The Government has launched an urgent fact finding task force to find ways of insuring UK businesses against the cyber threats that it warns “are happening all the time”.
The group, which will deliver its report in May 2015, was announced by Cabinet Office Minister Francis Maude and will involve talks with the UK’s 12 leading insurance companies to identify ways in which the industry can support British business and improve cyber security.

The initiative, according to the minister, should have the aims of increasing cyber security awareness and increasing protection by driving the adoption of best practice among UK businesses, while making London the centre for cyber insurance.
“Insurance can be a driver for increasing awareness and driving compliance with good practice and risk management,” said Maude. “We want Britain to be the safest place in the world in terms of cyber,” he said, adding that the UK was in a unique position to deliver this.
“We are a country that is good at cyber security, in that we have a lot of companies that are really good at doing this and we’re also a country that’s very good at insurance, this is one of the major centres – if not the major centre in the world for insurance. In knowing how to price this risk and drive good practice London ought to be the place that leads the world in this.”
The minister, however, fought shy of the need for mandatory disclosure of cyber attacks, a move many observers believe to be essential if the insurance industry is to accurately assess the level of threat that industry is facing.
The announcement by Francis Maude of a “joint Government industry initiative and working groups” marks the beginning of an attempt to get to grips with an issue the Government has been wrestling with since the start of the administration.
Behind the scenes the UK has been working hard to develop a home-grown cyber security industry by encouraging cyber security start-ups in Canary Wharf for the financial sector and looking to promote South Wales, Bristol and Cheltenham as a ‘cyber security triangle.’
Cyber insurance: the unknown risk
The insurance sector has been more problematic.
According to insurance industry sources, the Government has been attempting to kick-start insurance industry interest in cyber for a number of years, and has achieved some recent success due to concerns over insurance for the housing market, one of the two parts of the financial sector considered to be too big to fail.
The Government is rumoured to have done a deal with the insurance industry to insure houses on floodplains, despite the fact that they keep on getting flooded and that with global warming the risk can only grow. The theory goes that if houses cannot be insured, homeowners will be unable to get a mortgage and another financial crisis could follow.
In return for the insurance industry maintaining cover for floodplain housing, the Government has agreed to underwrite some of the risk.
Sources close to the discussion claim that in exchange for that help the Government has extracted a promise from the insurance industry to underwrite parts of the critical national infrastructure: the computer-controlled energy, utilities, communications and transport networks we all depend on.
Now it is claimed the Government is pushing the insurance industry in the direction of cyber insurance for businesses.
It may sound far-fetched, but the insurance industry’s agreement to underwrite the critical national infrastructure is fraught with risk given that, according to experts, much of it is outdated and obsolete.
Insuring business against losses that the UK’s National Audit Office has put at between £18bn and £27bn a year could cause the industry even more headaches without accurate data to go on.
This was a point admitted by Mark Weil, head of the insurance company Marsh, who said that data breach disclosure was an issue.
“It may be that we may look at that in this work, whether some form of data disclosure regime will be helpful. We’ve got historic data but all roads lead back to data because it’s an emerging risk that has at least some track record.
“One of the purposes of this task force is to see if there are ways that we can pool some of that data because if you talk to any of the insurers their biggest challenge, their biggest concern is we don’t know what risk we’re taking on.”
That the Government might be forced at some point to also underwrite risks that have hitherto not been considered was also acknowledged by James Quinault, the Director of the Office of Cyber Security at the UK National Security Secretariat.
“That is one of the things we will have to examine in the course of this work. There is a data issue here and we will be thinking about the ways that we can pool and understand data so we can try and work out what the worst could be.”
The science of hindsight
Several schemes currently exist that follow the ‘bolted horse principle’: companies insure themselves so that in the event of an attack they can employ teams of forensic experts to come in and advise them on the data they have lost and the likely culprits, leaving it to the companies affected to pursue redress.
The method mirrors Government initiatives to date aimed at dealing with the ongoing ‘Advanced Persistent Threat’ attacks. These have been laid mainly at the door of the Chinese Government, though according to the intrusion detection company FireEye there is evidence to suggest that Russian organised crime is behind some of the attacks, which normally target large companies.
Under the UK Government system, GCHQ alerts a company that it knows to have been attacked, and four Government-certified companies are put forward to the victim to provide help on the bolted horse principle and to recommend new security measures that should be adopted.
Ongoing discussions with wider industry, going back a number of years, have foundered on cost, with small businesses unwilling to shoulder the cost of cyber insurance that they saw little need for, not considering themselves targets.
This attitude was found in a recent survey by Marsh: “We commissioned a report into cyber awareness and though two-thirds of UK companies said that they had a basic understanding of their exposure to cyber risks, some 44% said that it was not on their risk register at all.”
This complacency presents dangers to all of the UK, as it is now widely accepted that most businesses will have been the victims of cyber attack, often without knowing it, and that the interconnected nature of companies can make the smallest of organisations a threat to an entire supply chain, as shown by the Stuxnet virus.
In a bid to counter this, Future Intelligence has suggested that a system similar to that used for cars could be adopted: just as the insurance mandatory on vehicles in the UK is dependent on the car being properly maintained, a similar scheme could be adopted for computers, based on the sector a company works in, the potential value of the data it holds and the possible consequences of its loss.
The costs of such a loss could potentially be huge, according to Marsh’s Weil.
“A massive data breach will invite litigation, generate regulatory fines and instigate law enforcement investigations. Cyber attacks can even cause physical damage by manipulating control processes.”
This is an allusion to the fact that even a company that considers its work to be in the most mundane of sectors, such as sewage control, could cause devastating consequences if it were hacked, its systems failed and a number of homes were affected.
The looming legal iceberg
This weakness is now being pointed out by the growing number of lawyers eyeing cyber security, and its absence, as a potentially lucrative source of income.

According to Craig A. Newman, Managing Partner in the London, New York and Washington-based lawyers Richards Kibbe & Orbe LLP, it is increasingly common for companies to consider the purchase of cyber insurance, especially given the costs associated with remediating a data breach.
“Data breaches are becoming more widespread across multiple sectors with the financial services industry and retailers bearing the brunt of the most recent attacks,” said Newman. “As we have seen with the data breach at the US-based retailer Target, the company’s public share price suffered once the breach was disclosed.
“But underlying these headline-grabbing breaches is a little known area of online theft aimed at stealing intellectual property. It’s the tech-driven start-ups and growth companies that are often far more vulnerable to an attack. When hackers aim at these young companies – most built on a foundation of intellectual property – a digital intrusion carries the risk that valuable intellectual property is compromised. In the world of start-ups, investors can’t simply assume these private companies are spending on data security. One key question to ask is whether these companies have a cyber-insurance plan in place.”
Other London lawyers have pointed out that by not declaring a cyber attack, a company whose business relies heavily on intellectual property would leave itself open to litigation, as those investing in the company would not be aware that it might have lost its assets. This is a potential nightmare for the venture capital firms looking to invest in the start-ups that Prime Minister David Cameron has hailed as the evolving life-blood of the UK, doubly so given that a number of recent surveys have pointed out that most start-ups have inadequate computer security.
Meanwhile, any company that holds customer data, such as an online retailer, could leave itself open to a joint legal case from aggrieved customers, which could be potentially disastrous given the international nature of internet business.
Any company hiding such a breach from potential investors would also be leaving itself open to litigation for the non-disclosure of risks to the business.
The mandatory data breach issue
Despite this potential iceberg of cyber attack liability, Maude dismissed the need for a measure that has already been adopted in the US, claiming that the voluntary systems adopted in the UK are adequate.
“It’s always tempting to do things like that but it could be counter-productive and we are in a better place than we were because businesses are increasingly understanding that there is a collective self-interest in notification.
“There has been a historical reluctance among some businesses to acknowledge that this has been a problem, but the more that businesses keep those attacks to themselves, the more the collective knowledge and ability to adopt counter-measures is inhibited.
“It’s tempting doing what governments like doing and passing a law and a regulation, but this is better than having some centrally mandated top-down approach.”
This is a position the Government will be hard pushed to maintain, as cyber breaches are increasingly likely to come under the ambit of the US’s Sarbanes-Oxley legislation and the Basel III banking codes, which could see a cyber breach become a notifiable balance sheet item.
A potential risk to banks was ironically highlighted by the London Evening Standard’s Anthony Hilton in the paper’s city pages on the same day as the Government announcement, under the headline ‘Cyber attacks the real threat to banks?’
The risk, according to Hilton, is that many of the new emergent banking institutions competing with the larger, more established banks may not carry enough capital to stave off losses caused by inadequate cyber defences. But without accurate figures for regulators and insurers to go on, how will they be able to know what defences should be in place?