Why it’s time to go cyber

There aren't many types of insurance that carry quite the same hype as cyber insurance. If you believe the promotion then the product is on a rapid ascension – one that could even place it among a ‘big three’, along with car insurance and home insurance.

“There will come a time when it becomes a standard part of insurance,” says Neill Johnstone, managing director at Lorega. “It will become something that people automatically select as part of their
protection. The average profi le for cyber criminals is their early 20s and they are committing tens of thousands of crimes from their beds – they don’t even need to go out and burgle anyone these days. I can’t see cyber criminals having less activity so the need for insurance will only grow.”

Where there is growth, of course, there is opportunity – brokers are in a terrifi c position to capitalise on a rapidly developing market, as long as they are well prepared.

The sales pitch
According to a UK government survey in 2014, 81% of large corporations and 60% of small businesses su ered a cyber breach. The average cost for large businesses ranged from £600,000 to £1.15m, while for SMEs the average cost stood at £65,000 to £115,000. Despite these fi gures, research from Aon Risk Solutions in August 2016 found that while 31% of SME decisionmakers considered developing an online presence a key opportunity in the year ahead, just 7% had cyber insurance.

Clearly, the message about the importance of cyber insurance is yet to get across – so how can brokers change this? “It’s all about finding the relevant exposure points for each industry,” says James Burns, cyber product leader at CFC Underwriting.

“Manufacturers, for example, have a huge potential system business interruption exposure, while retailers are exposed to breaches of payment-card data. Businesses of all sizes are increasingly the victim of electronic funds transfer fraud – something hitting SMEs particularly hard. All of these risks can be insured against with a cyber policy, but di erent businesses will be purchasing policies for di erent reasons. We need to make businesses aware of their specifi c cyber risks and provide them with an insurance solution accordingly.”

Adrian Scott, the head of cyber liability at Pen Underwriting, says: “Brokers should identify appropriate products and insurance providers that o er simplicity and ease of access, while also providing brokers with the necessary support and education. “Cyber is a specialised area that not everyone will be comfortable with, so being able to access supporting resources is crucial. Brokers can then provide a clear outline of coverage, exclusions and terms to address each client’s specifi c cyber risk.”

Beazley’s UK and international breach response manager, Sandra Cole, adds that “brokers also need to attend meetings armed with statistics and real-life case scenarios in order to demonstrate how risk transfer and specialist help from an experienced insurer can make all the di erence to a company following a breach”.

The risks
There is a fear among some brokers, however, about potential mis-selling. Many have claimed to lack confidence about selling such a new product, while there also appears to be confusion about the type of claims that are made. In the US, where the insurance policies are already well established, cyber claims are generally driven by data breaches, whereas in the UK, different threats are often just as prevalent, including network interruption, extortion and system failure. However, Cole believes the risks of taking the wrong approach can be averted by using specif ic knowledge of your clients’ businesses.

“This is a new area and, as such, brokers need to ensure that they understand their clients’ businesses – not only how much data they hold but where they hold it and what arrangements they have with thirdparty vendors,” she says. “Given the complex nature of global regulation that can apply to data breaches, brokers need to understand whether their clients have global exposure. They need to understand the policies that are available, including any exclusions that may be of particular significance to their client.”

Scott, meanwhile, believes that brokers shouldn’t be afraid of leaning on insurers for help – making it vital to choose the right providers to work with. Brokers should look for those who not only fully understand the evolving nature of cyber risks but also want to both support and empower their distribution to provide effective client protection.

“Go for those with skilled, experienced underwriters that are keen to share their knowledge and educate brokers in being confident at outlining products for clients, while ensuring specialised technical support can be quickly and easily accessed and consulted,” he says.

Choosing the right policy
So how do you know that an insurer is providing the level of cover that your client needs? According to Scott one size does not fit all with cyber insurance – and it’s up to the broker to work with the buyer to understand what’s needed.

“Developing an understanding of where the buyer’s cyber risks lie, what the threat is that is posed, what could happen as a result of a breach, what their current cyber resilience looks like and what responses they could implement is a good starting point,” he says. “Each industry and, in turn, each company, will be exposed in different ways. Therefore priorities will vary in each and every case, and the most valuable aspects of a cyber policy will align with that understanding.”

Burns, however, believes there are certain policy aspects that are likely to apply to the bulk of SMEs. “I’d say that comprehensive cybercrime is a key aspect of cover that needs to be looked for these days. Funds-transfer fraud, phishing attacks, social engineering are all areas where we’re seeing a sharp uptick in claims and it’s a ecting businesses of all sizes, across all industry verticals and across multiple territories,” he says.

“It’s important that policies address both known and emerging threats, including cyber extortion and deliberate denial of service attacks,” Cole says. “Good policies will a ord coverage for business interruption losses – critical for consumerfacing businesses such as retailers and banks. Policies should also include access to panels of experienced service providers to give insureds the expert support they need in a time of crisis.”

Another dilemma facing brokers is whether to sell policies as an add-on or stand alone – with Burns stating there are many advantages to the latter. “Generally, the cover in stand-alone policies is broader and available limits tend to be higher. Lots of add-ons tend to be sublimited or at least sublimit certain key areas of coverage,” he says. “Perhaps more importantly, when a claim does arise, a stand-alone cyber policy means you have a specialist cyber insurer with experience in managing cyber incidents to support the client and manage the response. If the cover was purchased as an add-on, then you will likely have your cyber incident managed by an insurer with little to no cyber claims handling experience.”

While preparation is the key, and it’s vital to think specifi cally about your client’s needs, there is little doubt that cyber has become the emerging market for brokers and insurers alike. Cyber security, data protection and risk transfer are on the agenda of every organisation, from the boardroom down and, with the right preparation, brokers are in the position to become the first line of protection and reap the rewards.