The cyber insurance market and the need for clarity
While the cyber insurance (and reinsurance) market continues to develop, both insurers and insureds face uncertainty in writing and buying cyber risk products. There is an acute need for clarity and knowledge in the market which, unfortunately, may only come at a slow pace and with some degree of trial and error. However, most businesses and insurers will know the risks of cyber attacks are undeniably present and the costs to businesses can potentially be extremely high.
One of the most recent high-profile cyber attacks saw several of Sony Pictures' unreleased movies being leaked along with sensitive company information and emails (some of which contained deeply embarrassing exchanges between Sony executives and have since been widely reported in the press). Sony is no stranger to the threat of cyber attack – it has previously faced its PlayStation Network being hacked, leading to the personal details of millions of accounts being stolen. Cyber attacks can be a commonplace issue for some organisations. The Bank of England said last year that it faces, on average, around eight incidents per week and, more recently, it was asked by Andrew Tyrie, the chairman of the Treasury committee, to provide assurance that it was capable of repelling cyber attackers.
The Department for Business Innovation & Skills reported in April 2014 that 81% of large organisations and 60% of small businesses suffered a security breach in 2013, with increases in severity and average costs for the worst breaches rising significantly. The average costs for small businesses were between £65,000 and £115,000, while for large businesses the range was between £600,000 and £1.15 million.
Despite these risks, many SMEs (and even some larger organisations) will only work towards improving their cyber security and mitigating their risk of cyber breaches if there is a pressing commercial imperative to do so. When looking at a cyber insurance product, businesses will ask "is it worth it?", "how much will it cost?", and "by when do I need to do it?". These questions are impossible to answer by simply looking at a policy. Purchasing cyber insurance should form a part of a comprehensive cyber security plan including an assessment of the risks the business faces and understanding and implementing safeguards to mitigate those risks. Although putting in place a cyber security plan may, in itself, be difficult, it is a sensible first step to understanding whether purchasing cyber insurance is worth it and what limits of cover are acceptable.
For insurers, the difficulty lies in fully understanding the risks and costs which they are underwriting. While several insurers, including the likes of ACE, Barbican, Brit, Aegis and Novae, are already establishing themselves in the market with dedicated cyber policies, the market itself is still developing and the types of risks (and, consequently, the types of policies) are varied. Insurers face difficulties in accurately evaluating cyber risk and, with a lack of loss data available, accurately deciding the appropriate limits for the risks.
Selling cyber products to businesses
Demand for cyber products has not yet seen a boom, and price and lack of knowledge can be significant barriers to businesses appreciating the need for cyber coverage.
Businesses may find it difficult to understand why they should pay relatively high premiums for cyber cover when they may be paying a significantly lower premium for more established policies such as D&O or property damage coverage up to the same limits.
Given the current nature of the market, there can be stark differences between various policies and the coverage they offer. Compounded by the fact that different businesses will face different risks, it is not possible for a business to make a sensible comparison between policies based on price alone. It is extremely important for the business to review the policy wording carefully and consider whether the policy is effective for its business model.
However, as knowledge in the market increases (particularly with the current trend of insurers hiring security experts while developing their products) and the market develops, businesses are likely to be more motivated to purchase cyber coverage.
A key selling point of policies may well not be the limits of coverage but, in fact, the additional benefits provided to businesses and how effectively an insurer deals with a cyber breach, including the network of breach response experts and services provided to the insured under the policy. A breach can require the involvement of various experts including lawyers, IT forensics experts, credit and data monitoring firms, specialist PR firms and communications / notifications firms. While many businesses will be familiar with working with their regular advisors such as lawyers, accountants or brokers, they may find the number of experts needed to respond to a cyber breach, the effort required to coordinate them, and the different work streams involved, to be daunting.
There is certainly more importance being given to cyber risks and an upward trend in both the number of insurers offering cyber products and the number of businesses seeking coverage. What remains to be seen is just how rapidly the trend grows and whether, in the near future, cyber coverage becomes as standard to business needs as D&O, property or public liability policies.