RAN0021
Written evidence submitted by ABI & IUA
The UK insurance and long-term savings market
The Association of British Insurers (ABI) is the voice of the UK’s world-leading insurance and long-term savings industry. A productive and inclusive sector, our industry supports towns and cities across Britain in building back a balanced and innovative economy, employing over 300,000 individuals in high-skilled, lifelong careers, two-thirds of which are outside of London.
The UK insurance and long-term savings industry manages investments of over £1.9 trillion, contributes over £16bn in taxes to the Government and supports communities across the UK by enabling trade, risk-taking, investment and innovation. We are also a global success story, the largest in Europe and the fourth largest in the world.
The ABI represents over 200 member companies, including most household names and specialist providers, giving peace of mind to customers across the UK. Please note we would be happy, and stand ready, to provide further information if this would be helpful to the Joint Committee.
The International Underwriting Association of London (IUA) is the representative body for companies in London providing international and wholesale insurance and reinsurance coverage. Its mission statement is to secure an optimal trading environment for London insurance companies.
The IUA’s London Company Market Statistics Report shows that overall premium income for the company market in 2021 was £35.654bn. Gross premium written in London totalled £30.114bn, whilst a further £5.540bn was identified as written in other locations but overseen by London operations.
For the purposes of this response, ‘insurers’ refers to insurance, reinsurance and long-term savings companies.
Executive Summary
- The ABI and the IUA welcome the opportunity to submit evidence to the committee’s inquiry. We look forward to continuing to work with the Committee and if any further information would be helpful for the inquiry, please do not hesitate to get in contact. Our response does not attempt to answer all of the Committee’s questions but provides key points from our sector where relevant to the inquiry. Ransomware is one of the most significant threats facing businesses in the UK and this threat will likely grow more prominent in the future. SMEs are particularly vulnerable to attacks, largely due to low levels of cyber resilience, which criminals knowingly exploit.
- Cyber insurance is a vital component of any strategy aimed at mitigating ransomware and other cyber risks, improving cyber security and supporting customers. It provides a valuable layer of protection, helping businesses both prevent ransomware attacks from occurring, and if attacks do happen, assisting in the recovery process. More widely, cyber insurance helps to achieve the Government’s goal of making the UK one of the most secure places in the world to do business. While insuring against ransomware incidents is becoming increasingly difficult due to the global rise in the frequency and severity of cyber incidents and ransomware attacks, insurers are determined to offer the best level of service to customers and have responded by evolving their product offering.
- There are limits to what the private sector alone can achieve on ransomware and it requires greater levels of Government intervention and investment. Crucially, Government must avoid a ban on ransomware payments, as this is likely to have an adverse effect on businesses affected by ransomware attacks, and should work with international partners towards global regulatory consistency and clarity on ransomware.
Introduction
- As identified by the Integrated Review and 2021 National Cyber Strategy, ransomware is one of the most harmful forms of cybercrime and one of the most significant cyber threats facing the UK, so it is essential that the UK continues to develop, adapt and strengthen its cyber resilience in the face of an evolving threat. The ABI & IUA have submitted a joint response as the insurance industry is in agreement and aligned on the extent and nature of the ransomware threat as well as the reforms that will enhance the UK’s resilience to ransomware and reduce the economic and societal damage it causes.
The extent and nature of the ransomware threat (including sources), modes of extortion, and how the threat could evolve in future;
- Ransomware is one of the most significant threats facing businesses in the UK and beyond, with ransomware attacks costing organisations more than £58 billion per year globally. This figure is likely to grow in the future, with businesses recently noting sustained growth in data breaches and business interruption costs due to ransomware attacks.
- SMEs in particular are being targeted in greater numbers as these attacks have become increasingly lucrative and low-cost for organised criminals. Insurers have observed a growth in the number of and monetary value of such attacks. The Hiscox Cyber Readiness Report 2022 found that 16% of UK companies have experienced a ransomware attack, an increase of 3% from 2021.[1] Claims specialists and underwriters suggest that from their experience, the cost of ransomware attacks on an SME can range from £25,000 to £100,000. Insurers have also suggested that this range has the potential to be significantly higher, which in turn would increase the global cost of ransomware attacks.
- Even an unsophisticated cyber-attack can have a significant impact on businesses, preventing them from accessing data and key digital assets for days and even weeks. This causes huge disruption to trade and negatively affects the public’s perception of the organisation in question. In fact, the financial impact of such events can quite easily overwhelm firms that do not have insurance cover in place.
- Criminals are also increasingly looking to sell stolen data from attacks on the dark web, beyond just disrupting an organisation’s operations as has been common in recent years.
- We are now also increasingly seeing ransomware as a service (RaaS), where bad actors can buy already developed ransomware tools, which they can use to execute an attack even as a novice. This threat will likely continue to become more common unless government and industry act now to prevent it.
Levels and sources of vulnerability of UK organisations to ransomware, including operators of critical national infrastructure;
- Micro, small and medium organisations often have low levels of cyber resilience due to limited financial resources, technical expertise, and an underappreciation of cyber risk, which makes them vulnerable to ransomware attacks. In particular, SMEs often do not fully appreciate the effect that a successful ransomware attack would have on their business operations. This may also contribute to a lack of awareness of the preventative measures that could have been implemented.
- SMEs also face specific challenges in identifying the types of technical controls and IT Security they should implement to attain at least an adequate level of cyber security. These will vary significantly based on the organisation’s size, amount and type of data held, reliance on data, and digital infrastructure for doing business. Improved Government guidance on what constitutes good cyber security would enable SMEs to target limited financial resources into the security measures that are likely to be the most effective. This is particularly significant given that SMEs comprise a large part of the UK economy, accounting for 99% of all UK businesses.
- Larger organisations do not face the same commercial challenges for investing in an appropriate level of cyber security or for procuring cyber insurance that suits their needs. They tend to have the financial and staff resources to invest in more up-to-date IT systems and have access to greater levels of technical expertise in assessing risk and the appropriate mitigation mechanisms. They may also have dedicated staff to manage operational risks to the business and are more conscious of the reputation and business continuity repercussions of a successful cyber-attack or the financial penalties imposed under the mandatory breach reporting requirements of the General Data Protection Regulation (GDPR). These types of requirements increase the financial and operational burden for firms in dealing with data breaches and are, therefore, likely to encourage firms to consider mitigating against the risk of a breach.
- Among larger organisations, insurers find that there is also a greater appreciation of the interconnectedness of business systems, meaning that a breach in one business can have repercussions for the supply chain. This contagion effect can lead to the suppliers, customers, and strategic partners of a targeted business being as vulnerable to an attack as the primary target itself. Greater awareness of this systemic risk in larger organisations has occurred as their focus has increasingly turned to business continuity planning and managing the effects of business interruption resulting from a wide variety of risks.
- In recent years, high profile cyber-attacks such as NotPetya and WannaCry have raised awareness among larger organisations of potential cyber threats, as have well-publicised data breach fines imposed by the Information Commissioner’s Office (ICO) on companies like British Airways. These events were large-scale and received significant media interest, motivating company boards to take more interest in the cybersecurity of their organisations. However, larger corporations still often treat improved cybersecurity and insurance as a choice for financial allocation purposes and not mutually reinforcing tools for ensuring cyber resilience.
- In all companies, practising good cyber hygiene, using multi-factor authentication and regularly updating and patching anti-virus and firewall software is key to reducing cyber risk, as well as educating staff on the importance of cyber security. Human error remains a key weakness for organisations of all sizes, with an estimated 90% of attacks made possible through human error. Moreover, experiencing a cyber-attack does not lower the likelihood of experiencing a second attack immediately after; on the contrary, it can often increase the vulnerabilities exposed.
- Insurance will play some role in protecting firms in the UK who fall within the thirteen sectors considered to be critical national infrastructure from cyber risk, as well as some firms who may be exposed to risks associated with organisations within these thirteen sectors. However, there will also be areas where insurers exclude risks associated with critical national infrastructure, to protect themselves from scenarios which create significant aggregation risk. This is in line with insurers’ responsibility to regulators to manage their exposures prudently.
The UK victim experience, including sources of support for prevention, detection and recovery, public-private partnerships, the role of the media, access to and availability of insurance cover, and regulatory requirements placed on ransomware victims;
- Cyber insurance is one vital component of any strategy aimed at mitigating cyber risks, improving cyber security and supporting customers. Coverage to address ransomware is often offered as part of a cyber insurance policy, either in standalone cyber insurance policies or as an add-on to other general insurance policies, subject to each insurer’s individual terms and conditions. In addition to paying out in the event of a cyber incident, insurance makes an important contribution to the management of cyber risks, such as by helping policyholders to apply better risk mitigation techniques to minimise exposure and damage, staff training, access to threat intelligence, vulnerability assessments, offering post-incident forensic, crisis management, legal and public relations support. These services, which are provided both pre- and post-breach, have important risk-mitigating and risk-containment effects by assisting businesses in protecting themselves, and getting back up and running after an event.
- Cyber insurance has grown significantly in recent years, yet uptake remains low among UK businesses, especially in comparison to the US market. It was estimated in 2016 that 85% of standalone global cyber insurance premium is for US risk ($1.3bn).[2] Surveys suggest that the cyber protection gap is higher for small businesses than larger corporates in the UK, and financial services firms are more likely than firms in other sectors to have some cover.[3]
- Cyber insurance provides a valuable layer of protection, helping achieve the Government’s goal of making the UK one of the most secure places in the world to do business. In addition to the financial security cyber insurance can provide, in the context of the Cyber Security Breaches Survey, various organisations highlighted the extras that went alongside any liability cover, as their main drivers for taking up cyber insurance. The firms felt that these extras such as having access to a breach management team or a forensics team, would help them manage the reputational damage from a breach. Indeed, cyber insurance was seen as a useful ‘badge of honour’ by some respondents. Given the potential contagion effect of cyberattacks, an increase in the number of firms with cyber protection is likely to have positive externalities across the whole economy. Like stopping a forest fire from taking hold, by preventing a cyber-attack on one firm, other firms that might have been affected as a consequence are also protected. Thereby, in addition to directly assisting and encouraging firms in improving their cyber security protection, where it breaks the chain of contagion, cyber insurance can have a broader impact.
- Insuring against ransomware incidents is becoming increasingly difficult due to the global rise in the frequency and severity of cyber incidents and ransomware attacks. The increase in attacks has been reflected in cyber insurance claims. According to Marsh, ransomware claims accounted for 32% of cyber claims in 2020 compared to an average of 14% during 2016-2019.[4]
- The effect of an increase in ransomware attacks is one of the primary drivers that has caused the cyber insurance market to ‘harden’ in recent years. What this means in practice is that premiums may increase, insurers are more selective about the risks they are willing to insure or may impose tighter terms & conditions, such as more risk requirements, larger excesses or coinsurance, on policyholders. Businesses that already have robust cyber security practices that meet insurers’ risk appetites will find it easier to access affordable insurance.
- Insurers remain determined to offer the best level of product and service to their customers and the increase in ransomware attacks has prompted many insurers to evolve their offering:
- Increasingly upskilling their staff by developing or acquiring in-house cyber security and Incident Response capabilities to triage and respond to incidents more effectively, instead of outsourcing to third parties.
- There has been an increased focus on incentivising businesses towards stronger security practices, in particular a focus on implementing cybersecurity measures to manage exposures at the policyholder level before residual risk is transferred to the insurance market.
- Creating networks of support organisations (Incident Response, breach counsel, Public Relations) to assist victims in making informed and cost-informed decisions when a ransomware attack occurs.
The effectiveness of the response to ransomware by Government, law enforcement agencies and other UK state actors, including key operational challenges and ministerial oversight;
- The insurance industry believes the response to ransomware by Government and related agencies could be made more effective; please see our answer below for details.
Reforms that might enhance the UK’s resilience to ransomware, reduce the economic and societal damage that it causes, and/or support the law enforcement response;
- There are limits to what the private sector alone can achieve on ransomware, and ultimately it requires greater levels of Government intervention and investment. The insurance industry believes the following would be useful interventions from Government to combat ransomware:
- Avoid a ban on ransomware payments, as this is likely to have an adverse effect on businesses affected by ransomware attacks, such as increased insolvencies and unemployment. If a ban is considered, the Government should be ready to step in and provide necessary relief for businesses who fall victim to a ransomware attack.
- Work towards global regulatory consistency and clarity on ransomware, as discussions over potential bans on ransom payments, and uncertainty over the international response, can impact the insurance market, potentially leading to reduced or more limited ransomware cover, which may leave customers more exposed.
- There is also more that can be done to reduce the frequency and severity of ransomware attacks by improving the cyber resilience and cyber risk management of UK businesses, particularly at the SME level. The insurance industry believes the Government should take the following actions in partnership with the private sector where appropriate to further improve the UK’s cyber resilience:
Engage in targeted public policy interventions to assist in the sustainable growth of the cyber insurance market
- Understanding the complementary role played by cyber insurance in managing cyber risks is limited, and the take-up of cyber cover remains relatively low in the UK. Department for Digital, Culture, Media & Sport’s (DCMS) Cyber Breaches Survey 2022 highlights that only 5% of businesses have a specific cyber insurance policy. There is a substantial public benefit attached to greater cyber insurance take-up. Above the current efforts of the Government to improve the cyber capabilities of UK organisations, the insurance industry would recommend:
- The Government uses its guidance channels to improve public awareness and understanding of the risks UK businesses face from cyber-attacks and the role of cyber insurance in helping to mitigate those risks. We are not aware that a single current piece of UK Government guidance or campaign relating to cyber security refers to the need to consider taking out cyber insurance. The development of the National Cyber Security Centre (NCSC) cyber insurance buyers’ guide for SMEs is a welcome step in the right direction, but there is more still to do.
- The Government encourages a greater focus on education for smaller insurance brokers. Insurers have noted that many smaller brokerage firms are unfamiliar with the cyber insurance market and its product offerings and, as such, are not equipped with the information necessary to provide companies, particularly SMEs, with the tools to fairly assess their risks and to purchase insurance products suitable to the relevant company’s needs. The insurance industry supports a greater focus on education for smaller insurance brokers, as greater broker expertise ensures businesses have more rounded protections in place: not only appropriate IT expenditure and insurance, but also internal controls such as completion of Cyber Essentials, IT security monitoring services and encryption of sensitive and confidential data. This education should focus on the added value services that cyber insurance policies provide and which are vital in improving businesses' cyber resilience.
- Continue to improve the cooperation between government departments, including DCMS, Department for Business, Energy and Industrial Strategy (BEIS), and HM Treasury on cyber-related issues as well as with non-departmental public bodies such as the NCSC, the ICO, and the National Cyber Crime Agency to improve how information and data are shared.
Make information for cyber risk management more transparent, accessible and trusted
- Organisations would benefit from more information on the threat levels their sector faces from malicious cyber-attacks and the types of evolving threats as and when they emerge. This information could be provided through targeted campaigns that focus on industry sectors, especially on those sectors and businesses in the UK economy that are not at high risk of a cyber-attack or data breach and have, as such, developed a belief that their businesses are not at risk from such an attack. These campaigns could be disseminated on a regional basis to ensure the applicability of the information to local business interests.
- Information that is not tailored to take account of the range of risks different sectors face will be of less value and not as relatable to organisations that do not have the appropriate IT expertise. Equally, the current diversity of information sources can prove confusing with conflicting messaging diluting the impact of guidance on the key changes an organisation can make to improve cyber resilience dramatically. The insurance industry supports greater harmonisation of messaging across government organisations and a stronger role for the NCSC in disseminating key cyber security messages.
- The lack of data available to insurers to help them understand cyber risks remains an important hindrance to further growth of this market. Higher levels of inherent uncertainty can limit the policy coverage insurers are able to provide, given the requirements on insurers to prudently manage their potential exposure.
- In direct response to the lack of data available to insurers, the insurance industry worked with the ICO to increase access to the mandatory data it collects from businesses that suffer a data breach. The aim is to improve the cyber insurance industry’s ability to assess risk, to help firms plan for and mitigate those types of risks, and to enable insurers to underwrite policies and model risks and outcomes with a greater degree of accuracy. We therefore strongly welcome the ICO’s new data security incidents dashboard.[5] We believe the dashboard will provide new and useful insights into data security incidents and trends and will help cyber insurers to understand the evolving profile of cyber and data risk. The datasets will improve the ability to understand the changing nature of cyber threats to UK organisations and allow insurers to provide more tailored products, tools and expertise to businesses.
Work with industry to help small businesses understand their cyber risks and adopt the right protection
- The digitalisation of virtually all productive activity in everyday society brings with it a wide array of social and economic benefits. However, it also creates large and often poorly understood risks that have the potential to cause economic damage, threaten the rights and safety of individuals, and harm our national security. Managing these cyber risks is consequently one of the largest public policy challenges we face.
- As mentioned above, micro, small and medium sized organisations are identified as having low levels of cyber resilience. Hence, improved government guidance on what constitutes good cyber security would enable SMEs to target limited financial resources into the security measures that are likely to be the most effective. The Government should aim to further increase understanding of the level of risk organisations face from malicious cyber-attacks through the use of promotional campaigns, focusing particularly on SMEs and using information from the NCSC, Action Fraud, and the ICO to demonstrate the prevalence of such attacks among all business types at a regional and national level. Through highlighting the risks that organisations face, and the costs resulting from successful attacks in a relatable manner, SMEs may be more likely to seek greater information and support on cyber security and to consider the benefits offered by cyber insurance products.
Promote simple security steps, such as multi-factor authentication, that protect us all, especially the most vulnerable
- IT forensic providers have highlighted that a significant increase in the cyber security of companies could be achieved if companies turned on multi-factor authentication login capabilities. Organisations employing single factor or similar login systems are particularly vulnerable to breaches and make up a significant proportion of cyber insurance claims. Few companies are aware of this risk, and many IT manufacturers have this facility switched off as standard. IT manufacturers could significantly increase cyber resilience by making multi-factor authentication login a standard feature of their software.
- The Government should also give due consideration to mandating organisations to nominate a named professional to hold specific responsibility for the cyber security and resilience of their organisation. The insurance industry is conscious of not placing an increased burden on businesses, particularly SMEs; however, the creation of such an obligation on businesses may serve to highlight cyber security issues and increase focus and investment on cyber resilience measures such as the updating of IT systems or the purchase of appropriate cyber insurance products.
Increase the number of recognised certifications and standards for insurers to recommend in their insurance products and drive up security
- The constantly evolving nature of cyber-attacks and the variation of threat profile based on organisation size and economic sector makes the standardisation of assessing and defining effective cyber risk management particularly difficult.
- The insurance industry supports the work of the NCSC and their Cyber Essentials program and can see the benefit of promoting a basic cyber security checklist that encourages organisations to assess their firewall and anti-virus software and to back up their data regularly. This checklist could also support SMEs who outsource their IT in purchasing the correct support from their IT outsourcers. This could include information on why some services are important to purchase, and broaden the focus from procuring the cheapest service to the services that best meet their needs.
- Another key area in which the Government could provide greater guidance and support relates to creating standardised advice on instilling a secure cyber culture for employees in organisations of all sizes. Providing easily accessible checklists and training could reduce cyber incidents significantly, with little or no financial cost to organisations.
The scope for international cooperation to combat the global ransomware threat more effectively, including on crypto-currency regulation;
- We believe that international cooperation is imperative to combat the global ransomware threat. As mentioned above, the insurance industry believes the UK Government should work towards global regulatory consistency and clarity on ransomware. Discussions over potential bans on ransom payments and uncertainty over the international response can impact the insurance market potentially leading to reduced or more limited ransomware cover, which may leave customers more exposed.
Lessons that could be learned from other countries’ approaches and responses to ransomware.
- Some countries have considered implementing a ban on ransomware payments. As discussed above, we believe the UK Government should avoid a ban on ransomware payments, as this is likely to have an adverse effect on businesses affected by ransomware attacks, such as increased insolvencies and unemployment. If a ban is considered, the Government should be ready to step in and provide necessary relief for businesses who fall victim to a ransomware attack.
16 December 2022