Government must step in on cyber attack risk, says insurer

Out-Law News | 10 Feb 2015 | 2:32 pm

Cyber attacks on businesses are such a threat that governments need to step in to cover the risks, the head of one of the UK's largest insurance companies has said. 

Stephen Catlin, head of the largest Lloyd's of London insurer, Catlin Group, told the Insurance Insider London conference that cyber security was the biggest risk he had seen in his career, and that insurance companies cannot properly take it on, the Financial Times reported.

Managing such a threat to business is a role for government, Catlin was reported as saying. 

The UK government has previously outlined its support for the cyber insurance market, saying that providers can help businesses improve the way they address risk and respond to security breaches.

"Insurers providing cyber breach and wider operational risk cover can play an integral role in driving improvements in cyber security risk management," the government said in a statement in November 2014. "By asking the right questions and helping customers, insurers and insurance brokers can help promote the adoption of good practice, including Cyber Essentials, that reduce the frequency and cost of breaches."

In new guidance issued in January, the government said businesses must accept that they will not be able to eradicate all risks and that they will need to handle uncertainty when taking decisions regarding technology projects.

Insurers are concerned at the exposure this brings. While traditional risks such as natural disasters tend to be geographically limited, cyber attacks can be global. The recent attack on Sony Pictures Entertainment was an example of how enormous such an attack can be, and of the potential crossover between cyber attacks and terrorism.

Insurance expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said: "In addition to insurance, gaps in compliance, legal and contractual protection regimes must be well thought out in order to deal with cyber risk effectively. These gaps could be in a business’s internal controls or processes or supply chain arrangements. They could also simply be in terms of how effective the organisation is at dealing with every aspect of crisis management. All avenues need to be addressed, as the damage that may result from a cyber threat may be just as much reputational as financial."

"Effective management requires co-ordination and collaboration between internal staff and professional advisers - from data security personnel to external legal support and reputational crisis management teams."