Cyber insurance is breaking out of its niche position as more companies acknowledge increasing electronic security threats. Anita Anandarajah assesses the challenges faced by brokers and the industry as a whole, in adapting to this ever changing market.
Cyber insurance, while little known, has slowly but surely been making inroads into the UK in the past seven years.
We are now familiar with terms like industrial espionage, unauthorised access, identity theft and malicious intent which are much like the premise of a James Bond movie.
Indeed, an attack on data from the inside is of ever increasing concern today, compared to as little as two years ago when threats were largely external, appearing as viruses paralysing computer networks.
Cyber insurance remains a niche product and there are fears that the industry has been too slow to respond to new threats.
Nationwide Building Society suffered a serious set-back last year when an employee’s laptop containing confidential information on 11 million customers was stolen from his home.
The FSA found that Nationwide did not have adequate information security procedures and controls in place and that the building society was not aware that the laptop contained sensitive customer information.
Nationwide was subsequently fined £980,000 in February by the FSA for information security lapses.
Jeremy Smith, of Jardine Lloyd Thompson’s technology liability and cyber risk team, says: “These days, digital assets can be more valuable to a company than the physical hardware.”
Yet, most organisations have little or no insurance to cover operational risks related to electronic data, applications and computer networks. Smith says that property insurance markets have either not offered or have withdrawn cover for non-physical events like loss of data.
Some organisations have purchased policies that offer limited cover and uncertain methods of determining loss. Often these policies contain inadequate limits for contingent business interruption or exclusions that limit cover for inside perpetrators or computer crimes.
Marcus Brese, UK technology personal indemnity manager at Hiscox, believes there is a lot of interest in cyber insurance in the UK and Europe but people do not spend money on it because there are no privacy exposures here unlike in the US.
US companies in the finance and health sectors are bound by the Gramm-Leach-Bliley Act, which controls the ways that financial institutions deal with the private information of individuals and the Health Insurance Portability and Accountability Act of 1996, which deals with the standardisation of healthcare-related information systems.
So what exactly is cyber insurance? Rick Welsh, unit head of management liability at Novae, explains that it is a grouping of specialist insurances that cater for network security liability, intellectual property protection, media liability and privacy liability.
Brese describes it more simply as first and third party cover associated with breaches in security and online publishing.
Barrie Lloyd, technical underwriting officer of QBE, says insurers selling cyber insurance are like “voices in the wilderness”. There are probably only half a dozen or so companies specialising in it.
There is a lack of awareness of cyber insurance, particularly for identity theft, among end consumers and the industry itself.
Lloyd says: “Brokers would be more keen if there were a market for this product. You can’t sell to an individual because there is no return on it. You have to sell en-masse, to financial institutions for example.
“Also, many brokers haven’t worked out how to sell it. If you don’t understand the technology, it will be difficult to understand the client’s risk profile and correlate this with existing products in the market. A lot of people selling these products are generalists.
“A broker has to ask the question: what exposures am I able to insure? If you think your client may have insurable exposures, speak to an underwriter.”
Simon Gilbert, account executive at UIB, says that businesses can historically insure any risk for a price.
“As a security breach incident affects many different areas of business, cyber risks are extremely complex to evaluate. Insurers are currently providing policies that respond to some areas of cyber risks as they have statistical information, commonality of risk profiles among companies and understand the potential cost of some types of security breach.
“However, they are not able to provide policies where this information is not available.”
Prohibitive costs may be another reason why people shy away from this product. Gareth Tungatt, senior underwriter for IT and cyber risk at Ace Insurance, says: “Historically, cyber insurance has been massively expensive with premiums starting from £2,000 for a standalone policy and £650 as a combined product. This is inevitably based on loss history.”
Biba technical services officer Steve Foulsham says that it is a question for the broker and client to look at the agenda at every renewal meeting.
Foulsham says: “In terms of cyber insurance generally, to my mind it is like how directors’ and officers’ (D&O) insurance was received a few years ago. Brokers didn’t understand D&O and therefore tended to shy away from it. That is part of the reason why the cyber insurance market hasn’t developed over the past few years.
“With more being done over the internet now and identity fraud becoming more prevalent, there needs to be an impetus to bring it to the table.”
That impetus will come in the form of Biba and the ABI, working together to provide industry guidelines for a more joined up approach in terms of dealings with clients. Cyber insurance will form a part of those guidelines.
Responding to the suggestion that cyber insurance products in the market are inadequate, Freeman says that they are improving in scope. “There are some underwriters that write more sophisticated coverage,” she says, while suggesting that perhaps the capacity available for the damage of a company’s own network could be an issue for large companies.
Tungatt explains that it takes specialist brokers to sell cyber insurance. “It is very uncommon for businesses not to buy business continuity cover. However, this doesn’t always respond to network breakdowns or viruses as there is no tangible loss and therefore no trigger for the policy.
“Cyber risk is so new and is continuously changing because of the nature of technology where new bugs are always coming out. Some underwriters wouldn’t necessarily underwrite it.”
Smith shares the same view, pointing out that a cyber policy that is right for a firm one year can become almost obsolete the next. “It is therefore imperative that companies use knowledgeable cyber risk brokers who can re-evaluate risks on a frequent basis. This will result in a bespoke wording tailored to meet the changing exposures of the client.”
Another accusation thrown at the market is that cyber insurance is elitist. To this, Freeman says that the key on the product is selection. “An underwriter needs to select people who have invested in business continuity and the prevention of security breaches otherwise it will be difficult to write these accounts.”
Freeman cautions that cyber insurance is not a substitute for security risk management – for example, it cannot cover loss of reputation or brand. “It is a complement to a risk management programme and allows you to transfer risks that cannot be fully mitigated.”
Lisa-Hansford Smith, of Marsh’s financial and professional services practice, says that improving a client’s risk profile is the first port of call and that insurance is one of several options at the end of the process.
“Underwriters are not necessarily there to write any bad risks – it is important to look at what risk is left and can it be insured,” she says.
QBE’s Barrie Lloyd says that the problem of providing insurance in this area is that owners of computer systems need to take due precautions with respect to their systems. “In accordance with BS7799 (guidelines for information security risk management developed by the British Standards Institute), a company is supposed to carry out an assessment of its risks – be they physical or electronic – and define a policy and strategy to address those points. It could be something as simple as logging out of an idle system after five minutes.”
Cyber insurance is becoming more of a talking point in the UK and Europe and has become a core boardroom risk. The onus is now on the industry to adapt to the needs of its clients, or risk being left behind.
The history of cyber cover dates back to 2000 when policies focused on privacy liability. This cover protected a client from being sued for breach of privacy and security liability which related to unauthorised access and identity theft with malicious intent.
Then came the idea for creating insurance for direct loss, where a network or data is damaged due to a virus.
Emily Freeman, executive director for technology-related risk at Lockton explains that in the last year, the liability side has been broadened to cover regulatory defence as a regulator like the FSA can now take a financial institution to task for breach of security.
Freeman says: “The latest cover involves notification cost. In the US, it is mandated by law in 36 states that if a company suspects a security breach of customer data, it is obligated to inform its customers.
“Notification has become a significant financial cost involving sending out letters to customers with offers of restitution and support. Some businesses offer credit monitoring and free credit reports which will tell a client whether unauthorised charges have been made on their credit cards.”
Notification is not required by law in the UK as yet but some larger companies are already voluntarily doing this.
Vinod Bange, associate at Eversheds LLP who specialises in data protection says that there has been an increased awareness of data loss recently and a resulting culture to notify clients of this loss.
One reason for this is that many companies now have global data arrangements. Companies are increasingly using global databases and it is more difficult not to notify customers in the UK about a breach in data security while notifying those in the US.