Anthony Hess, Principal Advisor at KPMG
In the last few months we have seen a number of large data breaches in the news, many of which are damaging the reputation of companies across a variety of sectors. The financial impact of these attacks on UK businesses is estimated at more than £20 billion per year. As a result, awareness of, and concern over, cyber risks to businesses has moved beyond the IT department. It has, rightly, landed squarely on the desks of executives and the board.
There are four main categories of attackers that businesses are detecting: state-sponsored attackers, organised criminals, hacktivists, and the “lone wolves”.
The first group – state-sponsored attackers – is typically trying to access very specific commercial or military data. It could, for example, be an attempt to gather information about defence plans or long-term ambitions around energy extraction. Whatever the target, the attack typically involves highly advanced techniques. State-sponsored attacks are extraordinarily difficult to stop, and the attackers are often found to have been operating inside corporate networks for long periods without detection.
Organised criminals, on the other hand, are typically less advanced, and their ambition is usually centred on gathering commercial data that can be sold to other cyber criminals (credit card numbers are an obvious example). The much-publicised recent Target and Adobe attacks are examples of organised crime groups going after valuable customer data.
The third group – hacktivists – is typically not very sophisticated and usually focuses its attacks on interrupting the activities of a business in order to send a message, often political or environmental in nature. For example, Anonymous, a large hacktivist group, recently attacked the website of a US police department where an officer is accused of unlawfully shooting a teenager.
While still around, the lone wolf attacker is not usually the largest threat to businesses. That doesn’t mean they should be discounted. On the contrary, because these individuals vary substantially in motive and capability, from disgruntled former employees to young hackers trying to prove their worth to the broader community, they must still be regarded as a clear and present danger. Edward Snowden is a famous example of a lone wolf in terms of his methods: he used his legitimate internal access to copy a large number of sensitive documents and leak them to the press.
As the world becomes more automated and attackers become more organised and sophisticated, the impact they have will be greater than ever. Executive-level employees are already discovering that stock prices – and their jobs – can be on the line when hackers attack. They are also beginning to realise that cyber defence often lags behind cyber offence: much like in a football match, it only takes one mistake by a defender for the opponent to score. Commercial property and liability insurance is widely available in most countries, but these policies don’t typically cover cyber risk, leaving companies without cover. In this environment it is no surprise that cyber insurance has been expanding rapidly. According to an estimate by Betterley, total premiums in the United States have increased to as much as $2.0 billion, from $1.3 billion last year, and the continental European market is expected to grow by over 500% by 2018. Small and midsized businesses in particular are becoming very aware of the risks and are driving much of the increase.
Cyber insurance is, at its core, insurance against data breaches and service outages. Originally it was limited to providing a payout in the event of a breach or outage, but more recently it has been expanding to provide services as well. The most common of these is cyber incident response, where a skilled team of responders covering legal, PR and technology arrives quickly on site to triage and resolve the issues faced by the insured.
It is no surprise to see insurance spring up in response to cyber breaches; after all, information security is just another form of risk management.
Like many emerging insurance products, cyber insurance is expected to evolve rapidly. As more competition enters the market and the risk pool grows, prices should begin to fall. Insurers need a better understanding of the risks in the businesses they underwrite, which means an up-front assessment of each insured, but there isn’t much appetite among the insured to pay the large up-front cost of such an assessment. As a result, we can expect to see attempts to reduce that cost, to add more value to it in the form of security consultancy, or to amortise it across the life of the policy in a more efficient way.
There may also be growth in the market for external assessment standards, such as ISO/IEC 27001, to provide a third-party standard that the insured must meet before being covered. Lastly, and perhaps most controversially, you could expect to see increased government regulation in this sector. Although the purchase of cyber insurance is currently driven by business agreements and high-profile breaches in the news, there is a strong probability that in some countries with more “market active” governments you will see a mandate. Much like car insurance and health insurance, it may be decided that the public good of universal coverage outweighs the up-front cost of the insurance.
In closing, it is clear that as the link between IT security and risk strengthens, cyber insurance will be a key part of the portfolio of tools for managing that risk. The next few years should be an interesting time for the insurance and cyber security industries.