Can insurers help cut cybercrime across UK businesses? Whitehall is hoping so.
Most organisations are constantly being probed by hackers from across the globe. However, stopping, investigating, or prosecuting attackers is all but impossible as in most cases police lack (among other things) the jurisdiction, skills, evidence, and motivation to pursue such cases.
This means most companies have been left to defend themselves against hackers, and they aren't doing a brilliant job: one survey suggested that across a number of countries, there were on average.
Encouraging the creation of an insurance market for online crimes could help enforce standards of security, just as home insurers insist on particular types of locks on doors and windows before they will agree a policy. This makes it harder for burglars to break in and potentially reduces the burden on the police.
Earlier this week a dozen of the UK's biggest insurers met with the Cabinet Office, officials from the Department for Business, Innovation and Skills, and officials from surveillance agency GCHQ to discuss the issue.
The government argues that insurers are in a good position to encourage businesses - small ones especially - to improve their cybersecurity by asking tough questions about their breach and operational risk policies. At the same time it also wants to promote London as a hub for the nascent cyberinsurance marketplace. According to the Financial Times, despite the cost of cybercrime, only around $150m in related insurance is bought by businesses across Europe each year.
A group of insurers will look at issues such as how insurance can improve cybersecurity practice in UK businesses, modelling the impact of cyberattack scenarios on UK businesses, and how the insurance industry can help reduce the impact of cyberattack on critical national infrastructure. The group plan to report to the Cabinet Office by April 2015.
Cabinet Office minister Francis Maude said: "Cyber insurance does not replace the need for good cybersecurity practice but is an added protection for businesses in the event of breaches." But, like any other form of insurance, the risk with insuring against cybercrime is that businesses become less vigilant knowing they are protected, Maude continued.
Mark Brown, executive director of cybersecurity at Ernst & Young, said many firms are now focusing on how they protect against the consequential financial impacts of a cyber incident and are turning to insurance as a mechanism to alleviate risk.
But he added: "Whilst insurance offers financial protection to businesses, it does not incentivise businesses to invest in enhancing their cyber security defences." He said organisations that demonstrate good cybersecurity should be rewarded through lower premiums, adding: "This would align to steps taken by insurers offering protection against wider business interruption and ensure that such risks were being appropriately managed by businesses and not just managed through insurance coverage."