On Thursday 29 January, techUK's Financial Services & Payments programme and Cyber Security Group hosted a joint session focused on the emergence of the UK's cyber insurance offering and its role in driving forward the adoption of minimum cyber security standards. The session was chaired by Keith Saxton of the techUK Financial Services Council and featured key players in the UK cyber insurance and security markets from both government and industry. Speakers included EJ Hilbert, Head of EMEA Cyber Investigations at Kroll; Matthew Webb, Head of Technology at Hiscox; Orla MacRae, Assistant Director for Cyber Security at the Department for Business, Innovation and Skills; and Phil Allen, EMEA Director of Sales, Security / Identity and Access Management, Dell. Attendees gained valuable insight into the market, including its key drivers, its current state and its prospects for the future.
The panel identified the factors driving the emergence of the UK cyber insurance market. Chief amongst them was the reliance of modern business on digital technology, and the resulting exposure to cyber risk. The current trend towards tighter cyber security and data protection legislation was also cited as a key factor. Many organisations now derive significant value from the use of their customer data, amplifying the impact of a breach. Risks are taking the form of crime, espionage, warfare and activism, all now channelled via the medium of cyber space.
IT-enabled fraud was compared with petty theft: at some point you will find yourself a victim. Growing awareness of such threats and the liabilities they can inflict has led to attempts to mitigate risk, and this can be seen in the fledgling UK cyber insurance market. The prospect of increasingly punitive legislation where data is considered sensitive is heightening perceptions of risk. The introduction of the Network and Information Security Directive and new Data Protection Regulations, which could levy fines of up to 5% of global turnover in addition to the possibility of criminal conviction, is also increasing awareness. The onus to protect your business and your customers is, therefore, increasing.
The stick is not without its carrot, however, and the panel quite rightly acknowledged work undertaken by the government to support and encourage the development of the UK cyber insurance offering, which it sees as important in driving improvements in cyber security risk management. In November 2014 Francis Maude, Cabinet Office Minister with responsibility for the UK Cyber Security Strategy, hosted a summit of CEOs from the UK insurance market alongside Marsh Ltd to discuss this issue, which culminated in the announcement of industry working groups to report back to the Cabinet Office in April 2015. The hope is to build on existing initiatives such as the 10 Steps to Cyber Security, the Cyber Essentials Scheme and recent guidance published by GCHQ CESG on Technology and Information Risk Management, all of which provide clear and practical advice on what cyber security measures organisations should have in place.
State of the current market
Despite the growing weight of these market drivers, the panel agreed that the UK cyber market is about 2-3 years behind that of the US. Estimates based on recent market intelligence value the global cyber market at $2.3bn, with the US making up $2.0bn of this figure. From an insurance perspective, only £20m worth of premiums have been written in the UK. The panel attributed the US lead to a more litigious culture and to a market driven by existing legislation. In Europe, however, the development of stricter regulation is likely to motivate a more prudent approach to cyber risk and increased take-up of cyber insurance in the future. On the demand side, insurers are seeing interest from those with particular types of exposure, i.e. organisations that rely on customer data, such as those in the retail and hospitality industries, but increasingly also from tech companies, who are perhaps more savvy in their approach to cyber risk.
On the supply side, a lack of access to skills and to reliable data in the underwriting process were also noted as barriers to the pricing of risk and, therefore, to the development of cyber insurance products. In the UK there are few experts in cyber underwriting, and there are difficulties sourcing reliable data over a sufficient time period given the relatively recent emergence of cyber crime and the extent to which breaches are often underreported. Moreover, underwriters have found it difficult to determine the intangible damage and costs to an organisation's brand and reputation. Again, government intervention should help foster the emergence of the market, this time on the supply side, with promises of initiatives around skills, clearer messaging and the use of government guidance and standards in the underwriting process.
Another problem flagged was the difficulty in defining the different types of cyber risks facing organisations. To address this, techUK's Cyber Security Group is working to develop a Cyber Risk Taxonomy aimed at helping insurers and their customers develop a corporate risk register for cyber. If this is something you would like to get involved with please see here for further information.
Market prospects and solutions
The panel were optimistic regarding the prospects for the UK cyber insurance market, with the floodgates set to open in the coming years. The UK market is forecast to grow considerably in 2015, making it important to embed the right risk management processes now. This is especially so with the emergence of the Internet of Things (IoT) and the increasing use of cloud computing. The trend towards heightened connectivity will intensify the costs associated with a breach. The move to the cloud facilitates a transfer of risk but not of liability: an organisation remains responsible for its customer data even when that data is not in its own hands.
Policies cover breach costs, legal fees and even loss of income due to reputational damage. The insurance industry is also well placed to play an important role in educating firms. As with the development of the housing and car insurance industries, cyber-focused policies are fostering the use of best practice. In addition to providing coverage, the industry is collaborating with vendors to deploy crisis containment, privacy protection and post-breach forensics, both to mitigate risk and to increase protection. The hope is to implement cyber due diligence processes on a par with financial auditing, whilst understanding that the goal is not to remove the possibility of a breach entirely but rather to mitigate its impact.
Educating the market is by no means limited to having the right security controls in place, however, and there was wide agreement that cyber is an issue that now permeates the entire business. This is as much about getting the basics right, such as implementing secure passwords and getting users to install software updates. In the case of the now infamous attack on Sony, for example, what was remarkable was not the breach in itself, since this happens to a majority of organisations, but that there were insufficient measures in place to mitigate its impact. Sony did not have basic internal policies restricting which users were privileged to access certain information, which gave the attackers access to everything and enabled them to walk away with terabytes of sensitive data. The real risk lies, therefore, not in lapses in technology but in the fundamental processes for handling information. An acceptance of the inevitability of cyber risk, and of the need to implement a risk management methodology in response, is the most prudent course of action, and one in which the insurance industry can play a vital role.