New types of firms are buying cyber

A change is occurring in the type of companies interested in buying cyber protection, according to Jimaan Sane, underwriter, international cyber and tech at the Beazley Group.

Beazley has been underwriting cyber for the last 13 or so years and has grown this area of business by concentrating on service. Sane has seen an interesting change in the companies buying cyber protection in recent years.

He said that in the main Beazley had previously dealt with traditional buyers of cyber because their focus was around privacy and regulations such as the EU General Data Protection Regulation.

But for the past 24 to 36 months cyber coverage has shifted to more “non-traditional” buyers.

An example of this group is manufacturers. Historically, if something went wrong in a manufacturing plant they would be able to send someone to go and physically fix it. By contrast, firms with more integrated technology are more exposed to cyber risk. If the tech goes down a fully integrated or connected firm cannot function.

As these non-traditional buyers—like manufacturing firms—become more technology and data-focused they are exposed to more risk. Sane said that the losses can be smaller for less interconnected businesses but that shouldn’t put people off taking up advanced technology. “It’s about getting a balance between investment in technology and potential losses if that technology goes down,” he explained.

Energy firms are becoming more prevalent in the cyber risk area. Like manufacturers, in the past when something went wrong at an energy plant someone could physically go in and fix it. Now, with the integrated technology an energy firm could be hacked from outside. The flipside is that greater tech use allows better control and for some things to be run automatically.

Sane added: “Before the current rise of technology many companies didn’t talk to IT about processes, but now many of those processes are driven by IT.

“I would never tell a company not to use technology, but they do need to balance it against potential losses. So, it’s about having a continuous evaluation of risk exposure.”

The underwriter said that when he writes cyber risk he makes sure that what is put in place “speaks to the risk of the whole business”.

“Cyber can trigger other losses, for example in property, so it’s about making sure whatever we put in place for cyber is across everything,” Sane said.

Looking ahead, he said it can be difficult to predict what risks might come in the next 12 months as cyber risk is different from other catastrophes.

“The difference between cyber insurance and traditional sectors such as property is that a hurricane does not learn, and nor does a flood. In contrast, past losses in cyber cannot help to predict future losses or what the next type of malware will be.

“We could not predict them because behaviour is not predictable, so we have to model all possible scenarios. We have to expect the unexpected, and cyber is not going away.”