Marsh: Insurance in the fickle world of cyber security
UK companies continue to face significant risks from cyber-related crime and its effects. In a bid to increase clarity on the kinds of risk, their insurability and the perspective of the industry, Marsh has worked together with the UK Government and insurance companies to create a picture of the current environment and develop a Cyber Essentials scheme that allows firms to mitigate common risks while also creating the beginnings of an assurance basis.
Cyber threats continue to endanger national, business and personal security, and with the continued presence of risk, insurance, the industry that traditionally takes an interest in risk, is starting to offer (sophisticated) coverage for cyber risks. In the ‘UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk’ report, released by Marsh and the UK Government, the state of cyber-security insurance is considered in relation to business activity. The report aims to identify ways in which insurers may provide a positive impetus for improving cyber security.
The report highlights a number of incentives that insurance can introduce to businesses. By creating a cost for premiums, and the possibility of reduced premiums against improving security conditions, a motivation is created for businesses to meet or exceed security standards. Insurers looking to mitigate their own losses will provide businesses with up-to-date knowledge of incidents or near misses that could affect their business. Finally, the long history of insurance risk assessments means that insurers already have powerful analytic tools to create viable risk profiles of threats, which have similar profiles to other tail risks (low-frequency, high-impact events).
Insuring risks requires some grasp of their frequency and effect, as well as creating the kinds of products that businesses actually want or need. Risk profiles differ significantly between company types. According to the research, larger organisations are more likely to own and develop intellectual property, for instance, and are therefore more likely to be affected by its theft.
In terms of both probability and impact, the loss of intellectual property rates highly for large companies, followed by liability following the violation of privacy laws or other privacy events. The risk profile also rates damage to reputation as a harmful and likely risk.
For small businesses the biggest risks come in the form of network or business interruption, fraud, privacy events, and damage to software. Smaller risks are related to reputational loss and IP theft. Physical asset damage, where hackers take control of a physical device to destroy it, remains in the current context a small risk.
Mitigating risk and insuring possibility
To protect businesses from common cyber threats, the UK Government and the insurance industry have developed a ‘Cyber Essentials scheme’. The scheme provides a clear statement of the basic technical controls all organisations should implement to mitigate the risk from common internet-based threats. It also provides a qualification that allows firms to demonstrate to customers, creditors, insurers, and others that they have taken essential precautions against cyber risk.
The insurance industry is also coming out with cyber-security coverage. However, uptake has so far been patchy. Marsh’s report shows that while 52% of large organisations believe they are covered for cyber security events, 10% actually have coverage and only about 2% of UK businesses are insured for cyber-crime. One of the problems with the insurance of cyber threats is that the products are often highly complex, as a result of which businesses do not fully understand the kinds of risks that can be assessed or protected against via insurance.