Is the UK ready for cyber insurance?
April 2014 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
The way in which business is being conducted is changing. With squeezes on margin, most companies are looking for improved efficiencies and easier ways to reach the market. In many instances this involves the use of technology and the internet. Uses range from VoIP telephones to marketing websites, online trading to electronic storage and use of the cloud. The advantage of utilising the technology available is huge, but it also comes with risks that need to be evaluated and considered and these risks are different for every company.
Almost all companies are exposed to some type of potential loss resulting from damage or destruction of data, computers or computer networks. These risks range from third party liability due to lost client data through to first party liabilities such as business interruption costs, rectification costs, loss of digital assets, reputational damage or extortion. The consequences of each of these exposures differ for every company.
When considering if the UK is ready for cyber insurance we need to consider the environment that companies are trading in and the risks that companies are facing. In the run up to Christmas we saw the emergence of ‘Cyber Monday’, where analysis from Visa suggested that an estimated £450m was spent in some 7.7 million online transactions – an increase of 16 percent on 2012. This increase is expected to continue to grow in the future. Add to this the growing ease of international trading, increased use of the cloud for storing data, differing laws and regulations regarding the handling of data and it is clear that companies face increasing uncertainty.
If we use the retail sector as an example, we can start to evaluate some of the risks that companies are now taking on, many of which apply to other sectors too.
Retail shops are generally not considered to have much of an exposure other than public liability and the value of their stock, but these outlets are evolving. It is now commonplace to see websites attaching to high-street shops, which bring their own risks. Shops are responsible for storing and securing data that they collect, even if this is outsourced to a third party. If they are using ‘the cloud’ to store the information, where is it kept? If you have international clients or suppliers, is the data you are storing exposed to UK law, the law of where the client is based, or the law of where the data is being stored?
The technology employed within shops is increasing. It is likely that websites talk to stock management, ordering and invoicing systems, all of which are accessed via the internet. A denial of service attack could stop access to a shop’s website and therefore impact its turnover, particularly at busy seasons such as Christmas. In such a competitive market, will customers keep trying to gain access or go elsewhere? The result of denial of service attacks can inflict reputational and financial damage today, which can also impact future revenues.
The supply chains that feed into retailers are also adding to the exposure and extending uncertainty. The same software used by shops to manage stock levels, ordering and invoices are likely to also communicate with suppliers and manufacturers. With retailers trying to reduce the amount of cash tied up in stock, they are likely to be employing a just-in-time approach. If the connection with suppliers is disrupted, orders will not get through and stock levels will quickly drop, potentially resulting in lost revenue and reputation. Who is responsible, the retailer or the supplier?
Add to this the number of links that suppliers have with other retailers and manufacturers, and the subsequent links manufacturers have with those to whom supply components, and the web of companies becomes very large. The chance of someone in the web suffering an incident that could have a knock on effect on others via the connections also increases. Companies are no longer only affected by their security, but also the security of others with whom they trade. How many companies review the security of their customers’ or suppliers?
The manufacturing sector which supplies the retailers is also changing. Sourcing of components is an international process. Whether you are producing electronic products with components from China, Japan, Korea, or fashion products with resources from New Zealand, Italy or the US, you are suddenly relying on others’ security. Security standards differ wildly across the world and whilst you may be sourcing goods at a better price, you may also be exposing your company to a greater chance of cyber incident.
The control panels of production lines are no longer operated on the shop floor by pressing a button or pulling a lever. Computer systems and software now control what is produced, when it’s produced, how quickly it’s produced and so on. What happens if the computer systems are attacked and access is gained? Hacking into a simple email account could provide the pathway to gain access to stock control, invoicing or the control panel of the machines. A couple of changes later and you could be manufacturing a different product than you expect!
In short, the way companies communicate between each other and share systems and data means that the potential for security weaknesses is growing. Whilst the exposures are different for each company, the key increased risks are to their third party liability – due to potential loss of client data and denial of service attack, and first party exposures – due to damaged reputation, loss of revenue for today and tomorrow, costs of fixing the systems affected and potentially extortion to stop a denial of service attack or the publishing of stolen data.
Once the security is in place, insurance can assist in protecting your balance sheet against the unknown costs and expenses that could arise from a data security issue. The cover that clients need is available in the market; but has been overcomplicated by underwriters in the past trying to extend policies with limited extensions under the name of ‘Cyber’.
This is changing in the UK market with the emergence of a number of insurers providing full, standalone cover. As the potential market learns of the risks they face, more will start to insure. Cyber and data protection is currently a buzz topic.
In conclusion, the UK market is ready to purchase cyber insurance, but it won’t in any volume in the short term. The risks highlighted in the very basic breakdown above demonstrate some of the risks attached to web trading, manufacturing and communication, but the understanding of these exposures is only just beginning. Cyber is a complex area and new to many clients and their brokers. It will take a change in mindset before the product really takes off, but that is beginning. Historically we have always insured our greatest assets – buildings, contents and people. With the change in the way business is now being conducted, many companies are beginning to realise that data is now one of their greatest assets, and that maybe they should start to consider the risks associated with it and protect their data and balance sheets accordingly.
Simon Calderbank is a senior underwriter at HCC. He can be contacted on +44 (0)20 7680 2910 or by email: firstname.lastname@example.org.
© Financier Worldwide