"You can't defend against all cyberattacks"

"You can't defend against all cyberattacks" | Insurance Business Australia

Depending on the product line, the insurance market is harder in certain areas than others. Cyber, according to FTA Insurance managing director Christian Garling, is an “extremely” hard one.

“It’s a product very similar to management liability 10 years ago,” he explained, “where the insurance market was trying to come to terms with the value of the losses and then price their product accordingly.

“And that’s what we’re going through at the moment, with insurers trying to figure out how much the claims are going to cost them and then put the right price on it for the right types of business. So, cyber will remain a very hard market.”

Garling said there are opportunities for underwriting companies that can risk-select and charge appropriate premiums and give appropriate cover.

“Over the last few years, some people have not been able to do that,” he told Insurance Business. “But now most are figuring out how to do that, and therefore those companies are succeeding in the cyber market.”

On the other side of the insurance equation – the policyholders – there’s even more room for learning and figuring things out.

The FTA boss conceded: “Some clients don’t understand how important cyber insurance really is. We still see public companies that are not buying cyber insurance. We see large infrastructure clients that are not buying cyber insurance. They don’t see themselves as having a risk, or they are comfortable that their IT security is good enough to protect them.”

Both, in Garling’s view, are fallacies.

“Most larger companies are actually a target,” he stated. “In fact, many smaller companies are also a target. And, secondly, you can’t defend against all cyberattacks. Eventually, someone will get through somewhere. And that’s no reflection on the lack of your IT security – it’s just that you can’t defend against them forever.

“So, I think there are two fallacies there. And I think the third issue with it is they don’t understand the benefits that have been offered by cyber insurance – the incident response that they’re receiving, which means that someone is there straightaway to assist them to get through a cyber breach.”

Garling cited the cost implications to balance sheets as well, and the crucial role played by the business interruption part of a cyber policy when it comes to first-party losses, such as loss of profits or increased cost of working. He also highlighted the important role played by insurance brokers.

“We talk to our brokers a lot about it,” Garling told Insurance Business. “By helping increase our brokers’ awareness of the product and understanding of the product, we know that they will increase their clients’ awareness and understanding of the product.

“And, secondly, we do a lot of client meetings where we will talk to the client directly, in the presence of the broker, about the product and about the dangers that we are seeing.”

The managing director went on to stress how clients depend on their brokers for advice about risks to their business and ways to mitigate those risks via insurance.

He said: “The rising dangers posed by cyber are a very good example of why you should need insurance brokers, because those brokers can warn clients about it and can educate them about products in place to assist them with that and protect them. Whereas a client with no insurance broker might have no understanding of the increased risk that cyber presents.”

“And this is what we do by having a local presence in Queensland,” added Garling, whose Sydney-based business recently expanded into Brisbane. “We have someone there who can talk to our brokers about these products, about these risks, about underwriting appetite, and about what’s going on in the market.

“This is as opposed to larger companies that have underwriting hubs located away from their brokers, with a higher staff turnover - we’re investing in people on the ground who have relationships with our brokers and who can pass on expertise to them.”

The Australian Cyber Security Centre (ACSC), over the 2020-2021 financial year, received more than 67,500 cybercrime reports. According to the ACSC, government agencies at all levels, large organisations, critical infrastructure providers, SMEs, families, and individuals were all targeted during the period.