Cyber liability insurance is a newly established insurance category in the UK, estimated by the industry to represent GBP3–4 million, or just 0.01 per cent of the country’s non-life gross written premiums. However, this belies the market potential, with an estimated 4.8 million private businesses registered in the UK and growing use of the internet among these firms.
Indeed, it is developments in the use of information technology for business that have highlighted the issue of liability in cyberspace. Firms collect, manage and store data electronically, social media interaction has increased and portable computing devices are growing in popularity. This technological evolution means UK firms are increasing their exposure to cyber threats such as hacking, extortion, data leaks and business downtime, all of which could result in an onerous financial burden to resolve.
A number of high-profile data leaks during 2011 and 2012 highlighted the costs involved when personal data is exposed. Beyond the obvious monetary costs of launching an investigation and settling compensation payouts come the costs that are more difficult for underwriters and businesses to quantify: damage to reputation, business disruption and lost business all have to be taken into consideration. A joint industry and government report, the Information Security Breaches Survey for 2013, calculated that in the aftermath of its most serious data breach, the highest cost to a large firm (more than 250 employees) stemmed from damage to reputation, followed by response costs and business disruption (see chart, below). For smaller businesses the cost of business disruption is, on average, eight times higher than any other resulting cost.
[Chart: Average cost of a large organisation's worst cyber incident (GBP, 2012)]
Industry surveys suggest a low awareness of cyber liability products among UK businesses. In all likelihood, managers believe these intangible risks are covered by their existing commercial liability insurance policies, yet traditional policies do not tend to address issues related to the internet or electronic data.
If the growing risk in the impalpable world of cyber data does not provide the catalyst for uptake of cyber liability insurance, regulatory changes will likely prove the strongest incentive for British businesses. The European Commission (EC) aims to harmonise laws on the protection of personal data across the EU. In the event of personal data being exposed, firms will be mandated to notify national authorities - the Information Commissioner's Office in the UK - and will face fines for non-compliance. The new law is slated for introduction in 2014 and is expected to be the primary growth driver of cyber liability insurance over the next five years.