
Introducing cybernomics

Insurance markets are lagging behind. The best bet is to build proper defences

By Paul Wallace  

Bank of England governor Mark Carney has stressed the need for strong cyberdefences. Photo: FACUNDO ARRIZABALAGA/SHUTTERSTOCK

For more than a decade the World Economic Forum at Davos in January has got the year off to a bracing start with its “Global Risks Report,” based on a survey of business leaders, top academics and other experts. In recent years cyber vulnerabilities have consistently ranked among the main worries. The 2019 survey showed data fraud or theft, and cyberattacks, as the two most likely risks other than environmental dangers.

Where there are risks, there are insurers. Providing cover against cyber breaches is the new frontier. Cyber insurance now commonly covers costs arising from business interruption as well as compensation for users whose data has been compromised. The global market will reach between $8bn and $9bn (of gross written premiums) in 2020—more than double its size in 2017—according to Munich Re, an insurance group.

The market is growing fast—but it is still diminutive given the potential risks. Cyber insurance is dwarfed, for example, by the insurance markets for motor vehicles, and fire and other property damage, worth $420bn and $250bn respectively in 2017 among the G7. As James Dalton at the Association of British Insurers pointed out in May, “the cyber protection gap remains vast,” since estimates of the total global cost of cybercrime range “from the hundreds of billions to the trillions of dollars.”

That gap arises because the standard insurance model, developed for risks that can be quantified and diversified across policyholders, is ill-suited for the cyber age. Potential losses from cybercrime are hard to gauge but can be massive, including harm to intangible assets such as a company’s reputation. Attacks may hurt more than one business, creating the danger of “accumulation risk” where losses pile up from a single incident affecting many policyholders. Cyber underwriters lack the wealth of historical data available for property insurance when pricing risks. Even if they did have more information, the rapidly changing forms of threat could soon render much of it redundant.

Despite these drawbacks, insurers are providing greater cover against losses, especially among larger firms. But in many respects they can help businesses more by getting them to manage cyber risks more effectively, and offering emergency help if attacks do occur. Cyber insurance can act as “a catalyst for good security practice” according to the Digital Policy Alliance, a forum that has parliamentary as well as corporate members.

With or without such a catalyst, businesses need to invest in adequate defences to ward off attacks and ensure recovery when they occur. Such investment differs from a customary capital project in that it is precautionary, protecting against potential losses rather than yielding higher profits—in effect improving risk-adjusted returns. This is one of the costs involved in participating in the digital economy, which brings its own rewards. Whether or not it relies upon outside security consultants or is done in-house, it will not come cheap, since IT personnel are expensive.

Of course, ensuring greater cybersecurity is not a matter for businesses alone. The state must take the lead for both strategic and economic reasons. Attacks can cripple vital national infrastructures.

The state is already using its regulatory leverage to beef up cybersecurity in finance—a particularly enticing target for malicious hackers. The Bank of England and the Financial Conduct Authority (FCA) are on the case, rightly so given the quickening tempo of cyberattacks. The number reported to the FCA jumped from 24 in 2015 to 69 in 2018; on a different reporting basis, it rose again to 93 in 2018.

Since some breaches will occur no matter how robust defences appear, it is vital to be able to respond effectively. The Bank of England is conducting a pilot stress test on banks this year based on “severe but plausible scenarios” of what it coyly calls a “cyber incident.” The aim is to assess if they can recover swiftly and avoid customer payments being delayed to the next day.

Finance is particularly vulnerable but cyber risks now pervade much of the economy. Britain is exposed because it is among the most digitally evolved countries, ranking eighth among 60 economies according to an index compiled by researchers at Tufts University in Massachusetts. This reinforces the case for the state to lead a national effort.

In principle this is exactly what the government is seeking to do, through a five-year strategy until 2021. Helping to drive the project is the National Cyber Security Centre. However, a scathing report in March from the National Audit Office found inadequate progress towards the strategy’s 12 goals, only three of which were on track to be accomplished.

Cyberspace has become a new theatre of operations, where economic and strategic warfare are fought and digital variations on old crimes are staged. Insurance can help, but the priority is to invest in adequate defences. The government has a crucial role to play but good intentions are not enough—ministers must achieve concrete results.

This article features in Prospect’s cyber resilience supplement
