Quantifying reputational damage from cyber keeps insurers awake at night

Insurers are grappling with the quantification of the damage to a business’s reputation that arises from a cyber attack, as this is not currently covered in cyber policies across the industry.

This was one of the key themes that emerged during a panel of cyber specialists speaking at the Airmic Conference 2017.

Citing the recent global system outage of British Airways, the ransomware attack on the NHS, and the data breach of TalkTalk, there are subsequent damages that arise from such examples that the industry still needs to address.

All of the intangible costs that arise from reputational damage would not be picked up, argued William Wright joint head of privacy, cyber and technology at Paragon International Insurance Broker.

The reputation damage can transfer through loss of income, the costs of public relations and managing a brand in light of an event, for example.

“It’s one of the biggest challenges the insurance market faces - and I don’t believe we are quite at that stage yet - is how you actually put a number on reputational damage,” said Wright.

Christian Stanley, performance management directorate at Lloyd’s of London, who hosted the event, explained that the media attention from the high profile losses is making the industry question how to calculate the true cost of a cyber attack.

“Every day you open a newspaper and somebody has been hacked,” said Stanley. “Nobody wants to advertise if there is a breach.”

And the outage of British Airways illustrates this, according to Patrick Hill, cyber specialist and partner at DAC Beachcroft.

“Who would want to be the CEO?” Hill asked. Whether they come forward or hide from the media, the publicity is adversely impacted, he explained.

And from an insurer’s perspective, the quantification of reputation and brand damage is very difficult. Stanley said: “It’s what keep businesses awake. It’s a domino effect; it just gets worse and worse.”

Wright continued: “Share price drops, investor fallouts, extra costs to boards; all of these intangible would not be picked up by your standard cyber policy, but they’re huge.”

He explained that it would be a “wonderful world” if there was a metric that can pinpoint where a business stands before and after an event, with a payout calculated accordingly. “I applaud any insurer that comes out with that product,” Wright said.