Cyber Crime: Hack attack


As the demand for cyber insurance products grows, insurers are being required to service the market as well as protect their own businesses from cyber attacks.

News last month of a data breach at the UK’s largest insurer, Aviva, has got the insurance industry questioning the security of its internal systems against cyber attacks.

Perhaps most shocking about the Aviva incident was that the insurer’s data was mined by two of its employees, who had been paid by claims management companies to supply them with information.

Since the breach, Admiral has admitted it is closely monitoring its own systems for similar illegal activity. Chief operating officer David Stevens told Post: “It is something we are very vigilant about, because obviously if people are approaching Aviva employees to break the law there is no guarantee they will not approach our own.”

Zurich, too, is wary of potential attacks on its systems. Head of risk, information and business continuity, Alastair Allison, says: “We are going to watch what the regulator says and see how [the breach] occurred. We will respond to that accordingly and, if necessary, make adjustments to our own systems.”

This increased activity is taking place because insurers inevitably hold large amounts of customer information and management intelligence – making them vulnerable to cyber attacks on their business.

Speaking at the Post fraud conference in November 2013, Axa Direct and Partnerships counter fraud head Steve Gaywood told delegates, “Every day our systems are being targeted, and that is from trying to elicit customer data and other weaknesses.”

Indeed, Allison calls customer information an insurer’s “data crown jewels” – highlighting that, should this information get into the wrong hands, it could be harmful for both the insurance company and the consumer.

“From a financial perspective [cyber attacks are dangerous] because hackers can get enough information to intercept funds, strategies or practices that would undermine our financial stability,” he explains.

“Growth opportunities could also be affected – if [hackers] intercept the tactics you intend to employ on a merger and acquisition, they could prevent it from going ahead or push the price higher than you are prepared to pay.”


What kinds of cyber attacks threaten businesses?

According to Axa Direct and Partnerships counter fraud head Steve Gaywood, the biggest cyber threat to business, both in the UK and globally, is from organised criminals trying to make as much money as possible by exploiting loopholes in companies’ systems.

“They are interested in making money through fraud or from the sale of valuable information. That could be from hacking or from physically planting rogue criminals as employees in these organisations,” Gaywood says.

“You have also got hackers that [attack companies’ IT systems] for fun. As well, there are also ‘hack-tivists’, who may wish to attack companies for political reasons,” he adds.

Another type of attack is where financial services companies’ intellectual property is targeted to try and gain an advantage for a competitor business.

In extreme cases, cyber criminals can also use extortion, Gaywood explains.

“[This is where] third parties threaten to release data if money is not paid to them. The use of malware in this type of attack is increasing more and more,” he says.

Ultimately, all these threats have financial consequences for the targeted business.

“If you think about hacking where you might have some sort of denial of service type attack, the business interruption from the network downtime can lead to a dramatic reduction in turnover from the loss of business.”


Reputational damage
For Gaywood, reputational damage caused by cyber breaches is also a salient issue. “[Reputational damage] is going to impact the customer’s confidence in the security of your operation, and, therefore, they will be less likely to purchase products from your company,” he says.

Indeed, following US retail giant Target’s December 2013 data breach, online and in-store customer traffic dropped from 43% in January 2013 to 33% in January this year – the retailer’s lowest recorded point in three years. Last week, it was revealed UK supermarket chain Morrisons suffered a cyber attack that saw the bank details of around 100 000 employees stolen.

And the reputational damage doesn’t end with the insurer. A customer who has been the victim of a cyber attack could struggle to get approval for other products such as loans, Gaywood adds – which is also bad news for insurers.

“If [a consumer] has got a black mark against them because of some other kind of financial fraud that has been perpetrated using their details, they will find it difficult to get someone to repair that damage.”

Gaywood explains several measures can be employed to protect against cyber attacks –
including enforcing network security and malware protection and implementing home and mobile working policies.

“Cyber crime prevention is something insurers should be investing in. Any financial services business of any size will have a reliance on information technology to some degree, and with that comes a risk of cyber crime,” he says.

However, insurers protecting their own businesses is only one half of the cyber crime story as, fundamentally, insurance companies are required to meet market demand for cover to protect their clients’ assets against cyber attacks.

Capacity in the market
Insurer AIG reported a 60% increase in the sale of UK cyber insurance in 2013, and research from the Ponemon Institute shows annual costs to businesses from cyber attacks is also on the up, with the 2013 figure set at £2.99m – compared with £2.1m the year before.

Nigel Pearson, global fidelity head at Allianz Global Corporate and Specialty, claims the insurance market is catering “fairly well” for the demand for cyber insurance products.

Globally, he says, there is plenty of capacity in the market. Cover is available not just for the liability element, but also for things such as non-critical damage and business interruption. Pearson says the US market has been estimated to have premium income worth around $1.3bn, but outside that territory the market is fairly nascent.

“In the UK, the cyber market is definitely defined – even though it is small. There are elements of cover under other policies, but there is a move away from that because you can’t get the cover and the capacity under small extensions,” he explains.

Writing cyber liability cover is nothing new to Lloyd’s syndicates, according to Lloyd’s Market Association senior technical executive Tony Ellwood. Indeed, Lloyd’s already provides cover for cyber extortion, coverage for non-physical damage, and data breach response services.

“The non-standard, niche cyber market is also expanding rapidly, with some Lloyd’s underwriters focusing on companies with higher risk profiles – for example, providing cover to aid insureds facing more intangible risks such as reputational harm caused by cyber events,” Ellwood says.

Education needed
However, Gaywood thinks more of an education piece is necessary as he believes there should be more demand for cyber products than the market is currently seeing.

“If you think about internet trade in the UK, it has increased year-on-year for at least the past decade – and the UK has one of the highest percentages of gross written premiums that is traded online. You would expect there to be a higher personal risk to individuals, but I don’t think we are at the point yet where it has become as much of a concern across the entire population,” he says.

“The products tend to be more about prevention and reporting, rather than something that can repair some of the damage. For businesses, there are more products available from some of the bespoke insurers that will offer insurance for loss of revenue, the cost of investigation or civil damages
for consumers.”

Deloitte UK cyber lead James Nunn-Price considers investment in cyber security to be reactive, and says it is often overlooked by businesses looking to cut costs.

But, he adds, cyber insurance is becoming more firmly fixed on the agenda. “There has been a significant growth in sales of cyber insurance policies as more businesses are opting to supplement traditional insurance policies with additional coverage for incident response.”

Alongside this, businesses are investing in cyber security measures – a signal, perhaps, that people are not taking the threat lightly. “Some businesses are starting to invest in security operations centres for real-time logging, monitoring and alerting of security events, incident response and advanced threat intelligence services,” he explains.

But while many businesses may be waking up to the increasing threat of cyber crime, the number of attacks on SMEs is becoming more prevalent. The Department for Business, Innovation and Skills 2013 Information Security Breaches Survey found small businesses were now seeing levels of cyber attacks previously only seen in large organisations.

The survey found that 87% of small businesses (those with 50 staff or less) surveyed had suffered a security breach in the previous 12 months – an increase from 76% of small businesses the year before. Also, 9% of SMEs were aware that an outsider had stolen their intellectual property or confidential data in the past year – up from 4% in the previous year’s survey.

“SMEs are probably more at risk because with banks, insurers and retail trade, the law enforcement agencies have helped a lot and they have got the wherewithal to lock things down. SMEs, on the other hand, are a weaker link and have weaker controlled environments – and criminals will go where it is easier to go,” Allison says.

Pearson agrees, adding: “Some of the smaller, more traditional organisations, such as manufacturing, are probably not as aware of the issues as larger organisations that devote time and effort to their
information security.”

Being prepared
However, as the Aviva breach has shown, no organisation is safe from a cyber attack, and all businesses must be on guard against security breaches of their IT systems.

With a large number of insurers servicing the cyber market, and the demand for products growing, insurers will need to be prepared for emerging cyber crime risks both for clients, and their own businesses – which could strike at any time. 

As Pearson concludes: “What is difficult to pin down at the moment is what the probability is of any particular company suffering a data breach.” 


Will the EU data directive help to prevent cyber attacks?

The European Union is currently debating the Data Protection Directive; an update of the existing regulations which have been in force since 1995. The directive is expected to be passed by either the end of 2014 or in 2015. EU member states then have two years to enact it into local law.

Alastair Allison, Zurich head of risk, information and business continuity, says:
“[The EUDP] will encourage greater protection of the data we hold on customers and how that data is managed. I am more hopeful the EU Cyber Security Directive will help to prevent cyber attacks, because that is dealing with greater international law enforcement, intelligence gathering and cyber co-operation.”

Nigel Pearson, Allianz Global Corporate and Specialty global fidelity head, adds: “It will focus people’s attention on the issue because there will be greater liability. As the legislation changes and creates new areas of liability, the costs associated with that become exorbitant. Naturally risk managers are going to look to see whether they can transfer that via an insurance data protection and privacy law and the development of the insurance marke mechanism. So there is a fairly well known and accepted correlation betweent.”

Steve Gaywood, Axa Direct and Partnerships counter-fraud head, says:
“From a consumer perspective one of the most prominent features is the right to be forgotten and you could find that users will become more savvy around the use of their data and might request data is deleted. That would present further opportunities for consumers to minimise their data being out there.”

  • LinkedIn  
  • Save this article
  • Print this page  

You need to sign in to use this feature. If you don’t have an Insurance Post account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an indvidual account here: