Cyber crime impacts everyone as more and more new technologies emerge. It is invasive and contaminates both the personal and corporate world. From financial institutions to online shoppers we are exposed to this risk; the global cost of cyber breaches is estimated at a staggering *$300bn a year. And this cost can only get worse with the pace of cyber attacks predicted to accelerate in 2014.
This blog follows on from Cyber Crime Part 1 which discusses the different forms of cyber breach and what has been seen in recent years. As new technologies develop, they are accompanied by even swifter advancements in the ability of cyber criminals. Demand for network based products such as smart devices and wireless networks are increasing every day for both work and leisure. As greater volumes of data transitions across these networks, the target for hackers becomes ever more appealing, as this information is remarkably valuable.
Cyber crime is certainly a hot topic in the corporate world, with reports of attacks increasing at an exponential rate. Last month, travel insurer Staysure, warned that almost 100,000 customers were at risk of having their sensitive bank card details stolen after its IT security was breached. Also over the Christmas period, nationwide retail giant Target announced a data breach involving information of up to 70 million customers worldwide. Credit card details, pin numbers and other customer data were stolen. This attack is not unique however, with ample attacks taking place in 2012 on institutions such as American Express, Visa, Google, Yahoo and MasterCard.
Prevention or Protection
So what can companies do to protect themselves? Two safeguards against cyber crime are:
- IT systems in place to prevent the access of hackers,
- Cyber crime insurance.
We are seeing that many IT security systems are on their own not enough to protect a firm against cyber risk. This is particularly true for small and medium companies, who tend to invest less in IT and security. Even the most sophisticated IT security systems at large entities are being breached, and therefore companies of all sizes are looking to the second safeguard for protection.
Cyber insurance has been present in the market for around 10 years, but many individuals and corporations are unaware of its existence. Commercial general insurance products tend to provide cover for tangible assets. Businesses have traditionally been protected against potential losses such as employers’ liability or property damage. These products do not protect firms against cyber attacks, due to the relatively little historic data available and the intangibility of the assets covered.
The two main categories of cybercrime insurance are first party insurance and third party (or liability) insurance. First party insurance provides cover for losses occurring directly to the policy holder, such as damage to the software, data and systems of an organisation. Loss from business interruption is also covered, as well as cyber extortion protection such as ransom costs. Third party insurance protects against losses from individuals or organisations affected by a security breach. For example, cover for losses incurred by policyholders through theft and misuse of data.
Challenges for insurers
Insurance companies need to accurately estimate the loss that is incurred from a cyber attack in order to determine premium rates and process claims. Quantifying these losses, and the probability of occurrences are huge challenges. Insurers are still developing financial models and standard methodologies to accurately price cyber risk. As mentioned earlier, the lack of historical data available is a major hurdle for insurance companies attempting to establish cyber insurance premium rates. While corporations are concerned about protection against cyber risk, consumers are also getting more and more worried about their own personal data being stolen, via their phones or tablets, for example. The Institute of Risk Management has recently released a guidance on cyber risk to help professionals understand the risk the basic precautions that can be taken.
The absence of government or international standards regarding cyber protection also effects how insurers can write their cyber insurance business. The jurisdiction of country laws is restricted by geographical limits, but cyber attacks can be executed from any global location, due to accessibility of the internet. A new European Commission data protection law is on the horizon, which will enforce procedures to be carried out by organisations and the regulator in the event of a breach. The implementation date for this legislation is currently uncertain.
Widespread awareness of cyber insurance is on the rise, with AIG reporting a 30% increase in cyber insurance sales in 2013. New cyber insurance products are also being launched. On 15th January 2014 Allianz Global Corporate and Speciality (AGCS) joined forces with Thales to offer a new Allianz Cyber Data Protect insurance policy. This product covers the costs incurred when responding to a cyber attack, rebuilding IT systems, and covers the losses arising from business disruption. Most recently, Guy Carpenter launched a speciality practise to develop cyber reinsurance solutions to tackle the risks associated with cyber security. Despite significant levels of growth, the cyber insurance market is still immature.
The threat of a cyber breach may be a daunting prospect, but it is important to remember that well established prevention and protection methods are available. Firms must assess their current IT systems and determine their risk exposure and potential loss to a breach. Recent events have demonstrated that although a secure IT system is essential to deter hackers, cyber insurance also plays a crucial role in protecting businesses from a wide range of losses. The eagerly anticipated European Commission data protection law will endorse a common standard regarding cyber crime, and should be the impetus to encourage firms to seek the optimal protection and prevention advised.
* The economic impact of cybercrime and cyber espionage http://csis.org/files/publication/60396rpt_cybercrime-cost_0713_ph4_0.pdf