A new research report by the University of Kent and the Royal United Services Institute for Defence and Security Studies (RUSI) has found that the contribution of the insurance sector to improving cyber security practice is ‘more limited than policymakers and businesses might hope’ and recommends action by government and industry.
Identified alongside climate change and pandemics as ‘one of the most challenging risks facing societies in the next five years’ by the World Economic Forum, cybercrime is a complex, rapidly growing and severe threat to both government and business. In 2020, losses from cybercrime were estimated at over $945 billion worldwide, while the ‘average payment for a ransomware attack was reported to have risen from $84,116 to $220,298’ from Q4 2019 to Q1 2021.
This rise is taking place at a time of rapid change in the online environment as organisations seek to digitalise, increase connectivity and accommodate increased remote working, heightening the need for protection. With both national infrastructure and economic security at risk, ‘one tool that has gained traction is cyber insurance’.
Not only is cyber insurance seen as a way for organisations to reduce the impact of cybercrime by transferring financial risk to insurers, but, as the market grows and matures, cyber insurers are seen as potentially able to fulfil the role played by insurers in other industries.
Yet, the authors of this report (James Sullivan, Director of Cyber Research at RUSI; Dr Jason Nurse, Associate Professor in Cyber Security at Kent’s School of Computing; Jamie MacColl, Research Analyst in cyber threats and cyber security at RUSI) have found that to date cyber insurance has failed to live up to expectations that it may act as a tool for improving organisations’ cyber security practices.
Based on interviews and workshops with experts across the insurance and cyber security industries, government and academia, the report identifies an insurance industry that is not only struggling to understand cyber risk itself, but is also struggling to collect and analyse reliable cyber risk data. Without this, there are significant questions around the insurability of cyber risk. Meanwhile, ransomware has become an existential threat for some insurers. At a time of mounting losses and rising public criticism, the report argues for a reset in the industry.
The Cyber Insurance and the Cyber Security Challenge report concludes that if cyber insurance is to have the desired impact, the ‘insurance industry must overcome significant challenges’ and provides actionable recommendations for the UK cyber insurance sector, aimed at both strengthening response and bolstering the market.
Dr Nurse, who is also a member of Kent’s Institute of Cyber Security for Society (iCSS), said: ‘The role of cyber insurance as it pertains to cyber security has been discussed for decades, but still there has been little substantial progress on understanding whether insurance can incentivise better security practices in organisations, or if it can, how best can this be facilitated.
This report and our findings draw on a year-long study involving experts in policy, practice and research to answer many of these outstanding questions, thereby making a significant contribution to existing knowledge. More importantly, we provide several well-informed policy recommendations for the UK cyber insurance market, including UK policymakers, regulators and insurance providers and brokers, covering exactly what is needed for cyber insurance to play a more significant role in allowing the robust management of cyber risk.’
The Cyber Insurance and the Cyber Security Challenge report can be accessed on RUSI’s website.