Strengthening financial institutions against cyber risk

Smaller firms are more inclined to lean on silent cyber cover

By Walid Youssef

This article was provided by Walid Youssef, managing director - head of financial institutions for Travelers Europe.

Big banks have been buying cyber policies for many years, but many small- to medium-size financial institutions are still holding out on buying dedicated cyber insurance, which can often leave them exposed. This contrasts with what we are seeing in professional services such as law firms or engineering companies.

Smaller firms often assume they are sufficiently protected by “silent cyber” – the potential cyber protections contained within a traditional insurance policy. These policies are designed to cover non-cyber aspects of a business, but might still be relied on to pay a cyber claim. For example, a professional indemnity or civil liability policy might help cover cyber claims, but it leaves less money in the pot for what that cover is actually meant to protect.

When traditional insurance is used to cover a cyber breach, it also often leaves gaps. A liability policy could cover a claim for a liability resulting from a privacy breach, but it may not cover the costs of notifying individuals as required by GDPR, or the IT forensic work needed to determine the extent of the breach. These post-breach services, which are central to stand-alone cyber policies, are critical to getting a business back on track after a breach. The minutes and hours after a breach are often where cyber policies prove their worth.

The UK Government’s 2022 cyber security incentives and regulation report confirms that businesses are not going far enough to protect themselves from a breach or attack – and the consequences are damaging. It was found that among the 39% of businesses and 26% of charities that identify breaches or attacks, one in five lost money, data or other assets. A cyber prevention framework that includes stand-alone cyber insurance can help a business contain those losses and eliminate gaps in cover. And this is increasingly important as cyber risks evolve and financial institutions become more interconnected.

As part of a regulated industry, financial institutions generally have had better cyber controls than businesses in other sectors, and for a longer period of time. While some financial institutions have experienced breaches, ransomware claims have hit other industries harder. And, when the industry as a whole has yet to experience significant claims, it can be challenging to prove the value of standalone cyber insurance.

Changing risks

The risks are changing. Ransomware is no longer about stealing information. It’s about preventing access to the insured’s critical systems, threatening to publish confidential information, and demanding multiple ransom payments in the process.

As cyber threats evolve, so will insurance protection. Lloyd’s has previously voiced concerns that silent cyber poses unexpected risks to insurers’ portfolios, which will require insurers to take more active steps to reduce ambiguities. Protecting financial institutions from these threats is a fundamental concern we’ve had for a long time. And by working together with our broking partners, we can help reduce these threats and risks for our clients.
