In a recent FT article, Janet Williams, the lead on cybercrime
initiatives for the Association of Chief Police Officers, commented
that insurers should agree only to provide cover against cyber
attacks to companies that meet a minimum cyber defence Kitemark
standard.
Cybercrime attacks have now been upgraded to a "tier
one" national security threat. Government statistics have
estimated that cyber attacks cost businesses approximately
£21bn a year, and high-profile commercial victims of
cybercrime include Sony and Lockheed Martin, the military supplier.
More recently, the website of the Serious Organised Crime Agency
(SOCA) was subjected to a Distributed Denial of Service (DDoS)
attack, which overloads a site with data requests with the aim of
making it inaccessible to users.
In November 2011, the police central e-crime unit worked with
various UK banks to convict members of an international cybercrime
outfit who used a computer virus to steal £3m from online
banking customers. This kind of collaboration signals an effort
from businesses and financial institutions to discuss attempted
cyber attacks to help the police combat cybercrime and to improve
their own risk management procedures.
Another area of exposure to cyber attack will be operations for
the London 2012 Olympic Games this summer: the organisers are
already gearing up to deal with cyber disruption based on the
experience of the 2008 Beijing Games, where operators reportedly
received 12 million cyber attacks a day despite extensive firewall
protection against computer viruses.
Insurers have responded to the notion of establishing minimum
security standards to prevent cyber attacks through the launch of
The Cyber Insurance Working Group. The Group comprises technology
insurers including Liberty, Zurich and CNA Europe, plus specialist
technology insurance broker Oval. Other insurers selling cover for
cyber attacks and security/data breaches could be keen to
participate.
The Group plans regular meetings to develop a framework of
recommended information security practices and procedures,
including adequate business continuity plans and corporate
information security policies.
The aim is that insurers providing security cover will be able to
demand a specific structured demonstration of commitment from their
insureds and ultimately avoid the costly fallout from claims,
particularly in circumstances where there is little scope for
insurers to make any significant recoveries in the event of a loss.
Cyber attacks involving a complex web of data/security breaches and
multiple individuals can be difficult to prosecute through the
criminal courts, and whilst companies and insurers may want to
pursue civil cases against cyber offenders, it remains to be seen
whether these actions would suffer from the same
obstacles.
The benefit to insured businesses implementing the minimum
standard will be a strengthened infrastructure and cyber risk
mitigation.
This article was written for Law-Now, CMS Cameron McKenna's free online information service.
The original publication date for this article was 04/05/2012.