The Federation of European Risk Management (FERMA) has called on the European Commission to provide insurance cover for catastrophes such as large-scale cyber attacks. Bruce Carnegie-Brown, Chairman of Lloyd’s of London, has argued that a cyber attack could overwhelm the insurance sector and cause economic devastation on the same scale as the coronavirus pandemic. Andrew Clarke, Chief Strategist at Assured Cyber Protection, explains.
Insurance providers are concerned that a state-sponsored cyber attack could overwhelm the insurance industry. This apprehension is reasonable given that most insurance policies pay out or replace like-for-like in the event of loss.
However, this method can be extremely difficult to apply when it comes to business: often losses are woefully underestimated and may not account for the projected losses, or worse, the total loss of the business. Take, for example, Norsk Hydro. Norsk lost $71m as a result of the LockerGoga attack in March 2019; however, its insurance provider only paid out $3.6m.
When examined against the backdrop of the current state of the nation’s cyber health, this paints a worrying picture. Last year, 99% of the cyber claims in the UK received a payout, but it is not clear how many of those businesses received full compensation for their loss or how many ceased to trade following the incident.
At a time when cyber attacks are increasing, only 11% of businesses in the UK have specific cyber cover. The feeling is that organisations are disinclined to take insurance because they either can’t afford it or don’t see the value. This may shed some light on the root cause of the disinterest, which is connected to a low level of awareness of cyber risk at Board level. Cyber security is not a technology problem; it’s a risk management issue and as such needs to be considered at the highest level.
Perhaps it is time to refocus. Rather than bailing out companies in the event of a breach, we need to look at how to inoculate them against cyber attacks. Legislation like GDPR, which mandates that a certain level of cyber hygiene be achieved and constantly maintained, could help. Additionally, regular cyber audits and inspections would create better resilience against attack and could prevent an overwhelming situation from occurring.
Ultimately, improving the collection of raw data on breaches will better inform insurance providers of the risks involved and help regulate the market. This way the insurer is better placed to compensate at a reasonable level and the insured is better served. Setting the conditions to reduce risk through better controls and regulations ensures that businesses are better prepared for cyber events and that insurance companies can manage their risk exposure better. It is a win-win situation.