On March 23, 2015, Marsh and the United Kingdom Government released a Report titled: UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk [1]. The Marsh Report is stated to be “the result of close working between the Government and the insurance sector” in the UK and is intended to address the role insurers can play in reducing cyber risk.
This Report lends a unique perspective on how the insurance industry can help mitigate cyber threats and risks. It provides further guidance as the US Government and insurance industry struggle with insurance coverage for cyber threats and risks. For example, on March 19, 2015, the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security held a hearing titled, “Examining the Evolving Cyber Insurance Marketplace [2]” examining the insurance industry’s response to cyber threats.
The Marsh Report first examines legitimate concerns over estimates that cyber insurance costs approximately three times more than general liability and six times more than property insurance. While acknowledging costs may be higher for cyber insurance as research and modeling develops, the Report addresses other economic benefits provided by cyber insurance, which include:
- Insurance creates incentives to create safeguards against cyber threats.“Insurance places a cost on firms’ cyber risk through the premium they pay, and the prospect of a reduced premium then encourages firms to take steps to mitigate the risk.”
- Insurers gather information and gain a better understanding of cyber threats.“Insurance goes arm-in-arm with loss prevention. Insurers will help firms reduce their losses by providing insight from claims and near misses across their client base.”
- Insurers offer their collective experience to combat cyber threats.“Insurers bring their knowledge and experience of more established risks that can be applied to cyber.”
The Marsh Report also provides another interesting perspective on differences between the insurance markets in the US and the UK. “Insurers tend to conflate cyber with data breach given the well-developed demand for that coverage driven by US regulation.” Commentators are already suggesting [3] that the partnership between the Government and UK insurance companies may fill a gap caused by the lack of the public breach notification system found in the US. Further, the Report indicates there are “broader concerns” in the UK including business interruption, damage to property and theft of intellectual property, which the US system does not properly address.
The Marsh Report concludes with the suggestion that cyber risk management may provide “an export opportunity for London.” Specifically, the Report states that “[t]he London market is well positioned to compete for large and complex risks, and over time has provided innovative solutions for new threats.” Therefore, the Report concludes that “the sector is demonstrating that the UK is the natural home for a growing global cyber insurance market.”
The volatility in pricing in 2014 for cyber insurance is expected to continue in 2015 [4]. Since cyber insurance is still in the emerging stages, it is easy to question whether it is necessary. Some are already dismissing cyber insurance merely because there was no need, thankfully, for Y2K insurance. However, as the Marsh Report demonstrates, the UK is taking cyber insurance seriously and is hoping to make London the “global center” for cyber risk management. It will be important to monitor developments in the UK and question whether our system, driven by breach notification laws, is developing at a pace sufficient to respond to this risk.