Cyber insurance: is your provider really providing?

Cyber insurance: is your provider really providing? | Insurance Business

Cyber insurance: is your provider really providing?
You’ve got a great IT department. You’re investing in employee education and training. And you always make sure you’ve got the latest versions of all the best software. You even have a cyber risk governance group in place. Your cyber insurance policy is your last line of defence. If that’s the case, you may not be asking enough of your cyber insurer.

The cyber insurance market isn’t exactly new. It’s been around for over 25 years, and despite seeing huge growth in recent years, it’s still considered to be in its infancy. It still has a huge take-up problem. Out of all Fortune 500 companies, 60% are uninsured for cyber incidents, according to a recent KPMG study. That’s a striking number considering the catastrophic potential, but it doesn’t mean that companies are underestimating the risk of cyber incidents.

CEOs repeatedly cited cyber risk as the top threat to their companies, yet KPMG found that 72% of chief executives don’t feel prepared for cyber attacks. The lack of take up is not for lack of demand. Rather, companies forgo purchasing cyber insurance because the available coverage doesn’t meet their needs: insurers just haven’t been providing what risk managers need.

Risk managers often find that the amount of available coverage is limited and insufficient. Today, very few policies provide compensation for some of the large-scale cyber incidents like loss of intellectual property or large privacy breaches. The OECD recently explored some of the challenges hindering the availability and affordability of policies in today’s market and found that despite the suspected high number of cyber incidents historically, quantitative information on scope and frequency of events is limited. This shortcoming means that underwriters lack confidence. The OECD says that information-sharing by victims of cyber-attacks could help data collection and provide more confidence in the underwriting of coverage, nevertheless realising companies are often wary to disclose breaches and attacks out of fear for reputational damage.

At the end of the day, risk managers can’t rely on cyber insurance to protect them. “[Cyber risk] has got to be predominantly self-managed,” says Paul Goulding, head of insurance at Heathrow Airport. “If something genuinely catastrophic happens, then cyber insurance is there to help you through that, but it certainly isn’t an alternative to good risk management.”

Insurers are, however, listening and responding. An Aon Inpoint report highlights insurers like AIG and Beazley who are beginning to offer access to partners who specialize in services ranging from legal and forensic to response and public relations. While the industry works on creating better models, it’s finding new ways to adapt and offer broader solutions for cyber that risk managers can rely on. Indeed, the recent KPMG report concluded the cyber insurance industry is finally adapting by offering a broader range of solutions for risk managers. Insurers are beginning to provide services to help clients understand risks, prevent incidents, and respond to events when they occur.

Risk managers are already seeing some of the recent developments in the way that the insurers approach cyber risk. “They are working hard to make programs that are tailor-made and adaptable to your own company,” says Jo Willaert, president of the Federation of European Risk Management Associations (FERMA). Risk managers are increasingly demanding that their insurance coverages include advisory and technical services in addition to post event monetary protection. “If you have a major attack, insurance can give you money, but the most important thing that companies need in that moment is advice and support,” says Willaert.

Until better data enables more accurate modelling and market maturation, risk managers are entitled to demand more from their cyber policies. Insurers are listening.

Related stories:
Cyber risk governance groups: if you haven’t got one, you need one