In a recent interview with Insurance Business, international and UK cyber team leader at CFC Underwriting, Lindsey Nelson (pictured), stated that educating brokers and policyholders is the number one focus for CFC when it comes to increasing the market penetration of cyber. At a recent CFC Cyber Workshop focused on giving brokers the key information they need to understand this complex sector, Nelson detailed the area of reputational repercussions which, she said, is a subject that receives less attention than ransomware events.
There is still substantial variance in the market in terms of who is offering this cover, whether it is supplemented and what is actually covered under these policies, she said, and there is still a lot of confusion around what reputational harm actually means.
“Most people associate it with the PR and media costs following a cyber event,” she said, “and the cost of going out there and notifying and apologising to the public, and dealing with the crisis communication process that’s available to you in most insurance policies.”
What reputational harm actually means, however, Nelson detailed, is when, in the case of a cyber event, customers no longer trust you with their data and decide to go elsewhere. There is no requirement for system downtime with reputational harm, she outlined, it is instead the separate loss of income due to customers choosing to use an alternative business following a data breach.
“In terms of claims, it is a very rapidly changing landscape and it is not specific to any territory as with most first-party losses on cyber,” she said. “What does change between countries is the severity of fines and penalties, but even then there has yet to be any meaningful activity.”
High-profile cyber events have received significant attention in the media, she said, outlining how in the case of Target, which had 40 million of its customers’ credit and debit cards compromised due to an accidental error from a subcontractor, significant revenue was lost in the subsequent months following that event.
The cyberattack at TalkTalk, the UK broadband provider, in 2015 was another publicised example of reputational harm following a cyber event, Nelson said, and this cover is all the more relevant today due to the continual occurrence of data breach headlines. Though such examples receive a great deal of attention, she said, reputational harm has the capacity to impact businesses of any size.
“In terms of ransomware events, business interruption and reputational harm,” she said, “that’s something that affects clients of all sizes and all countries, so the exposure is very similar.”
Nelson outlined an example of an SME client of CFC who was the target of a malicious actor who hacked into the business’s systems and stole the credit and debit card information of their customers. After a forensic examination was carried out by the CFC team, she said, it was discovered that a database containing 90,000 customer card details was stolen and, due to legal regulations, it was necessary to inform these customers of this breach.
“90,000 customers were told by the company that… their information had been compromised,” she said. “And, immediately after that, the business started noticing a drop off in their income and their revenues, and particularly in the amount of people that were reordering the product.”
She detailed the process through which CFC was able to calculate how much the client had lost over the course of the 12-month reputational harm period offered as standard by the insurer, and how this example clearly identified the risk that businesses of all sizes are exposed to when it comes to reputation harm.
For brokers looking at this sector of the cyber market, she said, it is essential to have an understanding of the different types of companies which require the cover. The biggest exposure, seen by CFC, is with professional service firms as they tend to work on a contract basis, she said, and their customers can easily look for a replacement in the event of a cyber incident.
Other significant exposures are within regulated entities such as financial institutions where there may be a requirement to cease dealing with a supplier who has had a breach, she said. Customer concentration is also a key consideration when it comes to exposure, she said, and brokers should be talking to clients with a high dependency on a small number of customers, the retention of which will make or break their business.
“Coverage varies quite a bit in the market,” she said, “and not all cyber insurers cover it. I’ve seen a couple of people cover what they call reputational harm when it is, in fact, the PR and media costs that they are covering, or they will cover only if there is a requirement for system downtime, which is linked to business interruption instead.”
Making sure that there is a suitable reputational harm period is also always important, Nelson said, highlighting the example of a CFC client who was hit by a second cyber event shortly after the first. Going into the office and seeing the 400 employees who would have lost their jobs if the company had not had reputational harm covered in its cyber policy really emphasised the value of this coverage, she said, especially considering this company would never have thought this needed to be addressed within its policy.