Speaking to Insurance Business UK, Andrew Barratt, managing director of Europe at Coalfire, has warned that brokers need to work more closely with risk officers to sell better and more applicable cyber cover solutions to ensure the integrity of the very young industry.
Coalfire started in 2001 as a cyber risk management consultancy firm, providing compliance and cyber risk assessment in the US and, increasingly, in the UK and Europe. Over the last several years it has been working with underwriters in the Lloyd’s market on both cyber liability and attack policies, including Brit Insurance’s cyber-attack product.
Barratt said working with Coalfire means underwriters can manage their longer-term policies far better, and allows them to better understand and assess cyber risks.
Barratt said since the cyber insurance market is very young and constantly developing, there isn’t yet much consistency on what cyber insurance actually covers. This is leading to changes in the way businesses split their costs between cyber security and insurance.
“What we’re starting to see now is the CFO and chief risk officers are starting to say ‘look, we’re not negating this investment in security, but what we know is some of our security controls and management processes may take long periods of time to be implemented, or may not always have the immediate effect that we’re looking for, so we need a financial security layer as well’, and the insurance provides that,” said Barratt.
Naturally the cyber insurance industry is moving very quickly to keep pace with technology and the needs of business, although this pace is leading to a lack of consistency between products.
“One of the biggest issues I’ve seen working with a number in the market, there’s such a wide variety of products,” said Barratt. “Everything from ‘we’ll cover a minor loss of paper with some sensitive information on it’, which could be information security that would fall under cyber, right through to ‘have a billion in cover with a very formal risk assessment as part of the onboarding process’, and everything in between.
“The thing that gets really frustrating is you also have other traditional insurance products, like the standard all-risk policies, and then you have brokers who have perhaps conflicting incentives, who may be dealing with an assured and say ‘actually, this all-risk policy is probably the way to do this for you’, and then just throw everything into an all-risk policy because it’s a faster sales cycle.”
The challenge for brokers, according to Barratt, is finding the right coverage for businesses in a field that requires specific technical knowledge. With the variety in coverage offered by different policies, it’s a hard field for businesses to navigate.
Barratt said while brokers do an excellent job of communicating the risk events to clients, they need to be stronger with the technical details relating to a policy and understand exactly what a business needs to cover.
“Sometimes I do think some of the brokers just need a little more training, perhaps they just need to be given better scenarios in terms of the kind of threats that are real,” said Barratt.
“If the brokers were able to work closely with the risk officers and help them properly evaluate the risks that they had, the broker could then turn around and say ‘you give us your risk register, we’ll provide that to an underwriter and ask them just to cover your residual risk and give you a value for it’.”
Barratt also said some kind of standardisation needs to happen within the market, such as an evaluation of the technical measures that are undertaken by underwriters to ensure they are taking on an appropriate level of risk.
“I would like to see, in the same way you have in other financial regulations, things like treating customers fairly,” he said.
“Cyber is a very, very complex risk with an unbelievable amount of permutations. Unless underwriters are well advised they could very quickly take on board a large risk and they’ve not really evaluated it, and then, potentially, the losses could be catastrophic.”