This article was produced in partnership with CFC
Mia Wallace, of Insurance Business, sat down with Jim Dixon (pictured above), senior cyber underwriter, UK, at CFC, and Andrew Marvin (pictured below), chair of Gallagher’s cyber strategy group, to discuss where the cyber insurance market in the UK currently stands.
As the proverb goes, the best time to plant a tree is 20 years ago and the second best time is now. So those insurance businesses which planted the foundations of a strong cyber insurance proposition some decades ago are now seeing those roots take hold and flower as cyber risk takes its place at the top of the agenda for C-suite executives across every region and industry.
Discussing the current lay of the cyber insurance land and the changing tide of public opinion on cyber insurance solutions, Andrew Marvin, chair of Gallagher’s cyber strategy group and Jim Dixon, senior cyber underwriter, UK, at CFC highlighted what they are seeing in the market. From discussions with insureds, Marvin said, the biggest risk they are seeing is the ransom piece, largely because it represents such a broad threat to their businesses.
“That could be business impact caused by encryption, or the exfiltration of data and that data being used for blackmail, or poor PR,” he said. “Or it could be from a manufacturing point of view, with even some smaller manufacturers are starting to see this – that they can’t manufacture because their kit might be controlled by computers, or they can manufacture but they don’t know the logistics of where that’s going, who needs it etc.”
An essential element of Marvin’s role is to work actively with insurers and insureds alike to promote education and knowledge around cyber risk. He highlighted the changing attitude of businesses towards cyber risk. Going back just a few years, he said, most businesses of any size didn’t really understand this risk or their own exposures to the peril but certainly, in the last two years, C-suite executives, in particular, have gained significant insight into the operational impacts of cyber risk.
This is in large part due to the attention paid to cyber incidents by the mainstream press, with every week seemingly bringing new news of a major cyber attack. And it’s conflating down to smaller businesses, he said, which is reflected in the questions now being asked of brokers regarding cyber risk.
“That real increase in awareness of the exposure they’re facing, particularly on the larger end of things, translates nicely across to us as the insurance providers,” Dixon said. “Because it gives us a lot of headroom and the opportunity to field the concerns these businesses have by giving them the protection they need.”
As to how CFC is seeing the concerns voiced by businesses translate into notifications and claims, he highlighted that the team is seeing that threat actors are still focused on making money as quickly and easily as possible – with fund transfer fraud and ransomware key areas of focus. But while the end goal is always the same, he said, what is constantly changing is the tactics and procedures that threat actors are using to initiate those attacks.
“That is being reflected in the claims and notifications that we see, which is why we try to focus on staying ahead of them to actually try and reduce the claims and notifications coming through,” he said. “We can look at our claims data and how it changes. And by spotting these trends and specific tactics and procedures, we can use that intel to predict their behaviour on other businesses, and then get ahead of them to actually work with our insureds to reduce those notifications coming through in the first place.”
Looking across the UK market, Marvin noted the increasing penetration rates in existing cyber books, which, within Gallagher, he credits to the broker’s recognition of and investment in knowledge-sharing and education around cyber risk. Creating a holistic overview of a client's risk profile is vital, he said, and with this in mind, Gallagher has fully brought into this concept of proactive cyber solutions aimed at reducing losses.
“When we talk to our clients, yes it’s about them reducing their risk but it’s also about us helping them reduce their risk,” he said. “We have a 16-strong risk management team who do nothing but help their clients reduce their cyber exposure - whether that be understanding the risk with something like a full penetration test, or bespoke staff training… And staff training and education will become in the future, and to be fair it’s the case now too, de rigueur.”
While getting stronger, Marvin said, there is no doubt that the insurance industry needs to do a better job of educating and informing clients – particularly when it comes to acronym-heavy risk controls and intel. In an effort to combat this, both CFC and Gallagher have produced glossaries of terms to support insureds and prospects in navigating the market.
Looking at the uptake of cyber insurance across the UK, Dixon noted that, particularly among SMEs, there does remain a real gap in the understanding of the exposure that they face, and he reinforced Marvin’s call for increased education around cyber. For while news of high-profile breach incidents may propel larger corporates into action, he said, it can lead to a false sense of security among smaller businesses which do not view themselves as a viable target.
“At the smaller end of the market, SME clients throughout the UK don’t really appreciate their exposure,” he said. “Then you couple that with the fact that most businesses don’t really realise what a cyber policy actually offers and what’s actually available. And there’s such a variety out there, from a very basic cyber insurance policy to what we provide which is an all-singing, all-dancing proactive service that offers real value throughout the whole life of a policy.
“But it’s not just about educating the end client, for us as the insurance provider we know we need to work closer with our brokers to help educate them. Obviously, Gallagher has hit this hard and they’ve deep-rooted expertise and ability, and specialist teams. But if you look at the regional UK market, our job as insurance providers is to help educate those brokers so they can have easier conversations with their clients. So, it is about education – but educating both end insureds and the brokers. And that’s where we’re stepping up.”
The role of the broker is to move with their clients, Marvin said, and to be risk advisors first and foremost, and cyber is a risk that is not going anywhere. Threat actors are not going to just close up shop, and so it’s up to insurance and risk management teams to look after policyholders and provide them with the best coverage and the best risk mitigation solutions.
What’s critical for brokers to understand, he said, is that their responsibility is not going unrecognised by insureds. He highlighted a recent example, wherein a manufacturing business reached out to discuss a coverage concern after their cyber proposal form resulted in their premium jumping from £3,000 to £10,000 – with an exclusion for ransomware.
“No-one had really read the forms and the broker didn’t really understand the forms,” he said. “And with ransomware cover wiped out in this market, it would be the most expensive piece of paper they’d ever bought. As a result, the business had no cover and didn’t understand what they needed to do to get cover, because they and their broker didn’t understand the market.”
Brokers need to register how the market has changed and that it’s constantly moving, he said. And that means actively partaking in any education and development opportunities that will boost their understanding of where it’s going next.
There’s a real wealth of opportunity for brokers to get ahead of the cyber risk piece and provide a true value-add service for their clients around cyber, Dixon said, and looking across the market he is positive about the future of cyber insurance in the UK.
“When you see the number of inquiries that we're getting for new business, when we talk to our broker partners and see the number of them that are really waking up to this huge opportunity in the UK market – it all looks very promising,” he said. “There’s also the signs of pricing stabilisation and with that comes new entrants in the market. And the more people we’ve got in the market, talking about cyber as a line of business and the threats companies face, the better. So, I think it's a very exciting place to be right now.”
Jim Dixon serves as senior cyber underwriter, UK, at CFC while Andrew Marvin is chair of Gallagher’s cyber strategy group.