The fourth in a series of nine articles ahead of Cyber Insight 2018. Graham Whyatt, group head of SME at James Hallam spoke to Insurance Times ahead of his appearance at the event on 14 November
What is stopping cyber insurance from becoming a must-have product in the SME market?
I don’t think it is one specific thing that you can pinpoint but I would say, the main is probably education. SMEs still don’t necessary believe they are going to be affected by cybercrime and I think communication from brokers around this could be much better.
I think the pricing is now much better, if you would have asked me three or four years ago, pricing would have been completely different to what is now. It has almost become an affordable commodity for SMEs to buy compared to traditional insurances.
So I would say these are the two main issues but we are getting better at both, certainly the pricing. I think cyber is now a very sellable product so it is now the education we need to focus on to make SMEs more aware.
What initiatives can the industry take as a whole to better educate clients about the potential cyber threats?
I think, personally, it is around marketing in general. Brokers still control the majority of the SME market when it comes to commercial insurance, it is about brokers doing their job right and educating the clients.
Holding seminars, sending information out on renewal and business reports advising clients around cyber cover is important and usually well received. I think the more we put out on a marketing side, whether it will be a newsletter or a one off bulletin around cyber cover, all helps raise the awareness.
If we can break information down in to trade sectors so we can identify in the particular sector ’these are the problems,’ it could have more of an impact.
Cyber liability appears to be a very complex product. What would you say are the main difficulties when putting together a cyber liability product?
The cover needs to be adequate, cyber liability is a little misleading as it should really be cyber insurance. Cover insurance is more than just liability as policies pick up system and data damage, business interruption as well as liability. There are some good SME products now that have lower levels of cover which can be a good start point. I have seen products with limits of indemnity starting at £50,000. Whilst this is probably not enough you can buy this cover at a reasonable price, and if price is key to the purchase of cover, something is better than nothing.
If you look at some of the reports about the average hit on SME’s, it seems on average that a potential claim would be ranging from £40,000 to £70,000 . So, I will certainly look for a minimum level of cover at £100,000 but of course the larger the SME, the more cover they are going to need.
The products that are clearly important, the majority of the cyber covers that I have seen tend to vary. I don’t think anybody has got any gaping holes in any of their insurance products but some are better than others and it is also about the response that they give to the cyber issue and how efficiently this can be dealt with.
As well as stand alone cyber cover you can get products that offer this and additional covers within a product. Management liability protection is a good example, where you get cyber cover and you will also get a crime cover, corporate entity cover, and directors and offices cover.
Some of these MLP product which are in the market and include cyber and crime are pretty good and it gives the added benefit of having several covers with one insurers avoiding any issues of who pays on what section of cover in the event of a claim.
Last May, we had a major legislative change with the implementation of GDPR. What would you say are the main implications of GDPR for the cyber insurance market?
The data breech reporting is a big thing. As soon as you are aware of having an incident or your systems have been attacked in some way and there is a loss of data, then the reporting process is hugely important. Awareness has been raised by GDPR to SMEs about what they have to do and I think that is one critical area which it has brought change.
GDPR certainly helps to raise awareness to SMEs about cyber insurance and potentially crime insurance as well. We look after a large number of businesses in the travel sector such as tour operators and travel agents.
There has been a real uplift in take-up of cyber and crime insurances for those who fall under ABTA which is a travel agents’ governing body as they have really helped raise the awareness in that particular industry.
Would you say that GDPR is kind of a booster for buying cyber insurance in the SME market?
Yes, I think it definitely has been. It has made SME’s more aware of what could potentially happen to them if things go wrong and, obviously, if things do go wrong, you have the potential costs of having systems checked and data cleaned and potential fines as well.
Looking at the future, where do you see cyber insurance in the next 5-10 years?
I think cyber will be probably one of the main insurance products bought.
Cyber will be part of everyday insurance cover. Insurance requirements have and will continue to change, the use of computers and technology has been on the increase for years but now with the use of them being even more reliant in day to day business, and the fact we hold more data and information, people will continue to find ways trying to access and try to hurt businesses.
I think it is going to become no different to the traditional insurances required, understood and bought today.
So it is just going to become mainstream?
In terms of cybercrime, would you say the rate of preventing it is enough or there is definitely more to be done?
Probably not, I don’t know on that, I have to be honest and I am no computer or cyber expert, when it comes to the actual systems themselves.
I think everybody is more aware about the need to change passwords, keep security up to date and checking adequate firewalls are all in place etc. so I’d imagine most companies are working at it now and are trying what they can to protect their systems.
Whether there is anything out there which will helps us stop it, I don’t really know, there are a lot of unsavoury people who can find the holes, thankfully though there are plenty of clever people who can quickly fill them. That said, without the right insurance cover, that might not be enough.
What can the audience expect from you at the Cyber Insight? Why should people come to? And why is it important right now?
The audience can expect fair and open conversation, I suppose. I am as interested in this topic as anybody else is and I think it’s great to get different opinions from different people.
Eventually cyber will become mainstream so I think it is important now that as insurance industry that we get this right. There is plenty of cyber products out there, plenty of understanding on cyber. I think it will be great to share ideas with different companies, different brokers and different insurers to find out are there clients buying cyber, why are they buying cyber, what is really prompting them to sort of look at this and go ‘this is something I must have’.
And companies which are struggling to sell cyber, they may gain real benefit from other people how they have actually done it.
Graham Whyatt will appear on the rountable “Cyber Insight gets personal” at the event on 14 November