Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, was commenting after the Association of British Insurers (ABI) called for a new "national, anonymised database recording details of cyber incidents at businesses" to be established.
The ABI said the database would "contain details of cyber incidents including business interruption losses, ransom demands, loss of confidential data, and damage to IT systems" and help insurers "improve pricing" of cyber insurance policies.
Huw Evans, the ABI’s director general, said that "the lack of data" on cyber incidents "is a huge inhibitor" to the UK's cyber insurance market. He called on the UK parliament to introduce a new cyber incident database through new legislation.
"We have 350 years of fire data and 100 years of motor and aviation data, but we have just a few years of cyber data," Evans said. "But cyber is the biggest insurable risk that the industry will have to meet, and it is critical to the economy. We’d like to see a not-for-profit, anonymised database covering things like business interruption costs, ransom demands, privacy breach claims and damage to IT systems."
"If it is not a requirement to report these losses, then insurers are not going to have the data they need to provide the right cover. It would have to be mandated by parliament, but it would need to be proportionate and manageable," he said.
Birdsey said that the UK's cyber insurance market is still "in its infancy" and that there is "limited cyber data available to insurers". However, he warned that insurers and businesses that buy cyber insurance might be wary that data about cyber incidents entered into a new database could be de-anonymised.
"Unlike other more established markets, underwriters do not have any meaningful management information to draw on when pricing risks or assessing cyber policy limits," Birdsey said. "While underwriters may welcome such data being made available to the market in principle, insurers may in fact be reluctant to share meaningful claims data with competitors. Anonymised data is susceptible to being reverse engineered. The specific nature of a particular cyber-event, including the unique facts underlying a data breach, may serve to increase this risk."
"Corporate insureds are unlikely to be in favour of a central database providing the insurance market with potentially sensitive and confidential details relating to their specific breach event, even if those details are anonymised," he said.