A quick history lesson for you. Earlier this month, we commemorated the 352nd anniversary of the Great Fire of London, which destroyed 13,200 homes, as well as St Paul’s Cathedral. The giant Monument is a stone’s throw from the City A.M. offices.
The fire blazed from 2 to 6 September, and the inhabitants of London had to rely on basic fire services run by local church parishes – there was no state-run fire service at the time.
In fact, the London Fire Brigade wasn’t established until 1865, nearly 200 years after the Great Fire.
What happened during those two centuries? As a result of the fire, several businessmen set up insurance companies to protect properties – and as the most common risk to property was fire, these insurers also created the first fire engines to put out blazes.
This led to a bizarre situation where several fire engine crews would rush to the scene of a fire, but only extinguish properties insured by their parent company, leaving the rest to burn. Buildings that were insured had signs on their front called fire marks – many of these are still visible in older parts of London.
The point of this history lesson is that there are strong parallels between the Great Fire and the subsequent birth of the property insurance industry, and the growth of cyber insurance today – a type of cover that businesses can take against digital threats such as ransomware and data theft.
“We’re seeing history repeating itself, and cyber insurers today are setting up the equivalent of digital fire engines,” says Graeme Newman, chief innovation officer of cyber insurance provider CFC Specialists.
“WannaCry in May 2017 and NotPetya in June 2017 – these outbreaks of malware and ransomware are very much like the Great Fire of London. When businesses get affected, who do they call? There is no state-provided IT security service.”
This isn’t strictly true. There’s the National Cyber Security Centre, which is part of GCHQ, and there is Action Fraud, a branch of the police where people can report fraud and cyber crime.
But Newman argues that these are insufficient: the former is focused on protecting national infrastructure, rather than individual businesses, while the latter isn’t going to send someone to fix the problem. This has left a gap for the private sector to fill.
“Fundamentally, the state has not provided the services to support businesses, and that’s what the cyber insurance industry is doing,” Newman adds.
And the industry is growing rapidly. In 2016, brokers Aon valued the global cyber insurance market at $2.3bn, and a recent report from EY says cyber is the fastest growing line of insurance. Newman’s company, CFC, is growing at 30 per cent a year.
Putting out cyber flames
Cyber insurance isn’t a replacement for cyber security, but complements it. And it works differently to traditional insurance, where you would typically insure a physical item and claim for its value if it's lost, stolen, or damaged.
First, businesses are insuring intangible assets – their data, customer information, intellectual property, etc.
Second, cyber insurance is more like a service – when a firm is hacked, cyber insurers will work to help reclaim data if possible, and help to rebuild and restore data if not.
So, what actually happens when an affected company makes a cyber insurance claim?
“We had a business where the data was irrecoverable,” says Newman. “It was an engineering firm. They lost gigabytes of data, lots of drawings and diagrams, so we paid the cost of them bringing in third-party contractors to rebuild those plans. It cost roughly £500,000 to reconstitute that data.”
Newman reveals that ransomware attacks – where a hacker encrypts data and computer systems until a ransom is paid – are the most common issue that they deal with, making up a third of claims. While the general advice given to the public is not to pay a cyber ransom, Newman says that many businesses don’t have a choice.
“This is an uncomfortable topic – people don’t like paying ransom. They will assume that is us funding and perpetuating crime. Far from it. It’s the last port of call, but sometimes it’s the only port of call.”
If a company has to pay a ransom, CFC will first work out if the theft is genuine: does the hacker actually have the data? CFC hires a threat intelligence agency, which will try to get a data sample from the hacker, which can be cross-referenced with the company’s records.
They’ll then help to facilitate the payment, which is usually in a cryptocurrency like bitcoin.
“Meanwhile, we’ve got security people looking at how the hacker got in, what they took, and the extent of the damage, in order to close off the vulnerability and make sure they can’t get back in,” says Newman.
In the case of a data theft, there’s the risk that the hacker will publish sensitive customer data. The company then has the tricky task of working out who (if anyone) was affected by the data breach – and informing them. This can be an expensive task, but again is covered by the cyber insurance.
“We pay the cost of investigating the extent of a data breach, the cost of remedying the source of the problem, the cost of putting together and sending out a notification. What you can’t do is just write a letter and say ‘sorry, we’ve lost your sensitive data’ – you have to put in a set of steps that victims can take to protect themselves,” he explains.
As well as protecting a firm’s bottom line by covering losses, cyber insurers can offer plenty of advice to the industry. Dealing with so many cyber incidents gives them the advantage of spotting trends. For instance, email is a common point of vulnerability that hackers abuse. Such abuse can easily be prevented by multi-factor verification – where users confirm their identity using a second device when they log in – but many businesses and their employees don’t use it.
“The vast majority of crimes are really basic, but most UK businesses don’t take the most basic of precautions, such as multi-factor verification, or doing vulnerability scans on a regular basis,” despairs Newman.
“Ultimately, cyber insurance has a role to play in helping businesses to understand where to put their limited IT security spend, and hopefully put it in better, more effective areas.”
It took almost two centuries after the Great Fire of London for the city to get a public fire-fighting service. Who can say whether we will get a publicly-funded cyber crime-fighting service, but in the meantime, cyber insurance will be there to help put out digital blazes.