In a recent FT article, Janet Williams, the lead on cybercrime initiatives for the Association of Chief Police Officers, commented that insurers should agree only to provide cover against cyber attacks to companies that meet a minimum cyber defence Kitemark standard.
Cyber crime attacks have now been upgraded to a “tier one” national security threat. Government statistics have estimated that cyber attacks cost businesses approximately £21bn a year and high profile commercial victims of cybercrime include Sony and Lockheed Martin, the military supplier. More recently, the website of the Serious Organised Crime Agency (SOCA) was subjected to a Distributed Denial of Service (DDoS) attack, which overloads a site with data requests with the aim of making it inaccessible to users.
In November 2011, the police central e-crime unit worked with various UK banks to convict members of an international cybercrime outfit who used a computer virus to steal £3m from online banking customers. This kind of collaboration signals an effort from businesses and financial institutions to discuss attempted cyber attacks to help the police combat cybercrime and to improve their own risk management procedures.
Another area of exposure to cyber attack will be operations for the London 2012 Olympic Games this summer: the organisers are already gearing up to deal with cyber disruption based on the experience of the 2008 Beijing Games, where operators reportedly received 12 million cyber attacks a day despite extensive firewall protection against computer viruses.
Insurers have responded to the notion of establishing minimum security standards to prevent cyber attacks through the launch of The Cyber Insurance Working Group. The Group plans regular meetings to develop a framework of recommended information security practices and procedures, including adequate business continuity plans and corporate information security policies.
The aim is that insurers providing security cover will be able to demand a specific structured demonstration of commitment from their insureds and ultimately avoid the costly fall out from claims, particularly in circumstances where there is little scope for insurers to make any significant recoveries in the event of a loss. Cyber attacks involving a complex web of data/security breaches and multiple individuals can be difficult to prosecute through the criminal courts and whilst companies and insurers may want to pursue civil cases against cyber offenders, it remains to be seen whether these actions would suffer from the same obstacles.
The benefit to insured businesses implementing the minimum standard will be a strengthened infrastructure and cyber risk mitigation.
This article first appeared in Law-Now, CMS Cameron McKenna's free online information service, and has been reproduced with their permission. For more information about Law-Now, see http://www.law-now.com/law-now/