Cyber insurance is a rapidly developing sector of the insurance industry and the issue of educating both brokers and clients on exactly what cyber insurance policies entail has never been more essential. Senior claims underwriter at Hiscox, Tony Kriesel, spoke with Insurance Business at the 2019 NetDiligence Cyber Risk Summit in London to discuss information and misinformation in the cyber insurance sector.
Originally working in a US law firm, Kriesel first came to London on secondment and, after a year in the Lloyd’s market, he enjoyed being at the cutting edge of insurance enough that he decided to stay. In 2014, Kriesel joined Hiscox and, in 2015, he became the claims adjuster for Hiscox’s new cyber offering for Lloyd’s business.
Since its inception, this cyber offering has developed to become well-reputed within the Lloyd’s market and Kriesel outlined the importance of a strong team in creating this positioning.
“Unlike some other lines of business,” Kriesel said, “in cyber it’s really important to have an integrated team. That’s not just strong underwriting and wordings teams but also claims providing input, and helping to market and sell the claims offering to clients and brokers.”
Cyber is unique from the standpoint that a lot of clients are looking for a service offering, said Kriesel, and he outlined how, from the perspective of Hiscox, it is often claims that present this offering. Hiscox’s claims experience is helpful, he detailed, “as we can talk about various claims scenarios that we’ve seen and help convince clients why cyber insurance is important for their business.”
A central focus for Hiscox when it came to developing its initial cyber insurance offering, Kriesel said, was ensuring that its policy form was easy to understand by the public as, at the time, many cyber insurance policies were being built with lots of bolt-on coverage.
“We sought to draft a policy that was very simple, that had one insuring agreement and listed on the front page everything we insure in the event of a data breach or security failure,” he said.
The newest version of this policy was launched in May, Kriesel said, and though it included more areas of coverage, the focus was once more on maintaining simplicity, and it has received positive feedback from clients and brokers.
A central goal for Hiscox’s cyber offering, he said, is maintaining the client’s and broker’s relationship with the insurer through the lifecycle of the policy, by offering services with the policy and providing educational information.
“As part of the cyber insurance industry, it’s our job get out there and be sure we are educating people,” he said, “whether they are potential clients or brokers who aren’t as familiar with cyber policies. It’s important to emphasise the breadth of coverage and that cyber insurers are paying claims, both small and large.”
When it comes to educating brokers on cyber, Kriesel outlined how the London market has very sophisticated brokers who are very good at what they do. Where brokers tend to need more help, he said, is on the retail side abroad, with client-facing brokers who are less familiar with cyber needing help with respect to the cover itself and, beyond the coverage, how to educate the client in terms of the service offering provided.
An essential element of this education, according to Kriesel, is ensuring the client understands the importance of making a claim as early as possible in the process. Many cyber incidents, he stated, may not appear severe at first but are only showing the tip of the iceberg.
Hiscox enables this by establishing policy incentives for early notification, Kriesel said, with some policies offering a decrease in retention if the claim is notified within 48 hours of the first discovery of the incident.
If an incident occurs out of hours, Kriesel outlined, a lot of the time the client will worry about needing consent to engage with assigned vendors, so Hiscox clearly outlines in its policies that, in the event of a suspected incident, the client can utilise any vendor which has been assigned to them, or agreed upon previously, without first gaining Hiscox’s consent.
These service-led policies often provide not only claims assistance but also educational services on how to prevent a cyber incident. The offering has been received well, particularly by SMEs, said Kriesel, who, he noted, often do not have the resources or the time to invest in educating employees themselves or establishing a panel of vendors to help them in their moment of need.
Educating the public is particularly essential due to a misperception in the mainstream media regarding whether cyber insurers are paying claims, he outlined. Often in these reported cases, Kriesel said, the policy being discussed that has denied coverage for a cyber claim is not even a cyber policy so “we need to be out there, talking about how insurance does pay in this area and how important cyber insurance is for clients.”