When head of cyber and TMT, international financial lines, at AXA XL, James Tuplin moved into technology PI in 2006, it was a very niche class and there were only a small number of underwriters in London who wrote PI specifically for technology companies around the world.
At that time, he said, a lot of cyber covers were built and designed in technology PI cover as the underwriting between the two risks had strong similarities. Indeed looking at the current cyber market, Tuplin noted that a large proportion of the senior leaders within the sector today are ex-technology PI underwriters like himself.
When Tuplin joined AXA XL three years ago, the business did not have an international cyber practice, he said, and his role was to build this new division by implementing a new P&L, a new strategy, new guidelines, new ratings, new wordings, new claims handlings and a new team. The division is now well-established with operations in 15 countries, and Tuplin outlined how his global portfolio has given him a clear view of how the cyber insurance sector has developed internationally in recent years.
“You have to think of sector as a moving feast,” he said. “Every market across the world is in a slightly different stage when it comes to purchasing cyber and it’s a peculiar and particular mix between the law, claims and buying habits.”
There are several stages to the cyber insurance sector following the implementation of new laws, Tuplin said, and the first of these is what he refers to as the ‘let’s talk stage’, where the client has been hearing about cyber and wants to know what it does and what it covers. In this stage, the client receives an indicator for the price, he said, and generally comes back saying they are not interested at that time, if they come back at all.
A period later, often between 12 and 36 months, he said, the client will come back with a renewed understanding of the importance of the cover often due to a problem at their own or a peer’s organisation, or board pressure.
“That is three or four years after the law,” he said. “It takes a little bit of time for people to learn, for the brokers to learn, for the clients to learn, and then to find and get the sign off for the budget which can often be a difficult thing to do.”
The next step is the ‘first purchaser stage’, where those who are at high risk of exposure and with big enough budgets are buying the product. Finally, the ‘flush stage’ is reached, he said, where the market knows what cyber is and how it works and has a fundamental grasp on what is and is not covered. In this stage, he said, those who are at high and medium-risk are buying the product and the focus moves on to those with smaller risks or less understanding of the sector, who are either less worried about their exposure or who simply do not have the available budget.
America had the first data breach laws which really focused the mind back in 2004, Tuplin stated, and, as these laws are now 16 years old, they have proliferated and progressed, being amended and adapted over the years, thus giving this market a lot of time to consider the necessity of these products. The US has been through each of the stages outlined above and is now firmly in the flush stage, he said, with cyber insurance uptake estimated at being somewhere between 40% and 60%, depending on which report you read.
GDPR came into Europe in 2018, Tuplin added, and up until then, it was very hard to sell cyber insurance in this market. It was a misnomer that there were no claims in Europe prior to the introduction of GDPR, he said, but these claims were not publicised and did not have the same level of impact on operations as they do now in the climate of instant delivery.
“We’ve come a long way when even just two or three years ago I would walk around Europe and people would say ‘I don’t have exposure to this, I don’t need cyber insurance’,” he said. “For most of us, if you weren’t US-focused you were a tech PI underwriter who also did cyber. Then NotPetya and WannaCry happened as well as other claims. And then in 2018, GDPR turned up and Europe took notice.”
Most of western Europe is now in the first purchaser stage, he said, though it is not a flush market by any means. In the UK, France and Germany, however, the move to the next stage has started, he said, with medium-sized accounts now increasing uptake but this growth has been significantly slower in eastern Europe. In Australia, the market is similar to western Europe and is very viable, he said, operating firmly in the first purchaser stage while in Asia-Pacific it is very much still in the initial stage, though change is slowly taking root.
The LATAM region is somewhere between the talking and the first purchaser stage as pushed by American law, Tuplin said, and he outlined the ability of all markets to change very quickly once the right laws are implemented which highlight the value of the product. All this growth occurs on a tiering, he said, and the US is the only market really in the flush stage while everywhere else is very much still growing.
Though global uptake of the product is still low, Tuplin fully expects it to reach 50% to 60% in the jurisdictions where laws have been instigated, due to the strict liabilities which come with these regulations. The mandatory nature of these laws is similar to GL and property, he said, and he believes that everybody will start treating cyber in a similar way to those lines.
Though the market is still small-to-medium-sized, Tuplin said, it is going to become very large as, eventually, businesses will not be able to operate without having their IT covered in a global environment where your systems are everybody’s business.