As the demand for cyber insurance products grows, insurers are being required to service the market as well as protect their own businesses from cyber attacks.
News last month of a data breach at the UK’s largest insurer, Aviva, has got the insurance industry questioning the security of its internal systems against cyber attacks.
Perhaps most shocking about the Aviva incident was that the insurer’s data was mined by two of its employees, who had been paid by claims management companies to supply them with information.
Since the breach, Admiral has admitted it is closely monitoring its own systems for similar illegal activity. Chief operating officer David Stevens told Post: “It is something we are very vigilant about, because obviously if people are approaching Aviva employees to break the law there is no guarantee they will not approach our own.”
Zurich, too, is wary of potential attacks on its systems. Head of risk, information and business continuity, Alastair Allison, says: “We are going to watch what the regulator says and see how [the breach] occurred. We will respond to that accordingly and, if necessary, make adjustments to our own systems.”
This increased activity is taking place because insurers inevitably hold large amounts of customer information and management intelligence – making them vulnerable to cyber attacks on their business.
Speaking at the Post fraud conference in November 2013, Axa Direct and Partnerships counter fraud head Steve Gaywood told delegates, “Every day our systems are being targeted, and that is from trying to elicit customer data and other weaknesses.”
Indeed, Allison calls customer information an insurer’s “data crown jewels” – highlighting that, should this information get into the wrong hands, it could be harmful for both the insurance company and the consumer.
“From a financial perspective [cyber attacks are dangerous] because hackers can get enough information to intercept funds, strategies or practices that would undermine our financial stability,” he explains.
“Growth opportunities could also be affected – if [hackers] intercept the tactics you intend to employ on a merger and acquisition, they could prevent it from going ahead or push the price higher than you are prepared to pay.”
For Gaywood, reputational damage caused by cyber breaches is also a salient issue. “[Reputational damage] is going to impact the customer’s confidence in the security of your operation, and, therefore, they will be less likely to purchase products from your company,” he says.
Indeed, following US retail giant Target’s December 2013 data breach, online and in-store customer traffic dropped from 43% in January 2013 to 33% in January this year – the retailer’s lowest recorded point in three years. Last week, it was revealed UK supermarket chain Morrisons suffered a cyber attack that saw the bank details of around 100 000 employees stolen.
And the reputational damage doesn’t end with the insurer. A customer who has been the victim of a cyber attack could struggle to get approval for other products such as loans, Gaywood adds – which is also bad news for insurers.
“If [a consumer] has got a black mark against them because of some other kind of financial fraud that has been perpetrated using their details, they will find it difficult to get someone to repair that damage.”
Gaywood explains several measures can be employed to protect against cyber attacks –
including enforcing network security and malware protection and implementing home and mobile working policies.
“Cyber crime prevention is something insurers should be investing in. Any financial services business of any size will have a reliance on information technology to some degree, and with that comes a risk of cyber crime,” he says.
However, insurers protecting their own businesses is only one half of the cyber crime story as, fundamentally, insurance companies are required to meet market demand for cover to protect their clients’ assets against cyber attacks.
Capacity in the market
Insurer AIG reported a 60% increase in the sale of UK cyber insurance in 2013, and research from the Ponemon Institute shows annual costs to businesses from cyber attacks is also on the up, with the 2013 figure set at £2.99m – compared with £2.1m the year before.
Nigel Pearson, global fidelity head at Allianz Global Corporate and Specialty, claims the insurance market is catering “fairly well” for the demand for cyber insurance products.
Globally, he says, there is plenty of capacity in the market. Cover is available not just for the liability element, but also for things such as non-critical damage and business interruption. Pearson says the US market has been estimated to have premium income worth around $1.3bn, but outside that territory the market is fairly nascent.
“In the UK, the cyber market is definitely defined – even though it is small. There are elements of cover under other policies, but there is a move away from that because you can’t get the cover and the capacity under small extensions,” he explains.
Writing cyber liability cover is nothing new to Lloyd’s syndicates, according to Lloyd’s Market Association senior technical executive Tony Ellwood. Indeed, Lloyd’s already provides cover for cyber extortion, coverage for non-physical damage, and data breach response services.
“The non-standard, niche cyber market is also expanding rapidly, with some Lloyd’s underwriters focusing on companies with higher risk profiles – for example, providing cover to aid insureds facing more intangible risks such as reputational harm caused by cyber events,” Ellwood says.
However, Gaywood thinks more of an education piece is necessary as he believes there should be more demand for cyber products than the market is currently seeing.
“If you think about internet trade in the UK, it has increased year-on-year for at least the past decade – and the UK has one of the highest percentages of gross written premiums that is traded online. You would expect there to be a higher personal risk to individuals, but I don’t think we are at the point yet where it has become as much of a concern across the entire population,” he says.
“The products tend to be more about prevention and reporting, rather than something that can repair some of the damage. For businesses, there are more products available from some of the bespoke insurers that will offer insurance for loss of revenue, the cost of investigation or civil damages
Deloitte UK cyber lead James Nunn-Price considers investment in cyber security to be reactive, and says it is often overlooked by businesses looking to cut costs.
But, he adds, cyber insurance is becoming more firmly fixed on the agenda. “There has been a significant growth in sales of cyber insurance policies as more businesses are opting to supplement traditional insurance policies with additional coverage for incident response.”
Alongside this, businesses are investing in cyber security measures – a signal, perhaps, that people are not taking the threat lightly. “Some businesses are starting to invest in security operations centres for real-time logging, monitoring and alerting of security events, incident response and advanced threat intelligence services,” he explains.
But while many businesses may be waking up to the increasing threat of cyber crime, the number of attacks on SMEs is becoming more prevalent. The Department for Business, Innovation and Skills 2013 Information Security Breaches Survey found small businesses were now seeing levels of cyber attacks previously only seen in large organisations.
The survey found that 87% of small businesses (those with 50 staff or less) surveyed had suffered a security breach in the previous 12 months – an increase from 76% of small businesses the year before. Also, 9% of SMEs were aware that an outsider had stolen their intellectual property or confidential data in the past year – up from 4% in the previous year’s survey.
“SMEs are probably more at risk because with banks, insurers and retail trade, the law enforcement agencies have helped a lot and they have got the wherewithal to lock things down. SMEs, on the other hand, are a weaker link and have weaker controlled environments – and criminals will go where it is easier to go,” Allison says.
Pearson agrees, adding: “Some of the smaller, more traditional organisations, such as manufacturing, are probably not as aware of the issues as larger organisations that devote time and effort to their
However, as the Aviva breach has shown, no organisation is safe from a cyber attack, and all businesses must be on guard against security breaches of their IT systems.
With a large number of insurers servicing the cyber market, and the demand for products growing, insurers will need to be prepared for emerging cyber crime risks both for clients, and their own businesses – which could strike at any time.
As Pearson concludes: “What is difficult to pin down at the moment is what the probability is of any particular company suffering a data breach.”
- Top 100 Insurtech: Quarter four update
- Charles Taylor bolsters liability team by hiring senior sextet from Vericlaim
- Roundtable: Is a single customer view taking off in insurance?
- I work in insurance: Stephanie Horton, River Canal Rescue
- Insurtech diary: Getting stuck into insurance
- Analysis: The mystery of the missing Insurance Fraud Taskforce report
- Gallagher Bassett acquires claims management firm