Cyber insurance: A comprehensive guide to cyber liability insurance

The concept of insurance dates back to the ancient world, when merchants wanted to deal with the risks of shipping cargo over treacherous waters. Since that time, whenever a new risk has emerged, a new insurance market has typically followed. Today, practically anything can be insured, be it a car, a home, or Cristiano Ronaldo’s legs. With cyber attacks now costing the global economy $600bn annually, cyber insurance has emerged as the latest solution in this succession.

Initially adopted by financial institutions, retailers and healthcare organisations, cyber insurance is now being taken up by an increasing number of sectors, including manufacturers and utilities. PwC estimates that annual gross written premiums for cyber insurance will increase from roughly $2.5 billion today to $7.5 billion by the end of the decade, with many experts warning that it’s not a question of if, but when organisations will be attacked.

The rise of cyber insurance

Cyber insurance is used to reduce the impact of cyber-attacks and data breaches. It first emerged because traditional insurance policies tended not to cover these sorts of risks.

Typically, cyber insurance policies provide first-party coverage against losses such as data destruction, denial-of-service attacks, theft and hacking, as well as liability coverage guaranteeing compensation for damages from errors such as the failure to safeguard data.

Other policies include offerings such as security audits, post-incident public relations and investigation expenses.

According to figures from CFC Underwriting, a cyber liability specialist, privacy breaches are one of the main types of attacks being claimed for. The firm stated that in 2016 it had handled over 400 claims on cyber-breach policies it had issued.

Speaking to the BBC, Graeme Newman, chief innovation officer at the underwriter, said: “Claims on CFC policies were up 78% on 2015. About 90% of our claims by volume are from businesses with less than £50m in revenue,” he said, adding that a “disproportionate” number of claims were being made by British firms.

He explained: “This is largely down to the fact that on the whole, UK businesses have a lower level of security maturity than their US counterparts.”

Early days

Right now, the cyber-insurance business is in its adolescence — rapidly changing, but also awkward, and not yet reaching its full potential. While many policies are currently available, many offer a lot less coverage than buyers would like.

A common problem with the current cyber insurance market is the lack of standard policies, while the differing terminology between vendors leads to confusion about the protections a policy can offer.

Another issue facing insurers and organisations today is the lack of visibility into cyber health, which makes it a challenge to quantify and understand premiums. Furthermore, according to a report by the insurer Hiscox, nearly three-quarters (73%) of global firms are “cyber-novices” regarding the quality of their security strategy.

Cyber insurance broker

Due to this complexity, many companies look to cyber insurance brokers for help. A cyber insurance broker acts as an intermediary between the client and the insurer. Their job is to get the best terms and conditions for their client. The broker can also determine the coverage option best suited to a specific industry and vertical.

According to a recent study by Fox Rothschild, the US law firm, more than half of survey respondents worked with a broker to obtain their policy. Advisers assisted in a number of ways, such as ensuring that employee error isn’t excluded from coverage, that sublimits will cover potential fines and that companies know which costs related to business interruption will be covered.

Mark G. McCreary, chief privacy officer at the firm, said: “An executive may think, ‘We’re secure; we have a cyber insurance policy.’ But if they don’t have the right coverage, they may find themselves in a world of trouble when a breach or other incident occurs.”

“By working with a broker or with legal counsel who can advise on insurance coverage, companies will have a true sense of security because they will have a more effective policy in place that is suited to their needs.”

He added: “Working with a broker or with legal counsel ensures that you have a much more effective policy in place – one that will offer broader and better coverage for your company’s needs.”

The claims process

Beyond being able to help navigate through the nuances and difficult terminology, brokers also aid in the claims process.

According to Fox Rothschild’s research, only 21% of companies with coverage had filed a claim over the last five years. Speaking to Insurance Business UK, McCreary said: “If I’m a broker and I have a customer that has a claim under a policy, I may not really appreciate exactly how you get to those points, and what the steps and costs are, until I go through it several times. Until you do that, even the broker doesn’t understand how the system works. It’s something that you have to really understand how the policies are different and understand how the claims made are different.”

Cyber insurance providers themselves have a responsibility to help their clients understand the claims process. According to Insurance Post’s 2018 Cyber Insurance Survey, as the cyber insurance market develops, a cyber claims process could make or break an insurer. In the survey, some firms earned a low ranking from brokers even when they had invested substantial resources into developing a cyber proposition. This is because insurers with lower rankings faced criticism both for the claims process brokers experienced when supporting a claim for a client and for their approach to risk management.

On the other side, the higher-ranking insurers use a claims process where policyholders are directed to incident response experts who are on hand to guide them through the process in its entirety.

According to Tom Spier, director of international business development at Cyberscout: “This provides a better customer experience because policyholders have a single point of contact across all aspects of a claim, the interests of the project management experts are directly aligned with those of policyholders, and policyholders are connected to an expert with intimate knowledge of cyber events.”

Cyber insurance market growth

Research suggests that this current period of profitable growth in the cyber insurance market is bringing the benefits of competition and stability for buyers.

According to a report from Verisk, the US commercial cyber insurance market is expected to reach $6.3 billion by 2020, from $2.5 billion in 2016. Standalone cyber insurance policies will continue to account for the majority of packages, increasing to $4.2 billion by 2020, from $1.5 billion in 2016.

As cyber threats continue to develop, the cyber insurance market is predicted to become more dynamic. This agility, according to risk modelling firm RMS, will stem from the inevitable increase in competition. At present, a mere five insurers account for 60% of the US cyber insurance premiums. New firms have, however, been dipping their toes in the market. RMS says that this increased competition will impact rates: rates reportedly decreased over the last 12 months, and the market witnessed a loosening of coverage terms.

There is likely to be a growth in more industry-specific coverage options. At the moment, it often feels as if cyber insurance is a one-size-fits-all product. Hopefully, insurers will be able to get more in tune with what individual firms are facing.

Response to prevention

Cyber insurance, like most other forms of insurance, has tended to be categorised as an instant response product. Initially, coverage may have included a form of forensic services; however, as pre-emptive services evolve in the cyber security market, it is likely insurers will follow suit.

The market is already beginning to see more pre-breach services being included in coverage, where firms are able to provide some kind of consultancy services to clients as they’re assessing their cyber risk.

As for shaping the future of cyber insurance coverage, executives can vote with their wallets. When considering cyber insurance policies, business leaders and brokers need to push for packages which include pre-event prevention services, such as proactive threat monitoring and mitigation.

Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders, helping them manage business-critical issues both for today and in the future.