Cybercrime is on the increase, but an increasing awareness of the problem is expected to drive demand for more specialist insurance.
Growing cyber threat
Both the number of incidents and the awareness of cybercrime have been increasing in recent years, according to PricewaterhouseCoopers. Almost one quarter (24%) of companies surveyed for the PwC 2014 Global Economic Crime Survey now report that they have been a victim of cybercrime.
However, under-reporting and difficulties in discovering cybercrime means that the true figure is likely to be higher, explains Daljitt Barn, Director of Cyber Security at PwC. He points to the government’s 2013 Information Security Breaches Survey which found that 93% of large organisations in the UK had a security breach in 2012, its highest level yet.
Theft of personal data, such as credit card details, remains the most common cause of cybercrime, according to Alessandro Lezzi, a cyber-insurance underwriter at Beazley. But criminals are increasingly targeting other forms of data, such as personal information that can then be traded or used to perpetrate other crimes.
“Today data has become a currency, and there is a ready market for trading information on the internet, where it is sold on to other criminals or to marketing firms,” he says.
Crime wave in cyberspace
Cybercrime is lucrative and is a relatively easy way for criminals to make money, explains James Campbell, who leads PwC’s Cyber Incident Response practice. The tools, techniques and services to perpetrate crimes can easily be found or purchased through the Internet, while mobile technology and the trend towards outsourcing and sharing data potentially heightens exposure, he says.
Criminals are also increasingly using more sophisticated methods to extort money from businesses, says Campbell. For example, PwC has clients that have fallen victim to CryptoLocker, a form of malware that encrypts files and then holds them for ransom.
Cybercriminals are also involved in industrial espionage. Perpetrators are stealing intellectual property or information to manipulate markets – such as getting the inside track on a proposed merger, or to get ahead in a negotiation or in legal proceedings, says Campbell.
Corporate data targeted
Cyber criminals are increasingly targeting confidential client data, a major concern for technology companies, law firms, accountants and the like, said Lezzi. The Information Security Breaches Survey found that 14% of large UK organisations believe that outsiders have stolen their intellectual property or conﬁdential data.
Such a breach has obvious implications for reputation, says Lezzi. Beazley research shows that some 40% of companies would not do business with a company that had suffered a breach.
Insurance against the loss of corporate data is an emerging product line, but Beazley, and other Lloyd’s managing agents, do offer insurance against a data breach resulting in the loss of client data, says Lezzi. Insurers in the Lloyd’s market are looking to develop insurance to cover loss of intellectual property as a result of cybercrime, he says.
Keeping up with cybercrime
Attitudes to crime still reflect the pre-internet age, but the criminal underworld has moved on, explains Steve Bonnington of insurance broker Lockton.
“In the past you could protect your property by locking your door and setting your burglar alarm. But in the digital world there are far more doors for criminals to knock on, and they can knock on many different doors at the same time,” he says.
According to Bonnington, IT networks and crime are now very much intertwined, with many criminal acts now including some use of technology. “It is surprising how many firms think that cybercrime won’t happen to them, but this is a risk for all companies,” says Bonnington.
Companies are far more exposed to cybercrime than old-world physical crime, believes Graeme Newman of CFC Underwriting, a specialist cyber insurer backed by Lloyd’s syndicates. “Yet companies’ buying habits and the traditional property policies offered by insurers have not caught up,” he says.
Standard property insurance policies, which typically include some cover for theft, were developed in the pre-internet age and have not kept pace with developments in cybercrime. However, specialist cyber and crime policies do offer cover, although both are having to adapt to the fast moving internet age, explains Newman.
“Cyber and crime policies need to be expanded to cover the wide range of cybercrime risks that businesses face today. Privacy risks are just one aspect, but specialist insurers can also provide cover for theft of money, fraud, phishing attacks, identity theft, telephone fraud etc.,” he says.
Driving insurance demand
Almost half of respondents to the PwC crime survey said their perception of cybercrime risk had increased, a sign that organisations are taking the threat of cybercrime more seriously, says Barn.
A growing awareness of cybercrime, and reputational concerns for breaches, are important drivers behind growing interest in cyber insurance, says Lezzi. “Increased awareness of cybercrime is expected increasingly to help drive the up-take of cover, as companies grow more concerned with the potential financial loss or damage to reputation,” he says.