Insurance Doesn’t Tackle Underlying Problem of Cyber Crime: Bloomberg View

By Mark Gilbert | April 13, 2015

Companies are finding a way to minimize the repercussions when their digital security is violated. Unfortunately, they’re turning to the same safeguards that protect the guitar-strumming hands of Keith Richards, the goal-scoring limbs of David Beckham and the most remarkable assets of Dolly Parton, rather than coming clean about the perils of data breaches or pooling information so that threats can be properly quantified and addressed. In short, they’re focusing on the consequences of cyber crime, not the causes, by purchasing liability and errors-and-omissions insurance.

It seems buying insurance against the financial consequences of cyber terrorism from Lloyd’s of London, the world’s oldest insurance market, is easier and more palatable than tackling the underlying problem.

High-profile attacks, including the data on 100 million customers stolen from U.S. retailer Target in 2013, and the emails filched from Sony’s film studios at the end of last year, have made companies fearful of the economic consequences of cyber robbery. Yet they haven’t done much to puncture the secrecy that surrounds the issue.

Demand for Coverage Jumps

Barbican, a Lloyd’s syndicate that specializes in digital defenses, says it saw a 50 percent jump in demand for coverage in the first quarter of this year compared with a year earlier. Barbican’s Geoff White told the Telegraph newspaper this month that business is flowing from “new customers purchasing cyber insurance and existing customers purchasing higher limits following recent high profile attacks.” Marsh & McLennan, which offers cyber insurance, reckons the U.S. market for the product doubled last year to as much as $2 billion.

The term “insurance” in this context is arguably being misused, with the word “assurance” probably a better fit. Assurance, according to the Investopedia dictionary, provides “coverage of an event that is certain to happen. Assurance is similar to insurance (and sometimes the terms are interchangeable) except that insurance protects policyholders from events that might happen.” Given the prevalence of digital terrorism, cyber attacks are a question of when, not if.

In the U.S., attacks are increasingly common. A global economic crime survey by PwC, a consulting company, found that 7 percent of U.S. organizations lost $1 million or more due to cyber-crime incidents in 2013, more than double the percentage of global companies suffering comparable losses. Attacks resulting in lesser damages are also more prevalent in the U.S., with 19 percent of respondents suffering financial harm worth $50,000 to $1 million compared with a worldwide figure of 8 percent.

Data breaches are getting more expensive, too. A report commissioned by the U.K. government from PwC says the average cost to large companies climbed to as much as 1.15 million pounds ($1.7 million) in 2014, up from 850,000 pounds a year earlier; for small businesses, the average almost doubled to 115,000 pounds. Ominously, the report notes that 10 percent of organizations that suffered a breach in the last year “were so badly damaged by the attack that they had to change the nature of their business.” Both the U.S. and U.K. reports showed 59 percent of respondents were either more concerned about or expected to experience more cyber security threats in the year ahead.

There’s a big caveat in how trustworthy even this data is, which depends on whether executives are telling the truth about the scale of the assaults they’ve experienced. That seems unlikely. Russian computer security firm Kaspersky Lab claims a hacker gang called Carbanak has stolen as much as $1 billion since 2013 from financial institutions and payment systems in more than 30 countries. You haven’t read much about those breaches, though: The potential for customers to abandon a bank that admits its systems are porous precludes honesty and publicity, meaning the antiseptic of sunlight rarely shines on cyber crime.

Government intervention can address this. Stricter rules obliging companies to confess when their security proves inadequate would improve the flow of information, both reducing the stigma and laying bare the true scale of the problem.

Stephen Catlin, founder of the biggest insurance syndicate at Lloyd’s of London, told the Financial Times in February that only the government has deep enough pockets to underwrite the dangers of cyber attacks. That may be true, but addressing the roots rather than the outcomes is a more pressing need. If insurance against financial losses is the only answer, then companies seeking to reduce their cyber security risks are asking the wrong question.


Latest Comments

  • April 14, 2015 at 5:04 pm
    Ty Sagalow says:
    I am reading the article perhaps a bit different than others. Despite its title, it seems to conclude what we would all agree is obvious. Insurance is not (nor ever was suppos...
  • April 13, 2015 at 10:19 pm
    MCT says:
    Regarding the law enforcement silver bullet that seems to be the "problem"... it doesn't exist. The door and not the lock on the house is more the example or the door on the c...
  • April 13, 2015 at 2:05 pm
    Crain says:
    I guess that I read this article a little differently than you. We are not doing everything that we can to prevent cyber crime. I agree that insurance is for this type of even...
