“A lot of clients can be deterred when they come to the market. They think ‘am I ready?’ Look, we’re not going to judge”.
When looking for cyber security insurance, the best thing is effectively to design your own policy, say experts.
Looking for cyber security insurance is daunting. Where to go, what to ask for when you get there and whether the firm will even pay out if you need them to are all looming questions that get heavier the longer they are left unanswered.
According to a report by Lloyd’s of London released in January 2019, the cost to businesses and insurers of one major global ransomware attack could hit $193 billion, with 86 per cent of that uninsured. That figure is scarier than looming questions.
With high-profile lawsuits about contested insurance policies hitting headlines, many businesses are still cautious about whether cyber-specific insurance is worth the paper it’s written on; experts say it categorically is.
The Notion Cyber Insurance Doesn’t Pay Out is a “Myth”
“According to the ABI (Association of British Insurers) 90 percent of cyber claims made in 2019 were paid” explains Catherine Aleppo, the cyber client director at the insurance firm Aston Lark.
She told Computer Business Review: “The notion that cyber insurance is not paid is an absolute myth. [And] unless you know what you’re looking for with this sort of risk, you should seek advice from a broker to talk about your exposure.
“Fire walls, educating employees, two-step authentications [are all important, but… ] Ultimately it’s the employee on the Friday afternoon who clicks the link to the ransomware. It’s honestly belts and braces”.
One of the best ways to get a cyber insurance policy that fits your business is to start by assessing your own security and presenting that information to an insurer.
Rob Smart, the technical director at insurance consultancy Mactavish, emphasised the importance of tailoring policies: “Corporate insurance is always complex. They tend to go one size fits all, which doesn’t work in cyber.
“It really is up to clients to prepare for this by bringing in their own risk profile, for example. As a company, you must [also] be more demanding to make sure that the protection you have will provide for your needs”.
Look Out for Exclusions
That’s not to say there aren’t policy exclusions that shouldn’t looked out for. Will Wright, a Partner in the Cyber Risk practice at Paragon Brokers, highlighted some in this recent Q&A: “A cyber product may have social engineering coverage grant for funds transferred erroneously to a third party, but also reference a theft of funds exclusion.
“If the funds were stolen (not transferred, even if duped by criminal or illicit behavior), then here is the first battle line: this is deemed a crime loss, and therefore excluded so as to be covered by the crime market. War is pretty clear-cut – there is a specialist war market – and any other markets are usually prevented from insuring war risks, either by their own mandate, by that of their reinsurers, or by their regulator (Lloyd’s of London for example, but only for those syndicates it governs).
He added: “Terrorism is where most discussion should be focused, because in a desire to cover a cyber peril otherwise not always covered by the terrorism market, cyber policies have started to offer coverage for cyber-terrorism… [all in all though] stand-alone cyber insurance is vital, if for no other reason that the coverage is fit-for-purpose and broader, and the critical incident response services provided will be by specialists who handle these events on a daily basis.”
“Insurance has a bad record in cyber because it sells a relatively commoditised product” Smart continued meanwhile. “Customers can moan that it’s difficult, but it must be demand-led”.
Knowledge of what the firm needs will deliver the necessary edge to pull an entity back from disaster. “Don’t buy the bits you don’t need is easier said than done, but nonetheless explaining what your actual exposure is will inevitably make that more cost effective” continued Smart.
“Consider; is my exposure first party or third party i.e is it my own staff who could potentially do something wrong, or is it outside threat actors?”.
You Have a Risk Profile, Now What to do With it
Once a company is aware of its level of cyber hygiene, the plunge can be taken to (for many) uncharted territory as the firm finds the right policy.
Michael Shen, the head of cyber and technology at the insurance provider Canopius, spoke to Computer Business Review about the underwriters’ perspective on creating policies for cyber: “Cyber security insurance is still a relatively new class compared to other insurance classes. The product is probably twenty years old now, and we do have a certain amount of data back from 2013.
He added: “The actuarial models that we are using are built using data purchased from third parties, building in historic events. You can’t underwrite cyber policies using data alone however, you need underwriters immersing themselves in research”.
First party losses cover funds supplied to restore damaged, corrupted or lost data, or lost income following a cyber-attack. An example of third party losses would the costs to settle a privacy lawsuit, or to settle a law suit citing the failure of network security practices in creating a loss to a customer or client.
“In terms of the response solution” Shen continued, “we have an incident response provider who is a globally accessible third party. We don’t want to loose an agreement. We have to maintain certain standards. They will be buying access to a club effectively, and a club that has worked on thousands of incidents”.
An Outline of the Process
He added: ““The bigger the company, the more expansive a risk profile we’ll be provided with. We’ll get access to their Chief Information Security Officer (CISO) and we’ll be able to meet with personnel to identify with controls they have in force”.
The insurance company will then need all of the information on their customer’s assets; what protection they are using, how the company functions together to mitigate risk and how it identifies up and coming risk.
Modelling a customer’s cyber-risk and exposure is ideally managed through a client/broker evaluation. Whether this is achieved by carrying out a risk-register review with a client, or by the more up-to-date introduction to some of the technological capabilities available these days, it is plausible to establish a client’s risk profile and potential financial loss with reasonable accuracy.
As long the coverage is available under their chosen policies, the client’s broker’s priority should be to help them to understand where exactly they will need coverage with regard to their insurance portfolio, as well as making sure that their respective policies respond in the correct and most financially beneficial order.
The ABI estimates that a standard cyber security insurance policy can cover costs for anything from £100,000 to £5 million, although significantly higher amounts of cover are available for firms with more complex cyber risks.
Is your company ready to look for Cyber Security Insurance?
Shen assuages worries when it comes to putting off buying insurance:
“A lot of clients can be deterred when they come to the market. They think ‘am I ready?’ Do I have enough to obtain insurance?’ Look, we’re not going to judge”.
The cyber technician emphasises the fact that research needs to be conducted by humans to make successful policies, and that you have provided training.
“Bad actors will always take the path of least resistance” he reiterated.
Essentially the cyber security insurance landscape is constantly changing. Both underwriters and potential customers need to work towards a common goal of creating that policy that works for them.
Underwriters have their work cut out, having to constantly factor in the potential impact of every new attack as they evolve in complexity and sophistication.
But, as Michael Shen quipped before I put the phone down:
“For us, this is just the typical day in the life of a cyber insurer”.