
Companies must wake up to the dangers of cyber crime

Companies are coming under increasingly serious attack from cyber criminals. Few have the systems to cope with it, says Merryn Somerset Webb, and recovering losses through insurance could prove difficult.

Back in 1979, the economist Mark Skousen published a book on maintaining the security of financial data. He was worried about relentless information collection: he reckoned that 50 files of various sorts were being kept on each American. The inherent risks seemed pretty obvious to him.

In his section on companies, he added something pretty prescient: businesses should not stop at maintaining burglar alarms, employing night-watchmen and watching for "new employees working as spies for the competition", they should also be aware that much of their valuable information was now stored on computers.

It would "pay to ask your computer company specifically about unwarranted intrusion into sensitive information", he says. Forty years on, he has been proved very right.

We are in a world with an endlessly rising number of interconnected devices (and a lot more than 50 files on each person). There is no company or product that doesn't have cyber risk attached to it. So much so that if you ask a corporate chieftain about the biggest threat to their business, they probably shouldn't say Brexit or global growth, they should say cyber risk. The growing list of governments refusing to do business with Huawei bears witness to its relevance and danger.

Political and economic risk are slow moving enough that a quality company can cope, but a cyber problem can leave you helpless instantly: shipping group Maersk's systems were shut down for a full ten days following the 2017 NotPetya malware attack, at a total cost of about $300m. A company also risks the loss of commercially sensitive data, becoming the victim of cyber extortion, and huge fines for personal data breaches, to say nothing of the legal costs and brand damage.

This is not news to company boards: a survey by insurance consultancy Mactavish found 43% of UK respondents reporting that their company had suffered at least one cyber attack in the prior two years.

The insurance industry isn't set up to cope

But the odd thing is that, while most companies have cyber security on their minds, not very many are specifically insuring themselves against a systems breach. The market is growing fast: up 100% in the past year, according to the Association of British Insurers. Even so, a mere 9% of UK companies (rising to 25% in the financial sector) have specific cyber insurance.

In the US, the number is only slightly higher but is still low: Dan Truman of speciality insurance firm Axis Capital puts it at about 30%, thanks in part to many states' early adoption of strict rules on reporting data breaches. Maersk did not have standalone cyber insurance; one imagines this has now been rectified.

So why the foot-dragging? In the Mactavish survey, 37% say the risk isn't "serious enough"; 30% say the insurance is too expensive; some 35% argue it is "unfit for purpose"; and 22% "do not trust the insurer to pay out". The first two are silly; the second two have some merit. The utility of cyber insurance should improve as data improves and the industry gains a better understanding of the risk; the payout problem might not.

Parts of cyber risk are easily insurable, says the Association of British Insurers' Joseph Ahern. These include hackers, low-level ransom attempts and data-collecting malware. Other bits are not. There is a legal battle under way between confectionery firm Mondelez and insurer Zurich, which is refusing to pay on the NotPetya attack, arguing that the damage came from a "hostile or warlike action".

The insurance industry works on the basis that bad things happen to a few people at a time. When really bad stuff happens to a large number of people at once, it struggles. The industry either goes bust or gets out of the market. Then, the government has to step in.

During and after the Second World War, the UK War Damage Commission stepped in to pay for damage to buildings and land. In the wake of the 1993 Irish republican bombing of the Baltic Exchange, the UK government created pool reinsurance to underwrite terrorist damage. The US set up the Terrorism Risk Insurance Program after the September 2011 attacks. More recently, the UK created Flood Re for homes in flood-prone areas.

Dan Hyde, author of Cyber Security: Law and Practice, doesn't expect Zurich to win the Mondelez case: proving the incident was warlike will be extremely tricky. But the questions won't go away.

If North Korea and Russia are sponsoring cyber attacks across the West as a type of unprovable warfare, and if this represents a long-term persistent threat in a world where many companies share a digital architecture, that might make much of cyber risk uninsurable. You can see why the insurance industry wants to test who pays. And you can see why governments might not (after the 2008 financial crisis, they are not keen on providing backstops to the financial industry).

This fight is going to run. In the meantime, companies must look for standalone cyber coverage they really understand: Mondelez was claiming on its general insurance. A night-watchman is never going to be enough again.

This article was first published in the Financial Times
