The Private Equity (PE) backed SME segment still has a very low take-up rate of cyber insurance (even in tech-heavy sectors) and insurers are excluding cover for portfolio companies from PE firms’ own cyber policies, which should prompt an urgent review into how emerging gaps in cover can be filled.
The UK is experiencing soaring levels of cyber attacks, with Royal Mail, JD Sports and WH Smith just some of the well-known names affected in the first months of 2023. These are the ones that hit the headlines – many more are equally damaging but stay under the radar – with a huge increase in levels of malicious activity compared to pre-pandemic and more politically stable times. The overall effects can be devastating both reputationally and operationally for the businesses impacted, which is why insuring against risks such as ransomware attacks and data breaches is critical.
Yet as claims rise, insurers are taking a much harder line, both in introducing sweeping exclusions and pushing up rates. Specifically for PE, insurers are introducing ‘portfolio company exclusions’ relating to cyber cover, further exacerbating the policy restrictions affecting other sectors.
In recent years, it has become commonplace for private equity companies to implement insurance programmes that extend to cover losses arising within their portfolio companies where the PE firm is involved. Such involvement is increasingly likely where some PE firms give hands-on support, including around technology enablement, where systems are interconnected and where sensitive data is continually transferred. But this cover is another area where restrictions are increasingly coming into PE cyber wordings, excluding such scenarios or any claims from portfolio companies for a cyber event striking the PE firm which also affects their portfolio.
Another long-running example is cyber war and terrorism exclusions, with Lloyd's introducing a suite of increasingly restrictive clauses in late 2021 (and many insurers removing previously available carve-backs providing cover for attacks specifically targeting an insured company), and with a recently announced further drive to encourage their use from end March 2023.
Complex risks
Private equity companies are also in the insurance spotlight because there is more perceived complexity and variation when it comes to exposures and, arguably, more lax controls that are difficult to co-ordinate across a portfolio. As a result, more stringent minimum security requirements and policy conditions, as well as exclusions, could mean that a private equity house finds that its portfolio holdings have no cover if they suffer a cyber attack.
Partly, this could come from new exclusions in the PE firm’s own central policy. But also many portfolio companies will either not buy their own cyber insurance at all, or in many cases, will have outgrown a very basic insurance offering targeting SMEs that provides very limited cover.
Understand exposures and act
Getting a handle on these challenging risks is far from easy. Cyber attacks are one of the fastest growing problems for companies large and small in the UK and the recent Mactavish cyber report showed businesses are 85% more likely to be a victim of a cyber attack compared to four years ago. What is more, private equity houses also face their own unique exposures.
They hold data both on themselves and their portfolio companies, which is often sensitive and commercially valuable. This data may also include details that can be highly sensitive, such as on senior management and their medical records. These could be extremely appealing to cyber criminals.
A further issue is that private equity companies may well be linked to their portfolio holdings via an interconnected system, such as a portal. This may be essential for integration, but it raises risk, which is further compounded by the fact that more people now work from home and use mobile devices, coming at the same time as a general increase in malicious activity.
The search for solutions
Clearly, a comprehensive risk assessment will be of benefit to ensure high levels of security are in place and that all are aware of the dangers – and increasing sophistication – of phishing and other attacks. Even – or sometimes especially – those in the most senior of roles have been caught out.
What also matters is working with an adviser who understands how the present insurance market is operating for cyber cover. It may involve enhanced information on systems and defences to enable you to buy cover at all, and some tough negotiations to get adequate cover. The list of pitfalls to look carefully at before buying is long and complex, for example whether the proposed policy covers all relevant data types, all applicable third party providers, all anticipated response costs, business interruption where it continues beyond systems reinstatement, accidental as well as malicious acts; the list goes on.
What matters at the point of cover is that both parties understand the risk, that there is clarity on what is covered and that proper risk controls are in place. Without taking action, existing cyber cover may well be of limited value and the private equity company and portfolio holdings could both be denied a claims settlement.
It has never been so important to take cyber risks seriously. Experience has shown that when a claim occurs, it is not just a question of patching up a software flaw and moving on. The damage is invariably wide-reaching, requiring extensive investigation and recovery investment and affecting confidence in the business and its reputation. For the private equity house, this could affect their whole portfolio, even where a business has not been directly involved in an attack.
Quality cyber insurance and specialist support from insurers is available, but it is becoming harder to find and now is the time to ensure your protection is as comprehensive as possible.