Insurance industry joins the fight against cyberattacks
There seems to be an endless flow of hacking horror stories. Dell is the latest big business to have been hit by criminals, who allegedly splashed data from millions of its customers on the dark web. The British Library, Boeing and PlayStation have all been victims. Last week Ascension, an American healthcare network, was forced to divert ambulances from hospitals after a cyberattack.
Against this backdrop, delegates are gathering in Birmingham this week for the annual Cyber UK conference. Organised by the National Cyber Security Centre, part of GCHQ, the event is so busy that “it will need to hire Wembley Stadium soon”, in the words of one attendee.
Strikingly, alongside the spooks and the techies, the insurance industry has an increasingly important seat at the table in the fight against hackers. Felicity Oswald, the security centre’s chief executive, even launched the event by announcing a collaboration with the sector to help businesses to deal with ransomware.
This is, in part, a reaction to failures in years gone by. After a period of growing pains, the 20-year-old cyber insurance industry finally has become more sophisticated when it comes to protecting businesses. The experience of having to pay out billions of dollars for ransomware attacks, which burst on the scene with a vengeance five years ago, has helped to sharpen the minds of brokers and underwriters.
Policies generally cover ransoms, forensic investigation, liability and business interruption, for example if systems are taken down. As one broker explained: “We weren’t ready for it. We’d been thinking about data breaches and then this ransomware thing came in and the risk bar just wasn’t there.”
In the wake of these payouts, premiums soared, becoming five times more expensive in some cases, and the industry got a bad reputation as being both expensive and difficult to deal with. However, according to Marsh, the insurance group, UK cyber insurance rates decreased by 7 per cent in the first quarter of this year as competition increased, leading to better rates and coverage. Four in ten businesses have it, according to government stats.
Getting insurance against cyberattacks these days is tougher, but insurers are setting the bar higher, making business think more carefully about their weaknesses. As Oswald put it in her speech: “Cyber insurance is an added incentive for organisations to implement security controls and resilience measures.”
Businesses grumble about it, but gone are the days when you merely fill in a form detailing your cyber defences. The information required has got more detailed. Insurers often want to meet the information security officer, to know how much customer data is in the cloud and to examine detection and response functions. “We don’t just talk to you once a year,” Paul Bantick, group head of cyber risks at Beazley, said. “[It is] not like a car insurance policy. We are talking to you monthly or daily.”
Having some cyber insurance increasingly is becoming a stipulation of doing business, to protect companies from digital weaknesses in their supply chains. This was brought into sharp relief last year during an attack by Clop, a group of Russian hackers, which exploited a loophole in a piece of software called MoveIT and led to data breaches at British Airways, Shell, the BBC and Boots, to name a few, when Zellis, their payroll operator, was affected.
None of this is straightforward. Just as people get to grips with one threat, another appears. One broker drew a wavy line in the air with his finger to illustrate the ups and downs of the market. Expensive premiums could return.
The number of attacks may have dropped since a spike in 2020, according to TechUK, but the threat is ever-present and more than half of companies reported an attack last year. Ransomware is rearing its head again, phishing emails are becoming more tricksy and more realistic with the surge in generative AI and companies can be targeted through their connected devices.
Yet, as the insurance industry has finally woken up to the significance of the threat, its increasing knowledge is a tool to try and stem the tide.
Katie Prescott is Technology Business Editor of The Times
Post Comment