
Cyberattack weighs on bank regulation as more work from home

Source: Bloomberg Intelligence

This analysis is by Bloomberg Intelligence senior analyst Sarah Jane Mahmud, with assistance from Charles Graham. It appeared first on the Bloomberg Terminal.

The rising threat of cyberattack is one of the biggest risks facing the financial-services industry, exacerbated as the pandemic drives more employees to work from home. Insufficient protection could lead to major financial and reputational damage, especially with relatively new EU cybersecurity rules in place. That said, insurers may see a silver lining.

Coronavirus raises need for cyber hygiene

Banks are increasingly vulnerable to cyberattack as the coronavirus pandemic pushes more of their employees to work from home. Online systems have become mission-critical and it’s easier for cyber criminals to exploit the situation. Banks are particularly at risk due to the scale, sensitivity and value of the data they hold, heightened by digitalization and open banking. Costs escalate if an attack isn’t resolved quickly, with business disruption, income loss and damage to reputation key consequential risks.

[Figure: Cybercrime costs. Source: Ponemon Institute]

For banks, Tesco fine is just the beginning

As the FCA sharpens its focus on operational resilience, big fines are in store for banks that suffer a cyberattack, fail to report it to regulators and can’t mitigate its effects — it’d be a breach of the FCA Principles for Businesses. Its 16.5 million-pound fine on Tesco Bank, for failing to protect account holders from cyberattack, sets the tone for wider enforcement action, we believe. With over 50% of U.K. companies suffering at least one cyberattack in 2019, according to Hiscox, more attacks and fines are inevitable.

Tesco Bank’s fine was the FCA’s first for a cyberattack and first for enforcement of an IT-related issue since its 42 million-pound fine on RBS in 2014.

Insurers will see cyber-coverage demand grow

Insurers may see more demand for coverage against cyberattacks in 2H, we believe, as risks rise and companies seek adherence to the maturing EU Network Information Security Directive. Companies must disclose major IT breaches, exposing them to a fine that in the U.K. could reach 17 million pounds, though the FCA has discretion to impose larger penalties. While the cyber-insurance market is more mature in the U.S., large companies, such as AIG and Zurich, have developed policies alongside specialist insurers, including Hiscox and Beazley.

The global cyber-insurance market, valued at about $7 billion in 2020, could grow to $20 billion by 2025, according to Munich Re. The European market is estimated to be valued at over $1 billion.
