23 March 2018

Cyber coverage dislocation—why buyers and sellers struggle

Cyber insurance holds great growth potential for insurers as digitisation increases the exposure of all industries, but many buyers still need to come to grips with this emerging risk and insurers need to figure out the best way of packaging and selling it—meaning the purchase process remains cumbersome.

Demand for coverage is burgeoning and insurers are obliging. The standalone cyber market reached an estimated $3.5 billion in written premiums in 2016, and many analysts suggest that this figure will double over the next two years, largely driven by the incoming EU General Data Protection Regulation (GDPR).

But it’s not only new data protection regulation that is driving cyber insurance demand—recent cyber events have exposed the vulnerability of companies such as Maersk.

“It happened to us,” said Henriette Guespereau, lead risk advisor at Dutch logistics giant Maersk at a cyber conference in London organised by Advisen. “People could not book containers on our website for around 3 weeks,” she explained.

Maersk fell victim to the NotPetya cyber ransomware attack in June 2017. The company subsequently reported that its third quarter results were negatively impacted by $200 to $300 million as a result of “business volumes being negatively affected for a couple of weeks in July” due to fallout from the cyber attack.

The company later acknowledged that its commercial insurance policies, including liability insurance for assets such as vessels and other materials, come with exclusions for cyber. The commercial insurance products it purchased didn’t meet the full scope of its risks, including the reality that a cyber attack on the firm’s operations has a direct, real-world impact on the company’s physical assets and commercial operations.

As a result of the attack, Maersk moved its incident department into the IT department and decided to purchase standalone cyber insurance. The cyber event helped to convince management that buying separate cyber cover was a sensible move, Guespereau said.

“After the incident, there were directions given to purchase a lot more limit than we were originally looking for,” she noted. Even so, there were still voices in the company suggesting that the money would be better spent on information security measures.

An easier argument to win

Cyber is still a relatively new risk and businesses and individuals are only gradually warming up to the idea of purchasing cyber insurance, although it is easier today to convince stakeholders of the need for cyber cover than a few years ago.

“In the old days, the IT people would not understand what they had to do with insurance,” said Elizabeth Queen, vice president, risk management at information services provider Wolters Kluwer. “But even today you have to reach out, you have to be proactive,” Queen noted.

While there may be a lot of growth potential in cyber insurance, Inga Beale, the CEO of Lloyd’s, recently criticised the state of the market, saying that it has not developed as much as it should have in the past 20 years and remains “frustratingly immature”.

Some may disagree with Beale, but others see the fact that the industry cannot decide whether cyber insurance should be a peril or a standalone policy as evidence that she may be right.

Both sides of the dispute had proponents present at the London conference. While some experts believe that the cyber business needs to be treated as a standalone policy to become more professional, others think that cyber risk has to be seen in conjunction with the assets that may be impacted by a cyber event.

Because the market is still developing, it may make sense for insurers just to focus on the clients’ requirements and deliver services based on those, panel participants suggested.

Every company that operates a digital business needs cyber cover, Queen said. “How you craft it is up to the company,” she said.

Maersk, for example, an asset-heavy firm, has traditionally bought property/casualty insurance, but digitisation has changed its purchasing routine.

“We want to remove the exclusions we have on some of the P&C programmes,” said Guespereau. “In these programmes, cyber should be included like any other peril. We don’t want to end up in a claims debate of whether a damage was caused by a cyber event or not, and having to discuss two insurance programmes and which one should be triggered,” she explained.

For exposures for which Maersk has not bought cover in the past, such as the loss of revenue due to system failures, a standalone product may be required, Guespereau noted.

New buyers

UK bank Barclays purchased cyber insurance for the first time in the summer of 2017. In order to enable the purchase, the bank gathered information around perils and scenarios from all stakeholders, particularly from the information security team. In a manner similar to that of Maersk, the lender decided to take a mixed approach and purchased both standalone cover and additions to existing policies.

Barclays went through its insurance policies, determined the cyber cover included in those and then built a policy for cyber exposure and peril. Some of the purchased cover is “a tagalong to some of the existing policies and some are a policy for itself,” said Jeremy Harvey, vice president, group insurance at Barclays.

“Over time we might get to more of a peril-driven policy,” Harvey added.

Meanwhile, Barclays plans to work continuously on a dynamic gap analysis process. The bank wants to reduce exclusions in existing policies in negotiations with insurers while adapting cyber insurance policies accordingly, he explained.

Wolters Kluwer had a combined traditional general liability insurance and, some years ago, started to move cyber inside that as part of the same tower, Queen said. At the same time, the company continued to add layers and blocks on top of it to protect the core business. As the company’s risk profile is data-heavy and data security-oriented, certainty over cyber risks and cover is paramount.

“We do not want, in case of an event, to have to figure out who we go to for what,” she explained.

Selecting the right policy

Perhaps because the cyber market is still developing, it remains difficult for potential cyber insurance buyers to shop around for cover because the insurance forms of different providers differ significantly. Increased standardisation of policies and language could help clients to better compare and choose the appropriate insurance, but it might be too early for that, Guespereau suggested.

“I think the market is not mature enough to have a standardised product,” Guespereau said. “We went for a bespoke wording because we felt it was necessary to describe what we are doing and where we see the exposure,” she explained. At some point, the sector may be ready for a standardised product, which can then be adapted to the specific needs of the client, she added.

Arguably, however, the market might never reach such a state of maturity because of the dynamic nature of cyber risks. Nevertheless, Queen pointed out, the market has already undergone significant development in the wording of policies as well as experiencing an increase in capacity and number of players.

Furthermore, regulation such as the upcoming GDPR in Europe is set to give the market another boost as businesses need advice on how privacy and cyber risk are linked. Cyber cover may be part of a solution to avoid significant fines for breaching the new rules.

As the market matures, cooperation between insurers and their clients is expected to grow with regard to incident response and protection.

Wolters Kluwer, for example, developed an incident response command system which includes regular staff training to manage any cyber event. “We get better every time,” Queen said.

“We worked with our brokers and with our carriers to talk about what we need to do, what do they need to see to underwrite,” she explained. “It’s been a continuous sharing process.” While Wolters Kluwer is focusing on training people and practising, the next level of maturity will be to include insurers in a one-day simulation to stress-test the policies.

“Connectivity has a lot of pluses but it also comes with a certain amount of vulnerability and responsibility,” said Queen.

Before businesses are ready to purchase cyber cover, they need to be able to assess and quantify their risks.

It is important to quantify the risk exposure to allow the management to understand it and to identify the most important risks from a cost perspective, Guespereau explained.

Afterwards, there can be a debate on possible mitigating action and on the potential risk transfer to insurers, she noted, at which point one needs to decide on what limits the company may want to purchase.

Harvey added that if you are using a model you have to know all the numbers and everything behind them.

Knowledge and capabilities in the cyber area are scarce at the moment and demand for talent in the cyber space is high, Queen suggested.

Anyone who has cyber in their CV is suddenly a potential candidate to fill an opening, she said.

In addition, property/casualty underwriters may not be that comfortable with cyber risk and might need to work more closely with their colleagues in the cyber department.

“There are still some silos between the property/casualty and the cyber teams,” Guespereau said. “Insurers should try to bridge that gap,” she added.
