Due to recent and hugely public spate of cyber ‘events’, the world of Cyber security and subsequently cyber insurance is firmly in overdrive. According to the UK Department for Innovation & Skills - 81% of large businesses and 60% of small businesses suffered a cyber-security breach in the last year, and the average cost of breaches to business has nearly doubled since 2013.
We have all seen the headlines, from Sony last year, to British Airways earlier this month to the French TV Channel, TV5Monde. The severity and importance of each of these has material impacts on not only their ability to do business, but also their brand and reputation as both a customer, employee and partner.
Sony was clearly hugely public, by far one of the biggest and most public I have seen hit the news for a long time. It was all over most news channels causing outcry from customers and employees, some who threatened to sue their employer or former employer for failing to protect their data. Sony of course have had many attacks including taking down their PlayStation online platform for days on end. As for BA, the first I heard of this was an email saying – ‘someone has accessed your account'. Please come change your password! This is the brand that I trust with my personal details, my location and much more.
Finally, TV5Monde – seems to be particular worrying to me. In a scene that reminded me of the wonderfully played Elliot Carver from 007’s - Tomorrow Never Dies, the media giant was quite simply disabled, their TV taken off air, their public online presence taken over and more. An attack of this scale and power to me simply highlights what Hollywood has been portraying for years (remember Die hard where they take over the Airport by hot wiring a few cables nearby!). Interestingly, subsequent reports again points to human error here – a TV interview showing passwords stuck to Post It notes and more.
If we are under any doubt by the frequency, scale and impact of attacks, I found a great website (www.informationisbeautiful.net) recently that visualises some of the data breaches by year, industry and size, reason and more, see here for the full interactive chart.
So what is it?
Cyber threats have been defined by many, however like many other critical business issues, lots of other things are being added to the overall ‘cyber’ definition. The recent report from the UK Government on UK cyber security: the role of insurancetalks through both the threat and importantly the opportunity for Insurers.
The World Economic Forum in their 10th Annual Global Risks Report have Cyber risks up with water crisis and natural catastrophe and ahead of WMD, infectious disease and Fiscal Crisis (in terms of likelihood of occurrence). Water Crisis on similar level, and ahead of fiscal crisis. Given what we have all experienced in the last recession, I don’t think we could have a stronger wake up call.
- Top Global Risks According to the World Economic Forum
For now, and certainly as I write today - there is a small correlation between Cyber-attacks and loss of human life. However, as we become ever more connected with IoT or IoE, future devices will all be connected. In the latest report, the government have said that 14bn objects are already connected to the internet, 40m of them in the UK. By 2020, it could be as many as 100bn worldwide
The upside of being able to monitor your heart pacemaker or your insulin levels from an app are already upon us, wearables is the buzzword for 2015. When these devices move from monitoring to controlling, the threat just increases. A cyber-attack at a local level, vs shutting down a hospital, airport, city traffic system, taking over a driverless car or airplane – it’s far too easy to paint a picture here.
What’s the role of the Insurer in all of this?
The Insurance provider has a huge role in this, not only to pick up the pieces when an event occurs, but also across the entire lifecycle. At the outset, we have an opportunity to better educate the market on cyber risks in general, in creating insurance capacity for the event and ultimately better prepare ourselves for the ongoing advancement and frequency of attacks.
This goes far beyond the Cyber Essentials to better prepare SME’s and large enterprises alike. This is not collecting a badge, this is time to get ready for a battle. Not just a battle against cyber threats, but a battle for your reputation and brand. A brand that says to your employees, customers and partners, you can trust me with your information – I have a plan in place that’s tried and tested! The government scheme has covered the bare minimum essentials but this is like passing your driving theory test. We need expert drivers here to navigate roads no one has previously seen.
The UK and London Market specifically is already well placed given its deep experience in insuring against speciality risks, however – capacity in the market will continue to increase as the threats and frequency of events increases, giving rise to new – more tailored products and opportunities for the entire market. How long will it be before we all have our own personal Cyber Insurance policy?
Move to prevention rather than cure
We need to better help organisations truly understand the cost of putting this right after the event? As an example, some estimate that the cost of the Target breach in the USA has cost them north of $100m to correct. In their early earnings call post the event, they cite – “The breach resulted in $17 million of net expenses in the fourth quarter, Target said, with $61 million of total expenses partially offset by the recognition of a $44 million insurance receivable.”
Hindsight is wonderful, but perhaps a fraction of this upfront would have saved this money and importantly time to focus on the business strategy, not remedial work.
Reputation, Reputation, Reputation
It’s already been widely discussed, but insuring an organisations reputation is challenging for a number of reasons. Of course almost anything can be insured, however defining what the impact is and then working out what you need to be covered for will no doubt bring additional challenge and what cover you need for something that most would describe as intangible. The Insurance Times have a good piece here on this.
More importantly, what’s the short, medium or long term impact and value on the reputational damage? Take your favourite or most used retailer, give them all your personal financial data and shopping habits. They then suffer a breach – how likely are you to use or recommend them again? Maybe you would forgive them for one breach, what if it happened again? It’s too easy to move. I read that in the UK you are more “likely to suffer a theft from your bank than be physical burglary” these days.
Does this impact your future choice? How long does it take you to re-establish trust with your customers, employees and partners?
Typically, reputation risk is ~5-20% of cyber cost. However in reality it’s the gift that can keep on giving that no one really wants.
What if you are an online only Business? What if you were the ones who disrupted your market through technology and now that has been taken away from you. You don’t have the luxury physical outlets as a backup or alternative part of your business plan. Dealing with other breaches such as shoplifting in these has been an occurrence since retail began, these were however isolated to the individual locations.
SME’s especially are not as well equipped. On one hand digital makes access open to anyone to create a new business, however on the other hand we must now factor in the cost of doing business online, of which Cyber is a now business critical.
What do you think?
Are we prepared and doing enough across the sector?
Is this at the forefront of your business continuity strategy?
Have you a plan in place to protect your employees, customers & partners?
Do you have cover or adequate cover, which is well enough defined?
Are you investing ahead of the curve to prevent it?
Nigel Walsh | @nigelwalsh