UK cyber risk market gaining pace
Awareness of the cover known as ‘cyber risk’ is filtering through to the minds of business leaders in the mid-market and corporates as they square up to new technology-driven risks.
Cyber insurance is worth an estimated £250m per year in the EU, of which about half is written in the UK.
Even so, the UK is playing catch-up with the USA, where the cover is five or six years ahead in product terms. Total US market size estimates are pegged at $4bn (£2.5bn).
Cyber cover is poised to grow here too. Since May 2011, communication service providers have been required to report personal data breaches to the Information Commissioner’s Office (ICO) and to their own customers. The UK notification regime is only likely to broaden to cover more sectors in the future as new data protection rules come in.
The ICO is likely to start using its powers to impose fines of up to £500,000 on those breaching the Data Protection Act as the regulatory regime toughens.
The fledgling UK cyber insurance market has a new working group, which includes broker Oval and insurers NCC Group, Liberty International Underwriters, Zurich Insurance and CNA Europe - while others are said to be keen to join. The group aims to develop a framework of data security practices and policies for corporates to follow, including having adequate business continuity plans and data security policies in place.
One line of argument says that companies should be denied cover against cyber attack unless they meet a minimum kitemark security standard.
The multiple cyber risks: Cover is shaping up to insure all types of tech liability
This is the same old-fashioned risk that it ever was, except that now the perpetrators have been emboldened by the anonymity of the web, and empowered by new ways of gaining leverage over their victims.
First-party property damage
Hardware such as servers, networked computers or cables can be damaged by flood, fire or other natural events.
Loss of intellectual property
Theft of digital intellectual property, such as designs for new products, architectural plans, software systems or creative works, could be commercially devastating for some corporates (not to mention governments).
Social media sites like Facebook and Twitter have created an environment where a minor customer complaint can unexpectedly explode into a significant public relations event.
Libel, slander, copyright
Electronic communication has made it easier to go too far: email mishaps, off-hand conversations that go viral, or incidents like Aviva’s recent blunder when it mistakenly sacked 1,300 staff by email, are all too easy to make nowadays. Inadvertent copyright infringement can also happen, especially when publishing or sourcing material online.
A data breach is when the security of information stored digitally - for example on a database, computer, servers, USB sticks or laptops - is compromised. Data may be confidential for reasons of commercial competition, national defence or personal privacy (see ‘privacy breach’, right).
When systems are put out of action, it can halt the normal operation of the business. This could be caused by hardware damage, a hacker or a disgruntled employee launching a cyber attack on the company (see ‘The big story’).
Privacy breaches are when the security of customer or employee personal data is compromised, and can lead to significant costs, including that of notifying large numbers of individuals, hiring a PR firm and conducting a forensic analysis of what happened. There may also be third-party costs, such as financial liabilities.
Fines and damages
Fines and damages are uninsurable in the UK at the moment. The FSA has proved lenient on fines so far. However, this could change as updates to the Data Protection Act come into force (see ‘Knowledge Live’, page 63).
A corporate could be liable for damage to a third party caused by a program originating from the corporate’s system.