AIG CEO warns companies failing to insure against data breaches

American International Group chief executive Peter Hancock says that businesses have insufficient cyber security insurance cover.

Cyber security insurance is advised to protect against data loss
Cyber security insurance is advised to protect against data loss

The CEO of American International Group (AIG)'s property-casualty division says that businesses have insufficient cover when it comes to dealing with the costs of cyber attacks and data breaches.

Speaking at a major insurance industry conference in New York on Tuesday, Hancock said that, without greater awareness, there is not much demand from clients - and without customer demand, the industry's capacity [for cyber security insurance) is small.

According to Bloomberg, Hancock went on to say that, with small capacity for this type of insurance, customers then question the logic in buying security insurance.

So are UK businesses failing to insure themselves adequately on the cyber security insurance front? We put this question to Professor John Walker, a Visiting Professor with the Nottingham-Trent University Faculty of Engineering, who told SCMagazineUK.com that Hancock - though clearly trying to ramp up interest in cyber security insurance - has a point.

"Absolutely he has a point,” said Walker. “With the new data breach legislation from the EU and others coming along, this type of insurance is very important for companies to have, even though many businesses do not bother," he said, adding that the analogy here is with house insurance for consumers.

"Every year people get the reminder and then shop around for the best deal, wondering whether they do, in fact, need it. But if their house does burn down, the end result would be catastrophic. And it's the same with cyber security and data breach insurance, as the consequences of not having any insurance can mean the end for many companies," he explained.

Professor Walker, who is also CTO of Integral Security Xssurance, the security consultancy, says that one issue the insurance industry may have to face up to is the fact that most of its analyses for this type of insurance is `tick and check' - with little real thought given to the actual risks involved.

Before the economic crash started six years ago, he adds, his observation was that the insurance industry would almost accept any degree of risk on the cyber security front, on the basis that the interest the insurance firm was making from premiums would help to offset any actual payouts for data breaches or similar events.

"Today, with interest rates so low, it is clear that the insurers have become a lot more price-sensitive and are asking more questions before taking on a risk, than they did just a few years back," he said.

Digital forensics specialist Professor Peter Sommer, who is also a Visiting Professor at Leicester's de Montfort University, said that, whilst cyber security insurance is now a must-have for any company, it is really important that prospective customers are completely clear what is - and what is not - being covered for.

"For most businesses they will want several things: costs of repair after an attack, the ability to compensate those who have sustained losses as a result of data breaches and, often most important of all - consequential losses covering loss of revenue/profit," he said.

"It is also critical to think carefully about what evidence the insurer will require before paying out - and how they will react if, on inspection, they find that essential preventative and loss-mitigatory measures were inadequate," he added.

Professor Sommer went on to say that insurance provides an additional measure of comfort by offering possible compensation for provable losses - but this is not a substitute for basic security measures.

Sign up to our newsletters