# Opener

The Implications for Insurers: Capita and Southern Water Cyber Breaches

Published by Gavin Lillywhite

This March, Gavin Lillywhite, Axio’s Head of Insurance Distribution & Client Management, discusses the Capita and Southern Water cyber breaches and their implications for insurers.

Capita’s 2023 cyberattack costs prove significant as it reports a staggering £100M+ loss

On 22nd March 2023 Capita, a major UK IT and software outsourcing company, suffered a major data breach leading to the exfiltration and compromise of the data of roughly half a million private pension scheme members; Black Basta were the perpetrators.

FY 2022 profits were £61Mn, but in 2023 this had swung to a loss of £107Mn, nearly twice analyst expectations, off the back of a drop in revenue from £3Bn to £2.8Bn.

Of the £107Mn loss, approximately one-quarter was attributable to recovering from this cyber breach.

Consequently the share price has tanked from £35.62 as at 17th March 2023 to £13.42 as at 14th March 2024, a 62% reduction; market cap now stands at a meagre £227Mn.

And the impact is felt beyond one year’s drop in revenue. According to its annual report, Capita’s net promoter score, a customer experience metric, dropped to +16 from +26 as a result of the cyber incident, which particularly impacted its pensions administration business; affected scheme members are pursuing compensation through a class action against Capita.

Implications for insurers: If it is proven that the Board of Management was negligent in not anticipating and implementing robust cyber risk management, and plaintiffs win significant damages, then shareholders might also bring their own actions against the Board on top of those awarded damages, thus impacting the Directors and Officers insurance policy twice (if there is one).

Additionally, such an outcome would lay bare the Board of Management’s attitude to risk, which might in turn be interpreted as a poor moral hazard, making it more difficult for Capita to place future insurances and/or leading to increased pricing.

And whilst we don’t know the specifics of Capita’s cyber risk management, perhaps all or part of this cyber event and the ensuing financial loss could have been avoided through better, more robust cyber risk assessment and quantification from Axio. Insurers, in turn, could have saved themselves from having to pay losses on both the cyber policy and the D&O policy.

How attractive is Capita now, both as an investment and as an insurable risk?

Southern Water, UK Utility: hackers stole personal data of hundreds of thousands of customers

On the 17th February Southern Water, a major UK water company, suffered a major data breach, also leading to the exfiltration of consumer data including National Insurance numbers, dates of birth and bank details.

Southern Water is majority owned by the Australian infrastructure fund Macquarie Financial Services and has been the subject of terrible press over the years, including directly pumping raw sewage into freshwater courses and the sea, resulting in regulatory fines and having to repay customers £123Mn; somewhat ironically, in 2019 it announced the move of its customer service staff to Capita!

In a letter to affected customers they state ‘we take data protection and information security very seriously’; but one would reasonably question ‘how seriously?’ Again, we don’t know the specifics of Southern Water’s cyber risk management, but I am sure this too could have been mitigated or avoided if they really do take data protection seriously; using Axio360 they could have assessed, quantified and mitigated their loss expectancy. What a shame their management team didn’t have the foresight to save shareholders millions of pounds!

Class action lawsuits are already underway. Once again, a cyber breach leads to a multi-million pound claim which will be paid either by the company’s Directors and Officers policy or directly out of earnings; either way there is a cost to investors in the form of reduced yields. These investors are typically pension funds and asset managers managing investments on behalf of the public; is this acceptable?

Implications for insurers: Again, we could see a claim under the D&O policy, which could possibly have been avoided had the insurers better understood Southern Water’s cyber risk resilience. At Axio we help both clients and insurers improve cyber risk resilience and quantification, and improve profitability through better preparedness and resiliency.

It doesn’t have to be this way. With falling rates in the D&O market reducing margin and profitability, when insurers realise they could underwrite more profitably by partnering with Axio, we’re here ready to support them.