Now may be the time to review your cyber risk mitigation strategy and give serious consideration to whether the financial cost of cyber attacks could be transferred to insurers at a fair price.
Cyber security is amongst the leading risks for organisations around the globe. In the last few years most organisations have suffered cyber attacks of some sort and a series of notable breaches have received heavy media coverage and regulatory scrutiny. Breaches damage not only organisations but also their customers.
Governments have started to wake-up to the potential national security and economic impact of cyber attacks, and legislative change is afoot in a number of jurisdictions.
To date relatively few organisations (outside the US) have purchased standalone cyber insurance policies. That appears about to change.
What can be covered?
Cyber insurance is a broad banner that covers a number of risks, which broadly breakdown into two categories:
- Indemnifiable first party losses including, for example, crisis management costs (such as legal and public relations costs), data privacy and security breach notification expenses, forensic investigation costs, network business interruption (which would not ordinarily be covered under traditional property/business interruption insurance), reputational damage (although this may be constrained to public relations costs), reconstitution of damaged digital assets/software and cyber crime/extortion (which may be covered under traditional comprehensive crime insurance); and
- Indemnifiable third party liability exposures (where someone else has suffered the loss) including, for example, third-party liabilities for data privacy and security breaches, multi-media liability from published content, defence costs, regulatory investigation costs and potentially some fines and penalties.
Why is the take up of cyber insurance relatively low outside the US?
The cyber insurance market is still in its infancy.
In the US, take-up has been relatively high amongst large organisations driven by laws mandating notification of data breaches. These notification requirements can give rise to significant potentially indemnifiable costs of, for example, large-scale customer contact exercises, setting up call centres, forensic investigations and credit/identity-theft monitoring – as well as third party liabilities and regulatory fines/penalties.
However, in other jurisdictions such as Europe, Asia and Australia, where mandatory data breach notifications are generally not yet required (although the position is not uniform), take up has been relatively modest. Why is that the case? In our view, the answer is really three-fold.
First, a lack of understanding of the risk – Some large organisations, such as banks, tend to invest heavily in cyber security. But others are simply not geared up to dealing with cyber risk, carriage of which often rests with IT departments (who may not be thinking about insurance) rather than the Board.
As such, senior managers may only have a basic understanding of the risk, leaving the organisation ill-equipped to evaluate and quantify the potential impact of a security breach, let alone engage in stress testing or recovery planning.
In these circumstances, substantial work may be required before the organisation is ready to consider the pros and cons of insurance cover and make a sensible approach the market. The fact that an application for cover may drive that work to be done is often cited as a benefit of cyber insurance. Ultimately, however, the objective should be for the Board to take ownership of cyber security issues including any coverage requirements.
Secondly, a lack of understanding of insurance – Many senior managers are unaware whether or not the organisation has bought cyber insurance or have misconceptions about whether such insurance is required and what it may cover.
Some confusion no doubt stems from the complex legal framework, including the patchwork of national laws and regulation around cyber security and lack of global harmonisation.
Further confusion may arise from the fact that aspects of cyber cover can be found in various traditional classes of business (such as comprehensive crime and professional indemnity insurance), which may result in a misunderstanding or overestimation of what is covered – in reality, there are many gaps (the costs of dealing with data privacy breaches or network business interruption are good examples).
Some of these gaps may be covered by standalone cyber insurance policies but, given the complexities here, input will be required from experienced insurance professionals to undertake a proper gap analysis exercise and put the organisation in a position to understand the availability, cost and utility of cover.
Thirdly, issues with the coverage presently available – There is a degree of scepticism about the efficacy of standalone cyber insurance policies, which are often complex and lack uniformity across the industry.
Underwriters are also struggling to get a real handle on cyber risk and how to quantify it. This is not helped by a dearth of underlying claims data to model the risk.
Large policyholders in particular may face market capacity limitations, not least given concerns about systemic aggregation risks – for example, exposure to multiple policyholders using the same Cloud service provider to store data. The result is that cover may be expensive (relative to other classes of business) or not as extensive as the policyholder would ideally like.
How is the landscape changing?
Given the increasing threat, sophistication and profile of cyber attacks, we believe that the take up of cyber insurance is likely to increase quite markedly as organisations get a handle on the nature and severity of the risk and what insurance can (and cannot) do for them.
There are already signs of this happening.
Another real driver in the short to medium term is likely to be the introduction of privacy laws mandating notification of data breaches, which are on the cards in Europe, some Asian countries and Australia.
If the US example is anything to go by, these changes are likely to fuel a very substantial uptake in the purchase of cyber cover around the world.