Insurance brokers have a unique opportunity to become businesses' trusted adviser on cybersecurity, to help mitigate the potentially significant damages and costs caused by attacks.
Businesses need to wake up and act now to fully protect themselves against the risk of cyber attacks to avoid facing monumental bills, significant reputational damage and even years of litigation. Insurance brokers can reap the rewards by informing and guiding businesses through the complex cybersecurity landscape, as many experts claim most businesses, large and small, remain underprepared and underprotected from a potential security attack. They could also use it as a differentiator among their peers.
Although most businesses are concerned about the risk of a cyber attack, there still is not enough awareness of the true risks to their operation, with many still seeing the matter as purely an IT issue, rather than as a key commercial risk that affects all parts of a company.
Matthew Martindale, director in KPMG's cybersecurity practice, warns against businesses only considering the short-term implications of a cyber attack, including only seeing costs in possible ransoms: "Dealing with things like reputational issues and litigation in the aftermath of a breach can add substantial costs to the overall loss.
"Businesses really need to start thinking about the cyber risk holistically, rather than [in a way] that is currently very shortsighted."
A 2017 government cybersecurity survey found only one third (33%) of UK businesses had a formal policy that covered cybersecurity risks; and only one in 10 (11%) had a cybersecurity incident management plan in place.
UNDERSTANDING THE THREAT
Inga Beale, chief executive of Lloyd's and CII president, stresses the importance of education in fighting back against cybersecurity attacks:
"To protect themselves, businesses should spend time understanding what specific threats they may be exposed to and speak to experts who can help handle a breach, minimise reputational harm and arrange cyber insurance to ensure that the risks are adequately covered.
"By reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimise the immediate costs and their exposure to subsequent slow-burn costs."
The costs also cannot be underestimated: recent research by Lloyd's claims that a major global cyber attack has the potential to trigger £40bn of economic losses. The report also reveals the stark truth of the situation where, although demand for cyber insurance is increasing, the majority of these losses are not currently insured, leaving an insurance gap of tens of billions of pounds.
Although recent attacks including WannaCry and Petya, with their wide spread of victims including the National Health Service, car manufacturers, airlines and universities, are perfect examples that highlight the need for cyber cover, the demand since those stark warning stories has not surged.
The threats, however, have increased. The insurance sector has seen a rise in ransomware claims, from just a tenth of all cyber insurance claims last year to almost a quarter, according to insurer CFC Underwriting. Many companies have taken advantage of this by launching cyber-specific insurance products to capture what they presumed would be a huge uptake in security. In June, technology giant Apple teamed up with Cisco to help their business customers get discounts on cybersecurity insurance premiums, which seems as good a sign as any that businesses really should be taking the threat seriously.
Paul Gooch, cyber underwriter at Tokio Marine Kiln, urges better engagement between insurers, brokers and businesses to tackle this growing problem: "Businesses need to engage with their insurers, brokers and other risk management specialists to ensure that their risk management procedures and cybersecurity protocols are kept up-to-date in the face of this developing threat, with a particular focus on patching, back-up and business continuity planning, which helps reduce the impact of such events and prevent subsequent reputational damage."
But the future is looking bright for insurers. The upcoming General Data Protection Regulation (GDPR) in 2018, with its increased obligations on companies regarding protecting personal data, is expected to help cyber insurance rocket, especially as many businesses will also look for support during the transition. The insurance sector must also step up to be ready for the regulatory implementation. It is a very high level data-gathering sector, where personal and sensitive data supports decisions, but insurance is facing criticism that it is not doing enough -- understandable when even understanding all held data is in itself a huge task.
The GDPR will benefit insurers immeasurably if they are proactive and take the initiative: regulations always raise awareness among the public and the hefty prospective penalties will force many businesses into taking cybersecurity seriously. Educating businesses is the key to securing the success of cyber insurance. As the monetary amount of ransoms is set to escalate rapidly, and organisations with considerable business interruption payouts are all now at risk, this is vital for not only customers, but insurers too.