Cyber-risk At least 93% of large UK companies have been the victims of attacks as hackers grow in sophistication. To what extent can the insurance market protect them?

Published on Mon, 30/09/2013 - 23:00

The threat of cyber-attacks is growing and its scale, diversity and complexity are unprecedented, Orla MacRae of the Department for Business, Innovation and Skills told Airmic Live listeners. Some 93% of large UK companies report being targeted, and it is certain that others have been victims without yet realising it. “Everyone is being attacked in some form,” she said.

Many of the culprits are nation states or criminals working from their own resources. With malware hacking programmes available off the shelf for less than $1,000, almost anyone with a will to do so can become a hacker.

To what extent is this an insurable risk? Risk managers have been reluctant to buy these products, a point that the two insurers on the panel both addressed. Iain Ainslie from ACE and Jason Coombe from Arthur J Gallagher agreed that the capacity and products are there to provide a significant amount of coverage and that education was a key challenge.

According to Coombe, new capacity is coming into the market and there is “something to work on”, but take-up in the UK is smaller than in some other countries.

Ainslie said a key challenge was for buyers to understand the exposure in the first place and to make themselves a better risk. It is important, he said, to sit down and discuss these matters with the insurer at an early stage and to have a strong grasp of what is covered. 

He also identified a disconnect between the risk manager and senior IT professionals such as the Chief Information Officer as a common difficulty. It would help for risk managers “to understand the risk to the business, not the technical causes or technical solutions,” he said.

“There is typically a nine-month time lag before companies realize they have been attacked,” he said.

Responding to questions from listeners, some of whom were clearly skeptical about the likelihood of such policies paying out, Coombe assured the audience that cyber-policies were responding. Furthermore, cover now extends beyond malicious attacks to include such areas as administrative and operational errors. Most policies, however, exclude the loss of unencrypted data, for example where an employee leaves their computer on a train.

Anyone wanting to listen to the entire Airmic Live can download it from www.airmic.com

“Ten Steps to Cyber-Security” can be downloaded from the Department for Business, Innovation and Skills website