Cyber risk is an increasingly expensive threat to business, with Lloyd's of London recently warning that a serious cyberattack could cost the global economy in excess of £92 billion. Aside from major disruption to infrastructure, there are significant reputational costs of being subject to a data breach, as well as substantial fines, particularly in light of the forthcoming GDPR. With the dangers of cyberattacks on the rise, along with the threat of serious consequential financial damage, many companies are turning to cyber insurance in an effort to protect themselves against these risks.
What are the main cybersecurity risks and their impact?
As the ransomware attack that hit the NHS demonstrated, some of the most extensive cyberattacks are very basic and often indiscriminate in nature: self-propagating worms and other malware can spread across the internet like wildfire, infecting any internet-connected devices which have not received the latest patches and security updates. Some of this malware simply damages computer systems; other strains are ransomware, which encrypt data and withhold the key until a ransom is paid. More targeted cyberattacks may involve phishing, SQL injection or DDoS attacks.
Often the most worrying attacks for business are those which involve a data breach, particularly if customer data is compromised. One of the most overlooked cybersecurity dangers is the insider threat. Although this sometimes takes the form of malicious acts by disaffected members of staff, the much larger problem is usually an ineffective data protection culture or strategy, and especially a lack of skilled staff who can lay down procedures and implement appropriate cybersecurity measures.
Costs to businesses from cyberattacks include:
- Lost productivity
- Time and money to repair damaged infrastructure
- Fines (eg currently up to £500,000 following an investigation by the Information Commissioner's Office, rising to €20 million or 4% of annual global turnover, whichever is higher, once GDPR comes into force)
- Reputational damage – including loss of existing clients and future business
- Any ransoms paid to hackers
What is the current state of cybersecurity insurance?
In light of the increased focus on risks from cyberattacks over recent years, it seemed likely that insurers who offered cybersecurity insurance would see increased uptake of these policies, particularly from businesses dealing with large volumes of personal customer data. Indeed, the British Government spoke of aims to make the UK a "world centre for cyber security insurance" in a 2015 report. However, although a surge has been seen in the US cyber insurance market recently, these trends have not yet been reflected on this side of the pond.
But a crucial turning point may be the impending General Data Protection Regulation (GDPR) which comes into force on 25 May 2018. GDPR not only introduces far more onerous penalties but it tightens up many aspects of data protection regulations and extends liability to data processors. As we get closer to the implementation date, an increased uptake of cyber insurance policies is to be expected, particularly by data processors who have less experience of data protection compliance.
What are the benefits and risks of providing cybersecurity insurance?
Insurers which offer cyber insurance policies are tapping into a potentially huge market, covering individuals as well as businesses. But insurers will need to be more guarded in their approach to providing cover in respect of self-propagating malware, which can spread across the internet and infect millions of devices in less time than it would take a burglar to break into a single property. Unlike burglaries, such losses are not independent of one another: a single new strain of malware could trigger claims on thousands or even millions of policies at once, and the resulting cost to an insurer could prove crippling.
How will insurance products need to develop for cybersecurity?
Due to the aforementioned risks of offering broad cybersecurity cover, much thought needs to be given to developing policies which take account of fast-changing cybersecurity threats and practices. Whilst a homeowner who leaves their front door wide open will generally need to concede that their element of fault reduces any payout, the degree of fault of a business which has not applied the latest security patch to its servers and consequently suffers a data breach is less clear: patches are released continually, and a business may reasonably test a patch against its own systems before deploying it, so the question is usually one of how long the delay was rather than whether there was one. Policies may require regular updating to take account of new forms of threat and of the types of cyber protection which policyholders can reasonably be required to have in place. But a careful balance will need to be struck between making policies too lenient, with the consequence of mass payouts in the event of large-scale ransomware outbreaks, and making policies so strict that they are not worth taking out in the first place.