In the second of a series of nine articles ahead of Cyber Insight 2018, Cliff White, head of cyber at Manchester Underwriting Management (MUM), talks about the future of specialty insurance with Ekaterina Dimitrova.
What still prevents cyber from becoming a must for the SME market?
I think the cost is one factor. Cyber insurance is still seen as a non-essential purchase and considered an expense that can be avoided during uncertain times.
However, we are seeing more SME clients who have suffered a cyber incident coming to market after the event, sometimes as an improved risk, having implemented remedial measures post event. We firmly believe that we are in a soft market, but clients don’t necessarily feel that. For them it’s simply a new class and additional expense.
Also, education. Less to do with the risks posed by cyber incidents (as more SME clients fall victim to cyber scams and word spreads) and more to do with how cyber insurance responds to those risks. We need to help clients to connect the dots, so that they can make an informed decision.
What are the difficulties when putting together a cyber liability product?
In the current soft market, choosing the right business partners to provide the added services, which form such an important part of any cyber liability product.
For example, we use the Berea cyber risk management solution at MUM, which we provide to all of our cyber policyholders.
Also, it is difficult to know how to strike a balance between the level of premium that we’re able to attain and the quality of cover that we can offer. Controlling volatile exposures such as social engineering fraud with appropriate sublimits can be tough.
Setting application questions so that we can garner the underwriting information that we need, whilst keeping the application as concise and commercially acceptable as possible.
What are the main implications of the GDPR implementation to the cyber insurance market?
The requirement for notification within 72 hours is a headline feature of GDPR that poses a challenge to any organisation and is a contributing reason for buying cyber insurance. But the deadline also poses a challenge to the insurer to have a robust breach response panel in place and ready to act at the drop of a hat.
Like a number of other leading cyber insurers, MUM makes use of the services of ReSecure to provide its coordinated breach response service to its policyholders.
Similarly, whilst it seems highly unlikely that ICO fines issued under GDPR will be recoverable from insurers, the threat of such large fines under GDPR means that the insured needs to be at the top of their game when responding to a data breach.
A quality breach response will have lawyers who are regularly in contact with the ICO and who have experience of handling such matters as well as PR specialists and call centre facilities who can help with the client communications.
What initiatives should the industry as a whole take in order to better educate clients and raise awareness about the cyber threat?
Share case studies, participate in events such as Cyber Insight and continually educate. Not just about cyber threats, but also about the underwriting process that we go through.
What are the touch points that make a difference between an acceptance or declinature? What are the consequences of certain responses to application questions?
How do you see the future of cyber insurance in the next five years?
GDPR was a big shake-up in Data Protection Law and we have seen a large increase in enquiries since it came into force. Nevertheless, conversion rates have remained slow, but there are signs that they are climbing.
I think we need to prepare ourselves for the long haul, but in 5 years’ time we’ll be looking back on standalone cyber insurance as a mainstream purchase.
We’ll also see more engagement around insurance for the physical consequences of a cyber incident, such as property damage or bodily injury, as insurers of other classes introduce more robust cyber exclusions under their property and liability products.
Is the rate of progression in preventing cybercrime enough?
No. Many clients are investing in minimal security and leaving big gaps to be exploited – employee awareness and education, multi-factor authentication for network logins and encryption of personal data can each make a huge difference, but they are often overlooked or considered too much of a fuss to implement.
It’s a similar story when it comes to incident response planning. Most clients will have a BCP or DRP, but it will be related to physical business interruptions or disasters rather than cyber incidents and these may not be tested regularly to see how robust they are in a practical situation.
What can the audience expect from you at the Cyber Insight event next month?
I look forward to debating the questions with my fellow panellists and I hope to provide a straightforward and practical approach to the questions under debate. I don’t come from a technology background and will try to avoid getting tied up in cyber jargon.
Why should people come to Cyber Insight? Why is it so important?
At this stage of cyber product evolution, it’s important that we make the most of forums such as Cyber Insight to come together, share ideas and learn from each other in order to shape the future of the cyber market.
Only by doing this can we hope to provide clients with practical solutions to the risks that they face rather than trying to sell them a product which may or may not respond to their demands and needs.