Insurance Won't Solve Cybercrime
Companies are finding a way to minimize the repercussions when their digital security is violated. Unfortunately, they're turning to the same safeguards that protect the guitar-strumming hands of Keith Richards, the goal-scoring limbs of David Beckham and the most remarkable assets of Dolly Parton, rather than coming clean about the perils of data breaches or pooling information so that threats can be properly quantified and addressed. In short, they're focusing on the consequences of cybercrime, not the causes, by purchasing liability and errors-and-omissions insurance.
It seems buying insurance against the financial consequences of cyberterrorism from Lloyds of London, the world's oldest insurance market, is easier and more palatable than tackling the underlying problem. High-profile attacks, including the data on 100 million customers stolen from U.S. retailer Target in 2013, and the emails filched from Sony's film studios at the end of last year, have made companies fearful of the economic consequences of cyber robbery. Yet they haven't done much to puncture the secrecy that surrounds the issue.
Barbican, a Lloyds syndicate that specializes in digital defenses, says it saw a 50 percent jump in demand for coverage in the first quarter of this year compared with a year earlier. Barbican's Geoff White told the Telegraph newspaper this month that business is flowing from "new customers purchasing cyber insurance and existing customers purchasing higher limits following recent high profile attacks." Marsh & Mclennan, which offers cyber insurance, reckons the U.S. market for the product doubled last year to as much as $2 billion.
The term "insurance" in this context is arguably being misused, with the word "assurance" probably a better fit. Assurance, according to the Investopedia dictionary, provides "coverage of an event that is certain to happen. Assurance is similar to insurance (and sometimes the terms are interchangeable) except that insurance protects policyholders from events that might happen." Given the prevalence of digital terrorism, cyber attacks are a question of when, not if.
In the U.S., attacks are increasingly common. A global economic crime survey by PwC, a consulting company, found that 7 percent of U.S. organizations lost $1 million or more due to cybercrime incidents in 2013, more than double the percentage of global companies suffering comparable losses. Attacks resulting in lesser damages are also more prevalent in the U.S., with 19 percent of respondents suffering financial harm worth $50,000 to $1 million compared with a worldwide figure of 8 percent.
Data breaches are getting more expensive, too. A report commissioned by the U.K. government from PwC says the average cost to large companies climbed to as much as 1.15 million pounds ($1.7 million) in 2014, up from 850,000 pounds a year earlier; for small businesses, the average almost doubled to 115,000 pounds. Ominously, the report notes that 10 percent of organizations that suffered a breach in the last year "were so badly damaged by the attack that they had to change the nature of their business." Both the U.S. and U.K. reports showed 59 percent of respondents were either more concerned about or expected to experience more cybersecurity threats in the year ahead.
There's a big caveat in how trustworthy even this data is, which depends on whether executives are telling the truth about the scale of the assaults they've experienced. That seems unlikely. Russian computer security firm Kaspersky Lab claims a hacker gang called Carbanak has stolen as much as $1 billion since 2013 from financial institutions and payment systems in more than 30 countries. You haven't read much about those breaches, though: The potential for customers to abandon a bank that admits its systems are porous precludes honesty and publicity, meaning the antiseptic of sunlight rarely shines on cyber crime.
Government intervention can address this. Stricter rules obliging companies to confess when their security proves inadequate would improve the flow of information, both reducing the stigma and laying bare the true scale of the problem. Stephen Catlin, founder of the biggest insurance syndicate at Lloyds of London, told the Financial Times in February that only the government has deep enough pockets to underwrite the dangers of cyber attacks. That may be true, but addressing the roots rather than the outcomes is a more pressing need. If insurance against financial losses is the only answer, then companies seeking to reduce their cybersecurity risks are asking the wrong question.
This column does not necessarily reflect the opinion of Bloomberg View's editorial board or Bloomberg LP, its owners and investors.
To contact the author on this story:
Mark Gilbert at firstname.lastname@example.org
To contact the editor on this story:
Paula Dwyer at email@example.com