An IB Times article on the Lloyd’s of London cyber insurance market, published today, contains some interesting facts and figures—particularly about sources of loss and their relative importance:
‘Only between 10% and 11% of losses come from actual malware and hacking. Obviously hackers pose a big risk to companies that have lots of credit card records, for instance. But the majority of losses can be attributed to human error—losing laptops or smartphones, or sending data places that you shouldn’t.’
While the percentages above are striking, they are encouraging to the extent that they implicitly suggest that a significant proportion of losses may, in fact, be relatively easily remedied—through a combination of education and awareness, plus the exercise of basic cyber “hygiene” and due diligence more generally. Such cases would, of course, stand in contrast to those where loss of the device or data results from intentional (rather than inadvertent, even if careless) behavior.
The article also contains the following observation by cyber underwriters:
‘We are writing 10 times more business than two years ago.’
This exponential increase has been accompanied by intensified efforts within the insurance sector to determine premiums and work out the mechanics of underwriting in this context. However, this exercise remains something of a work in progress. As Ian Allison, the article’s author, writes, Lloyd’s CEO Inga Beale has characterized cyber insurance as “a co-mingling of science and art.” Yet the same could also be said of law enforcement, counterterrorism, and other safety & security-related endeavors. While the hybrid nature of the challenge enhances its complexity, it should not prove to be a total bar to progress in any of these contexts. Successes in post-9/11 law enforcement and counterterrorism experience, at least, offer some support for such cautious optimism.