Back in 1979, the economist Mark Skousen published a book on maintaining the security of financial data. He was worried about relentless information collection — he reckoned that 50 files of various sorts were being kept on each American. The inherent risks seemed pretty obvious to him.
In his section on companies, he added something pretty prescient: businesses should not stop at maintaining burglar alarms, employing night-watchmen and watching for “new employees working as spies for the competition”, they should also be aware that much of their valuable information was now stored on computers.
It would “pay to ask your computer company specifically about unwarranted intrusion into sensitive information”, he says. Forty years on, he has been proved very right.
We are in a world with an endlessly rising number of interconnected devices (and a lot more than 50 files on each person). There is no company or product that doesn’t have cyber risk attached to it. So much so that if you ask a corporate chieftain about the biggest threat to their business, they probably shouldn’t say Brexit or global growth, they should say cyber risk. The growing list of governments refusing to do business with Huawei bears witness to its relevance and danger.
Political and economic risk are slow moving enough that a quality company can cope, but a cyber problem can leave you helpless instantly: shipping group Maersk’s systems were shut down for a full ten days following the 2017 NotPetya malware attack, at a total cost of about $300m. A company also risks the loss of commercially sensitive data, becoming the victim of cyber extortion, and huge fines for personal data breaches, to say nothing of the legal costs and brand damage.
This is not news to company boards: a survey by insurance consultancy Mactavish found 43% of UK respondents reporting that their company had suffered at least one cyber attack in the prior two years.
The insurance industry isn’t set up to cope
But the odd thing is that, while most companies have cyber security on their minds, not very many are specifically insuring themselves against a systems breach. The market is growing fast: up 100% in the past year, according to the Association of British Insurers. Even so, a mere 9% of UK companies (rising to 25% in the financial sector) have specific cyber insurance.
In the US, the number is only slightly higher but is still low — Dan Truman of speciality insurance firm Axis Capital puts it at about 30%, thanks in part to many states’ early adoption of strict rules on reporting data breaches. Maersk did not have standalone cyber insurance — one imagines this has now been rectified.
So why the foot-dragging? In the Mactavish survey, 37% say the risk isn’t “serious enough”; 30% say the insurance is too expensive; some 35% argue it is “unfit for purpose”; and 22% “do not trust the insurer to pay out”. The first two are silly; the second two have some merit. The utility of cyber insurance should improve as data improves and the industry gains a better understanding of the risk; the payout problem might not.
Parts of cyber risk are easily insurable, says the Association of British Insurers’ Joseph Ahern. These include hackers, low level ransom attempts and data-collecting malware. Other bits are not. There is a legal battle under way between confectionery firm Mondelez and insurer Zurich, which is refusing to pay on the NotPetya attack, arguing that the damage came from a “hostile or warlike action”.
The insurance industry works on the basis that bad things happen to a few people at a time. When really bad stuff happens to a large number of people at once, it struggles. The industry either goes bust or gets out of the market. Then, the government has to step in.
During and after the Second World War, the UK War Damage Commission stepped in to pay for damage to buildings and land. In the wake of the 1993 Irish republican bombing of the Baltic Exchange, the UK government created pool reinsurance to underwrite terrorist damage. The US set up the Terrorism Risk Insurance Program after the September 2011 attacks. More recently, the UK created Flood Re for homes in flood-prone areas.
Dan Hyde, author of Cyber Security: Law and Practice, doesn’t expect Zurich to win the Mondelez case — proving the incident was warlike will be extremely tricky. But the questions won’t go away.
If North Korea and Russia are sponsoring cyber attacks across the West as a type of unprovable warfare, and if this represents a long-term persistent threat in a world where many companies share a digital architecture, that might make much of cyber risk uninsurable. You can see why the insurance industry wants to test who pays. And you can see why governments might not (after the 2008 financial crisis, they are not keen on providing backstops to the financial industry).
This fight is going to run. In the meantime, companies must look for standalone cyber coverage they really understand: Mondelez was claiming on its general insurance. A night-watchman is never going to be enough again.
• This article was first published in the Financial Times