Wednesday 20 August 2014

Why the City needs realistic cyber insurance



The cyber security risks to banks are real, and have existed for years. Yet we still have no proper reinsurance to cover them. Here's why it needs to change.

High-profile cyber crime on financial markets can lead to significant losses, in the worst cases tens or even hundred of millions of pounds. The risk remains outrageously high, and business interruption can be phenomenal, particularly if sensitive systems are compromised and assets are frozen or stolen.

It would be untrue to say that cyber security risks have suddenly appeared for banks. The risks have been about for decades, as banks operate on technology. These businesses simply wouldn't be in existence if they haven't already extensively tackled cyber security.

Governments are starting to see the need for things to change in terms of national infrastructure, but much more needs to be done around insurance for all sides to be protected. 
 
The reality of reinsuring cyber

There are many ways that businesses can be insured for cyber security. The key is protecting them through a market where insurers are confident they can write realistic and financially viable policies.

Essentially, it is up to banks to assess their own business impact of various cyber incidents, ranging from hacking to denial of service attacks. Insuring this would be very difficult. What can be done is to create insurance for business interruption, meaning the amount of time the bank is unable to operate normally. This is because there are realistic and measurable, agreeable, clear metrics.

There are several levels of process that would need to be put into place. To start with, ideally there would be a Cyber Re (reinsurance) pool or club in which the government helps the insurance industry to fund any extreme losses. This is not a radical idea, in 1993 the government created Pool Re in which there was coverage for terrorism affecting property insurance.

The economic effects 

By establishing this foundation, insurers can write cyber policies around business interruption. It also creates an environment in which the security industry and banks work closely together. Instead of scaremongering, there is an encouragement from all sides to prevent incidents by sharing best practice and collaborating on information.

There is so much to gain from getting this right. With a fully functioning cyber reinsurance market, the UK would be much more attractive to IT businesses such as financial exchanges and large Internet firms.


What's next

We strongly hope that things will change. Currently, it is nearly impossible to get cyber reinsurance above a few million pounds, or covering more than a handful of computers. This is no way near enough for businesses.

Extensive discussions are taking place between government policymakers and the industry on how to tackle this problem. Perhaps there is not yet the urgency because there has not been a debilitating security incident. No one would wish this problem to happen, and simply by looking at the threats anyone could see that things do need to change.

The discussions so far are encouraging: financial and IT firms want the cover, insurers like the idea, and government bodies see the gains. What we need next are a cost proposal, further market research, financial modelling for various scenarios, and clarity on legal, regulatory and tax issues.

We strongly hope that the government, insurers and the banking community will advance the work around cyber risk. It is vital to the operation of banks and financial system to get the reinsurance right.

No comments:

Post a Comment