Speaking at the 2014 Electrical Industry Security summit at the Houses of Parliament earlier today, AEGIS London active underwriter David Croom-Johnson called for insurers to be part of the cyber defence discussion, and pointed to the industry's reaction to the Titanic sinking in 1912 and the 1906 San Francisco earthquake as proof that their involvement can herald widespread improvements.
In both cases, insurers called for safety improvements and the subsequent funding for insurers led to fundamental improvements like wireless telegraphy, Marconi signal stations and building codes.
But it was on the critical infrastructure where Croom-Johnson was most outspoken, calling for a centralised cyber security body to protect those in the energy sector, and asking for private and public sectors to work together to protect critical infrastructure.
“We need a unified industry response to risk management, security, incident response, threat intelligence and loss control. From our own discussions, we know there is growing regulatory and compliance fatigue over the question of cyber security. Yet critical infrastructure companies, more so than other sectors, are all too aware of the cyber spectre. It's a spectre growing in stature with the backdrop of increasingly complex geopolitical situations.
“Both the US and UK security agencies have offered alternative visions, but none are unified or consistent. Critical infrastructure companies would like unified guidance; no-one wants a repeat of the situation which occurred after US retailer Target was attacked, with regulators and shareholders becoming increasingly aggressive and militant.”
Murky grounds over coverage
Despite calling for insurers to be involved in protecting critical infrastructure – and the public or private companies running them – Croom-Johnson admitted that there needs to be a discussion between the insurance sector and government to discuss what kind of cover is achievable.
“Governments tend to think there is unlimited capacity within the insurance market,” he told the conference. “This is far from the case. Insurers have only a finite capacity to respond, and indeed some will not wish to respond at all. Governments need to work with us with the objective of increasing cyber risk management and risk modelling capabilities and of improving security.”
Max Perkins, underwriter at specialist insurance business Beazley Group, agreed that the amount of ‘tolerance’ is key and said that definitive terms – as well as attractive financial incentives – will need to be rolled out if insurers are to team up with the UK government in protecting CPNIs.
“All the insurers I've been in conversation with are open to [protecting CPNI] but how much risk are they expected to take on?” asked Perkins, who added that war cannot be insured against.
“Governments are curious to know if insurance is available for critical infrastructure, and if it can protect the public and private entities servicing these, but the question is if they have the budget for it,” Perkins told SCMagazineUK.com.
And he warned: “It's early days – the government will either create insurance backing on a nationwide basis, or insurers will make their own decisions at their own risk.” He noted that many companies can already get cyber insurance to protect themselves from business operation loss, but said that this often doesn't protect them if other parties are involved.
Marsh, Lloyds of London, and AEGIS London are just a few insurers to have rolled out cyber insurance products. AEGIS London has launched a product for the energy and critical infrastructure sectors.
Perkins said that the US is slightly ahead of the curve as it implemented the Terrorism Risk Insurance Act (TRIA) in 2002, enabling insurers and brokers to back companies against terrorism-related activity. “It came out of 9/11,” said Perkins. Insurance losses after the Al Qaeda attack are estimated to have been around £23 billion (US$40 billion).
Cyber insurance has been a topic of much discussion in the industry latterly, with various experts in the field mulling its relevance as companies look to protect themselves from operational downtime and significant finance loss (either through regulatory fines, or theft).
KPMG's partner for information protection Giles Watkins said that cyber risk is a “boardroom issue right now”, but said that insurance in this sector has been around for some time.
“Cyber insurance has been around quite a long time, but there's now quite a big push in that area,” he said at a recent McAfee event. He added, though, that with insurers adding 24/7 phone capabilities, they are getting ‘smarter in what they're willing to pay out’.
Multinational insurance provider AIG told The Financial Times in January that sales of cyber insurance policies increased by 30 percent in 2013, when compared with the year before.
“What we've been seeing is significant growth,” said Tracie Grella, who oversees AIG's cyber insurance initiatives as the head of professional liability.