With cyber-attacks increasing in frequency and severity, many companies are turning to insurance to cover their mounting losses. But can insurers quantify the risk accurately and could insurance lead to corporate complacency?
Many firms feel like they’re under siege.
Cyber-attacks are coming thick and fast and the tools at the hackers’ disposal seem to be getting more, not less, powerful.
Estimated annual losses from cyber crime now top $400bn (£291bn), according to the Center for Strategic and International Studies. And the cost in lost productivity of last year’s WannaCry ransomware attack alone was estimated at $4bn.
So many businesses are buying cyber insurance “in a mad panic”, warns Charl van der Walt of SecureData, a cyber-security company.
“Unfortunately this will mean that businesses of all sizes will seek out the minimum cyber-security investment laid out by insurers, government, and regulators, rather than going above and beyond to protect their own, and their customers’, data.”
Ransomware attacks, whereby criminals break into your network, encrypt all your data, then demand money in return for the decryption key, are particularly virulent. Firms have even been stocking up on Bitcoins – the hackers’ cryptocurrency payment of choice – to pay the ransoms.
And it’s not just the immediate ransom costs they have to worry about. There are the costs of investigating and closing the breach, legal and public relations costs, the damage to your share price as consumers and clients lose confidence, and the loss of business resulting from a damaged reputation.
There are also potential regulatory fines to pay – particularly when the European Union’s General Data Protection Regulation (GDPR) comes into force in May. Under the new rules your firm could be fined up to 4% of turnover or €20m, whichever is the greater, if regulators think you haven’t protected customers’ personal data adequately.
The average cost of a cyber breach was $349,000 in 2017, according to NetDiligence, whose data is based on actual cyber insurance claims. For a big company the average cost was $5.9m.
But US retailer Target, which had more than 40 million customer credit card details stolen in 2013, had to fork out $279m in total as a result of the breach, says specialist insurance market Lloyd’s of London in a report compiled with consultancy KPMG and international law firm DAC Beachcroft.
Around $100m of that was on lawsuits.
Telecoms company TalkTalk suffered losses of nearly $100m after its breach in 2015, says Lloyd’s, and this included a £400,000 fine from the UK Information Commissioner’s Office.
So it’s perhaps little surprise that interest in cyber insurance has spiked recently.
The number of insurers offering cyber insurance via Lloyd’s of London has leapt to more than 70, nearly double the number a few years ago. And insurance giant Allianz predicts that global cyber insurance premiums will grow to $20bn by 2025, up from around $3-4bn now.
One insurer, Hiscox, says it has been enjoying robust growth in its cyber insurance business, particularly following the TalkTalk breach and as GDPR approaches.
“We’re seeing annual growth of around 40% in cyber,” says Gareth Wharton, chief executive of cyber at the insurer. “We expect to have taken around $100m in premiums in 2017.”