This is a contributed piece by Graeme Newman, Chief Innovation Officer at CFC Underwriting
At the end of 2016, the National Crime Agency released statistics showing that cybercrime had officially overtaken traditional crime rates in the UK. A time when crimes were mostly committed on a local, personal level is now giving way to an era of crimes being committed on a vast, global scale, with thousands of individuals and businesses falling victim simultaneously.
This is reinforced by what we have been seeing as an insurer; we experienced a 78% rise in claims from UK businesses involving cybercrime last year, while, inversely, claims for traditional crime have been steadily declining. Given that cybercrime is now the fastest growing form of crime in the world, individuals and companies alike need to recognise this new exposure, and as technology becomes even more ingrained in day-to-day business operations, companies need to start thinking now about how they can best mitigate this threat.
What is cyber insurance, and how does it fit into this?
Cyber insurance policies have actually been around since the dot com boom in the early 2000s, but have since evolved to match a period of rapid technological growth and also to address the extraordinary changing face of crime. The spate of high-profile attacks in 2016 (Yahoo, TalkTalk, The National Lottery, to name but a few) is a clear indicator of this change and growing market need.
A primary objective of cyber insurance is to protect against the new world of electronic crime, which includes everything from malware infections and phishing scams through to cyber extortion and data hacks, as the value shifts from physical assets to things such as company data and systems, or sensitive customer information.
When a business suffers an attack, cyber insurance can help to cover both the immediate financial fallout and the costs associated with bringing in specialist providers to help manage the incident. Hiring forensic investigators, a PR team, IT specialists and legal experts can be a costly affair – not to mention the possible regulatory fines that victims might face for not having adequate defences in place. Cyber insurance exists not only to pay for the financial losses, but also to help you handle and resolve incidents quickly and effectively.
More than 20 different insurers in the UK now offer cyber insurance within their remit, and as businesses become more aware of this exposure, this number continues to grow. That being said, we are still seeing surprisingly low adoption rates amongst UK firms compared to the US. Currently, less than 10% of UK businesses purchase a standalone cyber policy, compared to more than a quarter of businesses across the water. However, as the industry evolves and measures such as the GDPR (General Data Protection Regulation) become a reality, we expect these figures to shift.
Why should businesses consider cyber insurance?
During the first half of 2016 alone CFC handled over 200 claims, a third (31%) of which were from businesses who had suffered data breaches, and almost a quarter (22%) from those who had been victims of electronic crime. Although most of these resulted in no more than £50,000 ($62,000) worth of damage, an increase in attacks like ransomware is causing all sorts of business disruption problems for firms, where costs can reach much further – we had one small business dealing with a setback of over £1M ($1.2M) after they failed to pay a ransom.
With new threats constantly looming on the horizon, it’s important for businesses to re-think their cyber strategy now and to implement ‘future-proof’ policies. Contrary to popular belief, obtaining a policy is relatively painless for businesses nowadays. Cyber insurance has fewer obligations in terms of risk management than a typical home insurance policy: where a home policy might stipulate what kind of lock you must have on your front door, cyber insurance policies rarely dictate risk management criteria. This, combined with the fact that there is plenty of competition driving premiums down, means that it’s never been easier to purchase cover that will best suit your business.
The vast majority of UK businesses – SMEs in particular – will experience a security breach in their lifetimes. We therefore recommend a two-pronged approach, whereby good security and risk management practices run hand-in-hand with a strong cyber insurance policy, should the worst happen.