There is no denying that the digitisation of business has brought many benefits in terms of efficiency, speed of transaction and access to markets but it has also ushered in a new and pernicious type of threat.
As the appetite among businesses to accumulate data and connect to the web increases, so too does their attractiveness to the criminal fraternity. The data is valuable, the digital integration increases vulnerability and it seems criminals are taking full advantage.
I read in a recent survey from the Department for Digital, Culture, Media & Sport that 32% of businesses experienced a cyber security breach or hack in the last 12 months. That is a pretty high incidence rate and bear in mind, this only considers reported incidents with the report’s authors pointing out that the problem is almost certainly underestimated. This kind of regularity starts to take us beyond the realms of standard business risks. It starts to look like the odds are stacked against business.
Now of course, as insurers, we are used to dealing with risk and the fallout, but this is something different. As such, it requires a different approach from us and our customers because to date, we have largely been dealing with defined threats, the frequency and severity of which can be modelled and broadly defined. We are used to dealing with known risks.
The real issue with cyber-crime is that the scale and nature of the threat is largely hidden and the potential for damage difficult to quantify for any one business. Of course, most businesses can put in place defences that protect against the latest type of attack, but the fact is that the method of cyber-attack is constantly evolving. By the time a company has put in place protection against the latest piece of malware, for example, the criminals have moved on to the next weapon at their disposal. It’s a constant game of catch-up.
So where does that leave the UK’s businesses? Insurance should never be the first line of defence, but we do play an integral role in a strong risk management and disaster response programme. And the defence against cyber is no different.
A key part of this defence is the growing cyber market in the UK and we’ve been working hard at QBE to build a tailored proposition to help businesses face these risks head on. However, there have been some recent and high-profile cases regarding the NotPetya cyber-attack in 2017 that have started to raise some doubt as to whether cyber policies will in fact kick in when the worst happens, but I think their relation to the real cyber market is tenuous. Dig a little deeper and you will see that these do not relate to specific cyber policies.
In any event, whether other traditional lines of insurance policies should or should not respond to cyber events is one thing, but what is more important is that it’s only when you understand how a bespoke cyber policy responds to a claim that it becomes much clearer why a standard policy managed by people who are not cyber experts just won’t work.
The insurer’s traditional role in a water or fire damage claim is to wait until the emergency services have got the situation under control after which we go in to assess the damage and start the process of recovery.
In cyber, a crucial part of our response as insurer is to play the role of emergency services.
We have several examples at QBE of customers who have been unfortunate enough to be the victim of a cyber-attack and our very first step has been to appoint technical cyber experts who will identify the source of the breach, close it down and ensure that the hacker has been removed from the system.
It is only then that we can move on to the damage assessment and rebuilding stage of the claim and once again, it is very different from a standard claim. Although computer systems can be physically damaged in a breach, the real risk at this point is to customer and company data, business interruption, the associated reputational damage and the response to any legal and regulatory issues.
A good, bespoke cyber policy will provide the holder with the technical expertise to manage these issues, but the coordination and application of all this requires an experienced and properly-trained claims handler. This is the realm of the specialist, not the generalist, and businesses wishing to protect their own and their customers’ assets must take a similar view.
Any insurance policy is only as good as the team supporting that promise but I believe this is even more pertinent in the world of cyber risk. We have invested in in-house expertise at QBE to specifically underwrite cyber risks and manage the claims, but we have also recruited specialist external support to give our customers the best disaster recovery support and chance of survival.
As I said, the true nature of cyber risk is largely hidden but by engaging with organisations that really understand the risks, businesses can keep trading with confidence in the face of the threat and if they can’t beat the odds, at least they have a team of specialists ready to protect some of their most important assets – their data, their IT systems and, perhaps above all, their reputation.