With businesses becoming ever more exposed and vulnerable to cyber attacks, organisations need to better manage such risks. Tim Smith, partner at BLM, examines how the cyber liability insurance cover (CLIC) sector has evolved over the past decade. The following interview was published on the LexisNexis PSL service.
How has the CLIC sector developed over the past ten years?
Ten years ago, there was a limited awareness of the gravity of cyber crime and there was less reliance on the use of computers and other devices and the internet. In the light of this (and possibly a lack of demand) relatively few insurers offered CLIC. If companies sought cover, it was typically errors and omissions insurance, in response to the spread of computer viruses. Over time, some insurers developed specific CLIC wordings and then offerings to specific industry sectors such as retail. Today, CLIC comes in a host of shapes and sizes, sometimes forming part of a broader cover, sometimes as a standalone cover, and sometimes sitting alongside existing covers. Many insurers are now producing tailored policies to cover specific sectors with a menu of different elements of cover. Many more insurers now provide CLIC and there is an extremely wide range of offerings.
What is the average cost of a cyber breach and how is CLIC structured?
It is almost impossible to place a figure on the average cost of a breach, as it varies widely according to the size of company. There has been research published by IBM and the Ponemon Institute that concluded that the average total cost of a data breach for companies globally stood at $3.79m in 2015, an increase of 23% over the previous two years.
However, this is based on incomplete data and only samples 350 companies in 11 countries. Data is hard to come by as many organisations do not want to publicise the breaches that they have experienced let alone the cost of those breaches. The focus is on discretion and confidentiality as companies will not want bad publicity, which can lead to a potential loss of business, revenues or a fall in investor confidence and share price.
Where has CLIC been most successful?
Again, it is difficult to specify as there is limited information publicly available relating to individual breaches. Businesses tend not to wish to disclose the fact that they have suffered a cyber attack or data breach. However, it is clear that in relation to a number of the most significant reported breaches the existence of insurance cover has been of substantial financial benefit to the companies that have had it. Those companies are also likely to have had the benefit of all of the additional benefits that such policies often provide (credit monitoring, IT, legal, PR and regulatory support).
How has the introduction of mandatory requirements for data breach notifications affected CLIC?
In the US, 46 of the 50 states have mandatory notification requirements in the event of a data breach. In Europe there are currently no such requirements, although the draft EU General Data Protection Regulation, expected to be introduced in 2018, does contain such provisions. In our experience there is a direct link between mandatory reporting and claims. The combination of investors and customers being more aware of incidents and their consequences, the effect that this can have on brand/reputation and the cost of dealing with the claims that can arise as a result all appear to have been influential in increasing the take-up of CLIC in the US and many commentators (including ourselves) expect mandatory reporting to have a similar effect in the UK and Europe more widely.
How does each fresh leak or hack affect the CLIC market?
Each new leak or hack makes businesses more aware of their vulnerability to a cyber attack (especially if they hold large amounts of consumer data) and the resultant costs of repairing the physical, financial and reputational damage that can be caused. This is likely to lead to an increase in the number of CLIC policies being taken out. However, it is also likely to lead the market to be increasingly careful in assessing the risks that are being presented to it given the potential exposures that insurers are taking on in providing CLIC.
What does the future hold for CLIC—could it become compulsory?
The UK government does not appear inclined towards introducing compulsory insurance. It has, however, set out some basic measures that all organisations can use to reduce cyber risk. The 2014 Cyber Essentials scheme encourages organisations to examine their exposure to cyber risk and take steps to limit/reduce it. At the same time the government is pressing those who supply it to sign up to Cyber Essentials, and organisations across a range of sectors are all looking not only at their own cyber security but also the cyber security of those in their supply chains. This is expected to lead to more pressure to obtain CLIC as organisations are likely to want their suppliers to have such cover. Equally, the government is looking to the insurance industry to support and encourage the roll-out of Cyber Essentials. While it appears that the government is continuing to monitor the progress that is being made by businesses in relation to their cyber security and the Cyber Essentials scheme, if it feels that making the obtaining of cover compulsory would have benefits which outweigh the disadvantages it may yet consider this as an option.
Interviewed by Susan Ghaiwal.