Why the City needs realistic cyber insurance
The cyber security risks to banks are real, and have existed for years. Yet we still have no proper reinsurance to cover them. Here's why it needs to change.
Cyber crime on financial markets can lead to significant losses, in the worst
cases tens or even hundreds of millions of pounds. The risk remains outrageously
high, and business interruption can be phenomenal, particularly if sensitive
systems are compromised and assets are frozen or stolen.
It would be untrue to say that cyber security risks have suddenly appeared for banks. The risks have been
about for decades, as banks operate on technology. These businesses simply
wouldn't be in existence if they hadn't already extensively tackled cyber
are starting to see the need for things to change in terms of national
infrastructure, but much more needs to be done around insurance for all sides
to be protected.
The reality of reinsuring cyber
There are many ways that businesses can be insured for cyber security. The key is
protecting them through a market where insurers are confident they can write
realistic and financially viable policies.
It is up to banks to assess their own business impact of
various cyber incidents, ranging from hacking to denial of service attacks.
Insuring this would be very difficult. What can be done is to create insurance for
business interruption, meaning the amount of time the bank is unable to operate
normally. This is because there are realistic and measurable, agreeable, clear
There are several levels of process that would need to be put into place. To start
with, ideally there would be a Cyber Re (reinsurance) pool or club in which the
government helps the insurance industry to fund any extreme losses. This is not
a radical idea: in 1993 the government created Pool Re, in which there was
coverage for terrorism affecting property insurance.
The economic effects
Establishing this foundation, insurers can write cyber policies around business
interruption. It also creates an environment in which the security industry and
banks work closely together. Instead of scaremongering, there is
encouragement from all sides to prevent incidents by sharing best practice and
collaborating on information.
There is so much to gain from getting this right. With a fully functioning cyber
reinsurance market, the UK would be much more attractive to IT businesses such
as financial exchanges and large Internet firms.
strongly hope that things will change. Currently, it is nearly impossible to
get cyber reinsurance above a few million pounds, or covering more than a
handful of computers. This is nowhere near enough for businesses.
Discussions are taking place between government policymakers and the industry
on how to tackle this problem. Perhaps there is not yet the urgency because
there has not been a debilitating security incident. No one would wish this
problem to happen, and simply by looking at the threats anyone could see that
things do need to change.
Discussions so far are encouraging: financial and IT firms want the cover,
insurers like the idea, and government bodies see the gains. What we need next
are a cost proposal, further market research, financial modelling for various
scenarios, and clarity on legal, regulatory and tax issues.
strongly hope that the government, insurers and the banking community will
advance the work around cyber risk. It is vital to the operation of banks and
the financial system to get the reinsurance right.