The problem with cyber insurance

Philip Barton | 17 Mar 2017

It is nearly two years since the last UK Government published “UK Cyber Security, the role of insurance in managing and mitigating the risk”. The global insurance industry has not fully exploited its role in the time since, so what of the report?

Having had time to digest the major themes in this report, I think that the Government at the time seemed determined to establish the Cyber Essentials scheme as a key part of UK SMEs' cyber toolkits, and to leverage the insurance industry to secure that goal.

The message was that Cyber Essentials or Cyber Essentials Plus compliance would deserve a reduced premium, as well as enabling greater cyber-risk awareness among SMEs. The report indicated that cyber insurance firms were likely to offer support in becoming Cyber Essentials certified as part of the insurance process. This patently did not happen as planned, and the UK National Cyber Security Centre (NCSC) has yet to pick up the reins sufficiently to consider cyber insurance guidance.

The report was aimed squarely at SME cyber risk in the IT space, with brief mention that Cyber Essentials may not be appropriate, or rigorous enough, for many manufacturing industries. Regulated industries and critical infrastructure will have their own regimes to follow, so what of the SME manufacturing industries? The NIST Cyber Security Framework or the SANS 20 controls are an excellent starting point, not to mention the many standards that exist, such as ISO/IEC 27001 and ISA/IEC 62443.

An obvious barrier to widespread adoption of worthwhile, insurance-backed cyber security in the industrial arena is the need for sufficiently good cyber forensic capability to be in place to back up any claim. In the event of an incident, the bias for most manufacturing organisations is naturally toward restoring production and not toward preserving evidence; it may not even be obvious that a cyber event has occurred until later.

Bringing the insurance arena up to date, a recent (March 2017) report from Swiss Re, a leading global re-insurer, explores the cyber insurance industry today and its recent evolution. This report, like many others, misses the point that the potential costs of a cyber breach are not rising – they have always been huge. What is changing fast is the democratisation of adversary capability: the ever-lowering bar to entry for ransomware and other malware. The report does correctly highlight the lack of mainstream cyber risk management practices, both pre- and post-event, the still-immature market, and the dearth of understanding surrounding cyber events that stems from a culture of silence. All of these must be overcome collaboratively between insurers and the insured to enable proper transfer of residual risk.

A final ‘red flag’ from the Swiss Re research is that of uninsurable risk. This is closely linked to critical infrastructure (utilities, major industry), where catastrophic loss could lead to Government intervention. Here, the low number of events on which to base assumptions, coupled with the magnitude of consequential and accumulated losses, naturally tends to limit the willingness of insurers to become involved. This surely must act as a spur for industry to help insurers evaluate underwriting risks better by supplying better information about cyber events.