The president of the European Central Bank (ECB), Christine Lagarde, warned earlier this year that a coordinated cyberattack on a major financial institution could cause a “liquidity crisis”. With that in mind, it’s no surprise that financial institutions have been the earliest and most willing adopters of cyber insurance. They tend to be sophisticated buyers of insurance, and are subject to stringent industry regulations and standards, which carry harsh penalties and consequences if they’re not met.
Another early adopter of cyber insurance was the technology industry, particularly large companies that process and host a lot of data for third parties. Again, this is partly due to the data privacy regulations that have been introduced or are in development around the world. One example is the European General Data Protection Regulation (GDPR) Act, which introduced some new multi-jurisdictional obligations and requirements for data processes, causing many technology companies to completely re-write their data privacy programs – cyber insurance being a key element of that program - or race to create programs if they didn’t have one to start off with.
After financial institutions and technology companies came a variety of industries that share a commonality in that they process and store a vast amount of PII (personally identifiable information), PHI (protected health information) and PCI (payment card industry) data. These companies are very concerned with the privacy exposure that they hold, explained Mauro Signorelli, head of international cyber at Aspen Insurance.
“In the last 18 months or so, we’ve seen more and more industrial and manufacturing risks come into the market,” said Signorelli. “I think it’s partly to do with the fact that we’re seeing a broad expansion in coverage on business interruption in the supply chain, and therefore cyber has become the place to go to get insurance for that network interruption exposure. Also, we see in the press a massive uptick in terms of ransomware attacking industrial control systems and manufacturing companies, and we see how disruptive the prolonged effects of these kind of events can be. So, anything that has to do with manufacturing, industrial plants, power and utility, but also transport and logistics tend to be the new category of buyers of cyber insurance.”
Another element driving more companies and more industries towards the standalone cyber insurance market is the wider commercial insurance market’s efforts to address silent cyber exposure. In a movement spearheaded by Lloyd’s of London, insurers today are under pressure to either affirmatively include cyber risk or exclude it on traditional non-cyber policies. As Signorelli pointed out, historically, some professional services firms relied upon their E&O policy to cover some of their cyber exposure, but now they’re facing the reality that cyber has been excluded under their E&O policy, so they’re looking for somewhere to place a tailor-made solution for their cyber risks. And that’s not just the case for professional services firms; it will impact all industries.
“I think another element that we’re seeing more and more is that cyber is becoming a contractual requirement in many jurisdictions and in many industries,” Signorelli added. “Also, given the increase in litigation activity from a class action and security class action standpoint around how companies are handling data breaches, boards are becoming much more responsible and aware of the consequences to the organisation of privacy and cyber-related exposure. So, we’re definitely seeing boards integrating cyber insurance as part of their risk management programs.”