
Companies must wake up to the dangers of cyber crime

Companies are coming under increasingly serious attack from cyber criminals. Few have the systems to cope with it, says Merryn Somerset Webb, and recovering losses through insurance could prove difficult.


Back in 1979, the economist Mark Skousen published a book on maintaining the security of financial data. He was worried about relentless information collection: he reckoned that 50 files of various sorts were being kept on each American. The inherent risks seemed pretty obvious to him.

In his section on companies, he added something pretty prescient: businesses should not stop at maintaining burglar alarms, employing night-watchmen and watching for "new employees working as spies for the competition"; they should also be aware that much of their valuable information was now stored on computers.


It would "pay to ask your computer company specifically about unwarranted intrusion into sensitive information", he says. Forty years on, he has been proved very right.

We are in a world with an endlessly rising number of interconnected devices (and a lot more than 50 files on each person). There is no company or product that doesn't have cyber risk attached to it. So much so that if you ask corporate chieftains about the biggest threat to their business, they probably shouldn't say Brexit or global growth; they should say cyber risk. The growing list of governments refusing to do business with Huawei bears witness to its relevance and danger.


Political and economic risk are slow moving enough that a quality company can cope, but a cyber problem can leave you helpless instantly: shipping group Maersk's systems were shut down for a full ten days following the 2017 NotPetya malware attack, at a total cost of about $300m. A company also risks the loss of commercially sensitive data, becoming the victim of cyber extortion, and huge fines for personal data breaches, to say nothing of the legal costs and brand damage.

This is not news to company boards: a survey by insurance consultancy Mactavish found 43% of UK respondents reporting that their company had suffered at least one cyber attack in the prior two years.

The insurance industry isn't set up to cope

But the odd thing is that, while most companies have cyber security on their minds, not very many are specifically insuring themselves against a systems breach. The market is growing fast: up 100% in the past year, according to the Association of British Insurers. Even so, a mere 9% of UK companies (rising to 25% in the financial sector) have specific cyber insurance.

In the US, the number is only slightly higher but is still low (Dan Truman of speciality insurance firm Axis Capital puts it at about 30%), thanks in part to many states' early adoption of strict rules on reporting data breaches. Maersk did not have standalone cyber insurance; one imagines this has now been rectified.

So why the foot-dragging? In the Mactavish survey, 37% say the risk isn't "serious enough"; 30% say the insurance is too expensive; some 35% argue it is "unfit for purpose"; and 22% "do not trust the insurer to pay out". The first two are silly; the second two have some merit. The utility of cyber insurance should improve as data improves and the industry gains a better understanding of the risk; the payout problem might not.

Parts of cyber risk are easily insurable, says the Association of British Insurers' Joseph Ahern. These include hackers, low level ransom attempts and data-collecting malware. Other bits are not. There is a legal battle under way between confectionery firm Mondelez and insurer Zurich, which is refusing to pay on the NotPetya attack, arguing that the damage came from a "hostile or warlike action".


The insurance industry works on the basis that bad things happen to a few people at a time. When really bad stuff happens to a large number of people at once, it struggles. The industry either goes bust or gets out of the market. Then, the government has to step in.

During and after the Second World War, the UK War Damage Commission stepped in to pay for damage to buildings and land. In the wake of the 1993 Irish republican bombing of the Baltic Exchange, the UK government created pool reinsurance to underwrite terrorist damage. The US set up the Terrorism Risk Insurance Program after the September 2011 attacks. More recently, the UK created Flood Re for homes in flood-prone areas.

Dan Hyde, author of Cyber Security: Law and Practice, doesn't expect Zurich to win the Mondelez case: proving the incident was warlike will be extremely tricky. But the questions won't go away.

If North Korea and Russia are sponsoring cyber attacks across the West as a type of unprovable warfare, and if this represents a long-term persistent threat in a world where many companies share a digital architecture, that might make much of cyber risk uninsurable. You can see why the insurance industry wants to test who pays. And you can see why governments might not (after the 2008 financial crisis, they are not keen on providing backstops to the financial industry).

This fight is going to run. In the meantime, companies must look for standalone cyber coverage they really understand: Mondelez was claiming on its general insurance. A night-watchman is never going to be enough again.

This article was first published in the Financial Times
