Last year, we commissioned a report into buyer attitudes to cyber insurance. One of the stand-out findings was that fewer than one-in-three respondents told us they already had distinct, standalone cyber policies. Therefore, it wasn’t surprising to learn that only 40% felt their organisations had adequate cover.
Over the last twelve months, with increasing attention on the scope and scale of cyber threats, we might have expected that the number buying a standalone policy would have increased. Yet, based on the many conversations we have with our clients and prospective clients, I would guess that if we ran that research again the numbers wouldn’t have changed much – if at all.
This presents us with something of a paradox: we know that cyber threats are top of the agenda, but we also know that there is a real wariness around buying the cover. More often than not, this mismatch seems to be caused by uncertainty. Insurance buyers are wary of a rapidly evolving, immature product that is yet to be truly tested on a full range of policy triggers or circumstances.
To help bring a little clarity to the picture, I wanted to explain how we encourage our clients to approach cyber risk.
Assessing your requirements:
Firstly, there’s the question of precisely what type of risks your business faces. There are a myriad of threats out there, but these are some of the key areas of concern that we routinely encounter:
Each of these is potentially a large and complex topic in its own right, but the first step is to seek a far greater level of understanding of your own business’s risk profile by conducting a thorough risk mapping exercise. With a clear idea of the relevant risk areas, you can begin to model realistic loss scenarios that give you an idea of the size of exposure you may face.
Working out a placement strategy:
Once you know what you need cover for, the next step is to look at your existing policies to reveal any gaps.
While lines such as PDBI may include an element of cyber coverage, they may not reflect the actual situation you face. Indeed, there is some evidence that these policies will tighten up at the beginning of the New Year as a Lloyd’s mandate will ask insurers to state whether these ‘silent’ cyber policies cover both malicious and non-malicious losses. While this transparency will be welcome, we share some concerns that underwriters will simply exclude a number of cyber provisions outright.
If you decide to buy a standalone policy, you face a further challenge: standardised wordings. We find that many brokers and insurers now have a default ‘best in class’ wording that is offered to a wide variety of clients across a range of industry sectors. Unfortunately, this one-size-fits-all approach can lead to misunderstandings and – in the event of a large loss – potential for contested claims.
Finding the right support:
If you have determined that you need to assess or review your cyber risk profile or are contemplating the need for a standalone cyber policy, all of that uncertainty can be a major additional hurdle – meaning that it’s more important than ever to find the right partner to help you through this ever-changing landscape.
Whoever you work with, we would recommend that you ask them to start at the very beginning – by working forward from your unique risk profile through to the insurance solution. Interrogate the wordings you are presented with and test them diligently against the real-world loss scenarios that you have identified.
If you would like to discover more about how we can provide you with an independent perspective, or simply to discuss some of the issues raised in this article, you can get in touch with me directly or via the Mactavish website.
Matt Pellowe
Head of Business Development