Anonymous U.K. cyber database faces misgivingsReprints
In an attempt to help insurers better understand and price cyber risks, the Association of British Insurers has called for an anonymous database of incidents. But a legal expert said insurers and buyers still may be reluctant to share such information.
The London-based ABI said in a statement that it hopes keeping an anonymous database of cyber incidents — including business interruption losses, ransom demands, loss of confidential data and damage to information technology systems — could help the U.K. become a world leader in cyber insurance coverage.
The ABI said such a database, which would be nonprofit, could build upon the E.U. European Network and Information Security Directive that will, from 2018, require some firms to provide notification of cyber breaches.
The ABI said the data would be stripped of identifying information and made available to insurers to help them better price cyber coverage.
“Cyber losses are the biggest threat to Britain's world-leading digital economy, and we need to capture more data to get on top of the problem,” Huw Evans, director general of the ABI, said in the statement released last week.
“We have 350 years of fire data and 100 years of motor and aviation data, but we have just a few years of cyber data. But cyber is the biggest insurable risk that the industry will have to meet, and it is critical to the economy,” he said.
“Nothing hinders the growth of an insurance market more than a lack of data,” he added. “More data can help stimulate the cyber insurance market, giving greater choice to businesses in insuring against cyber losses.”
“The U.K. cyber market is in its infancy, with limited cyber data available to insurers,” Ian Birdsey, a partner and cyber risk and insurance expert at law firm Pinsent Masons L.L.P. in London, said in an email.
“Unlike other more established markets, underwriters do not have any meaningful management information to draw on when pricing risks or assessing cyber policy limits,” he said. “While underwriters may welcome such data being made available to the market in principle, insurers may, in fact, be reluctant to share meaningful claims data with competitors.
“Anonymized data is susceptible to being reverse-engineered. The specific nature of a particular cyber event, including the unique facts underlying a data breach, may serve to increase this risk,” he said.
“Corporate insureds are unlikely to be in favor of a central database providing the insurance market with potentially sensitive and confidential details relating to their specific breach event, even if those details are anonymized,” Mr. Birdsey said.