New research from Cyber Decider shows gaping holes in brokers’ cyber policies

New research from cyber insurance comparator Cyber Decider has shown that some brokers are being left vulnerable to cyber attacks because their cyber insurance policy fails to cover many of the common threats.

Typically, brokers get their cyber insurance from their major insurance partners, meaning most smaller and regional brokers are covered by just a handful of standard policies – which in many cases will not be the policy most suitable for their needs.

Neil Hare-Brown, chief executive of STORM|Guidance, Cyber Decider’s creator, said: “It is an FCA requirement that all insurance brokers can demonstrate cyber resilience: cyber insurance plays an important part in ensuring cyber resilience – especially as most policies include immediate access to incident response services.

“This is vital because brokers need to be able to provide a service to their clients at all times and investigate data breaches effectively when they occur.

“Brokers use data (personal and other third-party data) in their service, and whilst their professional indemnity policies may provide some liability cover, it is the first-party losses which tend to be much more serious – and these are not covered by a PI policy. Additionally, the broker may not be the primary target but a conduit to a bigger prize – a large insurer.

“Also, brokers, like other businesses, are outsourcing more and more, but only half of policies cover losses caused by incidents at the premises of such essential providers as payroll and trading platforms.

“A significant example of the potential costs from cyber incidents at vital service providers was the SSP system outage that lasted for 11 days in August/September 2016.

“The problems were especially bad for the many brokers who were completely reliant on SSP (it provides email and productivity services as well), so they were unable to service their clients for the period. Many lost clients and incurred additional costs because of the outage.”

Cyber Decider examined the 18 policies most commonly used by brokers, and found:

  • Only 22% provide business interruption cover on a “revenue basis” – some are even limited to net profit only. This means that 80% of brokers’ policies may not cover income lost by failing to acquire new business, and some would not cover costs like overtime.
  • 88% include cover for the loss of earnings resulting from damage to their reputation, but many have cover that ends when the computer incident is resolved and do not provide any cover for continuing client loss (some have cover for only 90 days).
  • 72% include cover for payment card costs (incurred in accordance with the PCI contract terms), although in several this is optional cover that must be specifically requested.
  • Only 55% include liability cover for breach of a confidentiality agreement in your contract or terms of business agreement (TOBA), despite the broker-insurer TOBA template from the British Insurance Brokers’ Association (BIBA) issued in July 2018 including confidentiality conditions for non-personal data.

“Brokers and other insurance businesses of all sizes need to develop a ‘security culture’, from the board down to every employee. Currently few have it,” Hare-Brown added.

“Our experience investigating hundreds of cyber incidents has led us to understand those issues common to those organisations who suffer breaches. Issues such as lack of investment in technology and skills are just two of what we refer to as the Seven Deadly Cyber Sins.

“Importantly, can brokers adequately advise their clients on which cyber insurance policy is right if they cannot even be sure they have bought the right policy to cover their own business?”