Should you use cyber insurance to mitigate risk?

Beyond commercial loss

But cyber insurance is not just about covering potential financial or reputational loss in commercial organisations; the insurance industry also has a key role to play in helping governments and critical infrastructure businesses prepare for cyber-attacks, according to AEGIS London's active underwriter David Croom-Johnson, speaking at the Electrical Industry Security Summit at the end of June.

The assertion contradicts a recent BBC report that claimed, “power companies are being refused insurance cover for cyber-attacks because their defences are perceived as weak.” This led some commentators (promoting the launch of the Government's new Computer Emergency Readiness Team, CERT-UK) to ask: would the money spent on insurance not be better placed to develop security infrastructure? Why did we find out from the insurance industry that energy suppliers' cyber security isn't up to scratch? Have these underwriters suddenly become experts in cyber security?

Explaining the role of the insurance industry in such scenarios, Croom-Johnson drew parallels between the insurance industry's reaction to the sinking of the Titanic, and the resulting calls by insurers for greater safety improvements, and the role it could also play in preparing countries to manage future cyber terrorism and cyber warfare. “We know there is growing regulatory and compliance fatigue over the question of cyber security. (However, despite conflicting national government responses)... Critical infrastructure companies would like unified guidance; no-one wants a repeat of the situation which occurred after US retailer Target was attacked, with regulators and shareholders becoming increasingly aggressive and militant.”

Mick Ebsworth, information security consulting practice director at NTT Com Security, notes how the ability to get insurance will also influence security quality, commenting to SC: “Insurance companies are likely to either refuse to insure or make premiums extremely high for organisations that cannot demonstrate that they have considered risk, implemented protective controls and applied governance around demonstrating the controls are adequate.”

Ebsworth adds: “Organisations need to consider two things here; firstly the impact to them of obtaining insurance and what that means to their risk and security teams and the impact on their business processes; secondly, as organisations either decide to take up insurance or decide not to, will it demonstrate that weakness or strength from a risk and security perspective.”

Croom-Johnson also pointed out that governments need to understand that insurance cannot be the total solution to cyber risk. He said: “Governments tend to think there is unlimited capacity within the insurance market. This is far from the case. Insurers have only a finite capacity to respond, and indeed some will not wish to respond at all. Governments need to work with us with the objective of increasing cyber risk management and risk modelling capabilities and of improving security.”

“Governments are curious to know if insurance is available for critical infrastructure, and if it can protect the public and private entities servicing these, but the question is if they have the budget for it,” Max Perkins, underwriter at specialist insurance business Beazley Group told SCMagazineUK.com. He added that definitive terms – as well as attractive financial incentives – will need to be rolled out if insurers are to team up with the UK government in protecting CPNIs.

“All the insurers I've been in conversation with are open to [protecting CPNI] but how much risk are they expected to take on?” asked Beazley, who added that war cannot be insured against.

Beazley said that the US is slightly ahead of the curve, as it implemented the Terrorism Risk Insurance Act (TRIA) in 2002, enabling insurers and brokers to back companies against terrorism-related activity. “It came out of 9/11,” said Beazley. Insurance losses after the Al Qaeda attack are estimated to have been more than £20 billion.

A report from Experian late last year found that just 31 percent of US companies had cyber insurance policies in place. However, another study from risk management research firm Betterley Risk Consultants found that the annual gross premium for US cyber insurance policies was US $1.3 billion (£734 million).

Multinational insurance provider AIG told The Financial Times in January that sales of cyber insurance policies increased by 30 percent in 2013, compared with the year before. “What we've been seeing is significant growth,” Tracie Grella, who oversees AIG's cyber insurance initiatives as the head of professional liability, told SCMagazine.com.

Based on current trends, the nascent cyber insurance market looks set to play an increasingly central role in the industry going forward.