Companies are finding a way to minimize the repercussions when their digital security is violated. Unfortunately, they’re turning to the same safeguards that protect the guitar-strumming hands of Keith Richards, the goal-scoring limbs of David Beckham and the most remarkable assets of Dolly Parton, rather than coming clean about the perils of data breaches or pooling information so that threats can be properly quantified and addressed. In short, they’re focusing on the consequences of cyber crime, not the causes, by purchasing liability and errors-and-omissions insurance.
It seems buying insurance against the financial consequences of cyber terrorism from Lloyd’s of London, the world’s oldest insurance market, is easier and more palatable than tackling the underlying problem.
High-profile attacks, including the data on 100 million customers stolen from U.S. retailer Target in 2013, and the emails filched from Sony’s film studios at the end of last year, have made companies fearful of the economic consequences of cyber robbery. Yet they haven’t done much to puncture the secrecy that surrounds the issue.
Demand for Coverage Jumps
Barbican, a Lloyd’s syndicate that specializes in digital defenses, says it saw a 50 percent jump in demand for coverage in the first quarter of this year compared with a year earlier. Barbican’s Geoff White told the Telegraph newspaper this month that business is flowing from “new customers purchasing cyber insurance and existing customers purchasing higher limits following recent high profile attacks.” Marsh & McLennan, which offers cyber insurance, reckons the U.S. market for the product doubled last year to as much as $2 billion.
The term “insurance” in this context is arguably being misused, with the word “assurance” probably a better fit. Assurance, according to the Investopedia dictionary, provides “coverage of an event that is certain to happen. Assurance is similar to insurance (and sometimes the terms are interchangeable) except that insurance protects policyholders from events that might happen.” Given the prevalence of digital terrorism, cyber attacks are a question of when, not if.
In the U.S., attacks are increasingly common. A global economic crime survey by PwC, a consulting company, found that 7 percent of U.S. organizations lost $1 million or more due to cyber-crime incidents in 2013, more than double the percentage of global companies suffering comparable losses. Attacks resulting in lesser damages are also more prevalent in the U.S., with 19 percent of respondents suffering financial harm worth $50,000 to $1 million compared with a worldwide figure of 8 percent.
Data breaches are getting more expensive, too. A report commissioned by the U.K. government from PwC says the average cost to large companies climbed to as much as 1.15 million pounds ($1.7 million) in 2014, up from 850,000 pounds a year earlier; for small businesses, the average almost doubled to 115,000 pounds. Ominously, the report notes that 10 percent of organizations that suffered a breach in the last year “were so badly damaged by the attack that they had to change the nature of their business.” Both the U.S. and U.K. reports showed 59 percent of respondents were either more concerned about or expected to experience more cyber security threats in the year ahead.
There’s a big caveat in how trustworthy even this data is, which depends on whether executives are telling the truth about the scale of the assaults they’ve experienced. That seems unlikely. Russian computer security firm Kaspersky Lab claims a hacker gang called Carbanak has stolen as much as $1 billion since 2013 from financial institutions and payment systems in more than 30 countries. You haven’t read much about those breaches, though: The potential for customers to abandon a bank that admits its systems are porous precludes honesty and publicity, meaning the antiseptic of sunlight rarely shines on cyber crime.
Government intervention can address this. Stricter rules obliging companies to confess when their security proves inadequate would improve the flow of information, both reducing the stigma and laying bare the true scale of the problem.
Stephen Catlin, founder of the biggest insurance syndicate at Lloyd’s of London, told the Financial Times in February that only the government has deep enough pockets to underwrite the dangers of cyber attacks. That may be true, but addressing the roots rather than the outcomes is a more pressing need. If insurance against financial losses is the only answer, then companies seeking to reduce their cyber security risks are asking the wrong question.