A View from Europe
A Q&A with Nick Beecroft of Lloyd’s of London
New regulation and awareness around growing threats such as operational attacks is changing the face of the European insurance market. I talked to Nick Beecroft, emerging risks and research manager at Lloyd’s of London, about his work assessing cyber vulnerabilities and helping develop products to address them.
What are some of the most pressing cyber threats you’re seeing out there?
The key characteristic of a cyber threat is that it’s continually evolving. The moment you identify any specific threat as “the most important” is the moment a new tactic or threat axis emerges and forces you to reevaluate. We see a great variety of tactics employed across the cyber threat landscape. The threats are becoming more sophisticated and all of the threat actors are trying to stay ahead of security measures. We see the tactics becoming increasingly about specific vulnerabilities rather than wider attacks.
That being said, there are two broad areas our clients are most concerned about and those are data breaches and attacks against operational technology. While data breaches are a well-established threat that organizations need to be aware of and prepare for, operational technology attacks are emerging as an important concern that clients are increasingly discussing with their insurers.
What are the specific concerns around operational attacks?
Operational technology in every sector of economic activity is increasingly connected to digital networks, and this is increasing the ‘attack surface’ available to cyber attackers. Business operations can be disrupted or prevented, and/or the attack could generate great physical harm. We are fortunate at the moment that these incidents have been rare, and security architecture is developing rapidly to ensure these critical systems are protected. The insurance industry is also in dialogue with governments to assist in developing national cyber resilience.
How do you go about assessing impact?
One of the key challenges of the insurance industry is that data on the frequency and severity of cyber attacks is limited, and this is particularly true of attacks against operational technology, so we have to employ other techniques. We develop scenarios to enable us to assess the impact of plausible but extreme cyber attacks, and we’re working with the research community to harness the best available expertise.
What are some of the newer tools to enable developments in cyber insurance?
We are seeing the development of a wide range of data breach products, including client support services that assist with managing and recovering from the impacts of data breaches—not simply reimbursement of costs. We are also seeing products that cover physical damage and bodily injury caused by cyber attacks on operational technology.
How are insurance companies in Europe preparing for cyber catastrophe?
I would say that the demand for cyber risk insurance is growing here with heightened awareness of cyber risk and operational threats, such as the attack on the German steel plant last year that inflicted major physical damage, and the expected EU data protection regulation. We expect to see continued innovation in the European cyber risk insurance market.
We want to thank Nick for his insights. He raises several interesting points—particularly that “cyber risk” goes well beyond privacy data breach issues, and to many clients operational attack and related business interruption is the exposure of greatest concern. It is equally interesting to see how some insurers are evolving and widening the scope of their cyber coverage to include physical damage when applicable.