The European cyber insurance market is worth an estimated £250m, with half of this written in the UK, and its growth potential is huge.

This year alone, Chartis, Liberty, Hiscox, Ace, Barbican, Beasley and several Lloyd’s syndicates have launched cyber-liability insurance products in the UK and Europe.

Some of these providers have worked in the more mature US cyber-liability market for several years and their launch into European markets is no coincidence. In part, it’s a response to the increasing number of cyber attacks; SSP is believed to have suffered 20,000 cyber attacks after the original attack on its broker link to Google Compare.

Also, the launch into Europe of so many cyber-liability products is a result of a toughening of European regulations around personal data.

The European Commission (EC) is following the US example. US Federal Law requires companies that suffer data losses or a security breach to tell every customer individually.

In January, EC justice commissioner Viviane Reding revealed plans to update the 1995 Data Protection Directive. It includes plans for firms to notify customers within 24 hours about potential data loss.

That requires extra manpower and time, raising the cost of an attack. Ultimately, this has increased the need for firms to have cyber-liability insurance cover and the skilled risk management advice from brokers and insurers that can help prevent an attack in the first place.

Fines for losing data
Even without Europe’s gaze, domestic regulators are getting tough. While the UK Information Commissioner has told internet service providers who lose customer data to inform individual customers, there is no 24-hour deadline.

The FSA, meanwhile, has imposed sizeable fines on companies for losing customer data, the most recent example being Zurich Insurance, which ironically is seen as a leading player in cyber-liability.

Zurich was fined a record £2.27m by the regulator for “the loss and lack of control over the personal data of 46,000 of its customers”.

In addition to the rising costs associated with regulation, the global nature of business is putting cyber-liability insurance in demand.

AIG cyber-liability underwriting manager for Europe James Bouloux says that a company wanting to operate in a country with strict rules on data loss, such as the USA, needs to be able to cover the cost of a potential breach in that territory.

‘It’s not about spinning a message, it’s about explaining to the public what has happened and why’

Jamie Bouloux, AIG

For example, Sony suffered a global data breach last year in which the personal details of thousands of its PlayStation Network customers were compromised.

It cost the Japanese technology giant dearly, both financially and in terms of its global reputation, because of its worldwide reach and the number of legal jurisdictions it operates in, each with its own rules over personal data.

Insurers are well aware that cyber attacks are now high on the agenda for risk managers, who either control the insurance budget or have a big say in how it is spent.

InterContinental Hotels’ head of risk management John Ludlow, talking to StrategicRISK, an information source for European corporate risk mangers and a sister brand to Insurance Times, says he recently completed a security programme encompassing cyber risk.

Ludlow started by trying to understand the risk, its scope and possible effect.

He says: “Once we had done this, we were able to write a white paper that we circulated among all interested parties. We then had a workshop where we discussed the risk, and then set about coming up with a common strategy on how we would counter the risk.

“Each workstream has now gone away to write a paper, after which a small group of us will consolidate all those papers and come up with a strategy, and a way forward. We’ll then go to the executive, the audit and the board and say ‘you may have not heard of this threat of cyber; this is roughly what it is; this is roughly what it means for the company; and this (is what) we propose to do about it’.”

Increasing sophistication
IBM Institute for Advanced Security director Martin Borrett says cyber attack is so damaging, it is no wonder that risk managers and board members of multinationals are worried.

“Although cyber-risk is still relatively new, the volume of attacks has been going up, and their sophistication is increasing.

“As critical information, related assets and devices are becoming more instrumental and interconnected, the damage and the knock-on effects of a major cyber attack can be felt not only in computing. They can affect critical business and infrastructure operations,” he says.

“The biggest cyber risk within an organisation is complacency and a lack of awareness.”

If IBM is right, at least insurers are helping companies wake up out of their slumber to the growing threat.

To see a map of the top 10 countries were attacks come from and the top five targeted regions, click here.