Cyber offers opportunity and innovation

The Insurance Times Cyber Insight 2017 conference opened with a warning: If a broker breaks ICO rules over GDPR then it is likely that the FCA will also get involved, according to RWA Compliance technical director Ash Patel.

Brokers will want to ensure they are compliant in time for the 25 May 2018 deadline, or they may have to face a double-edged regulation sword. An ICO representative has already warned insurers that the industry cannot expect special treatment.

Patel said that brokers should look for the opportunity in GDPR, which should open a window to push cyber insurance to clients. He added that changes are just an improvement on current regulation, from which there have been no huge breaches so far. However, Patel explained, brokers cannot get complacent and must make sure they have begun preparations now, starting with a data audit.

Rapidly changing landscape

Understanding of cyber and the cyber products on offer is changing rapidly, according to a panel comprised of Lloyd’s underwriting performance executive Christian Stanley, Ashley Page director-cyber & tech division Julie Donkin, and Hiscox UK lead cyber underwriter Stephen Ridley.

GDPR will change the way the industry deals with cyber, claimed Ridley, with more focus needed on an immediate claims response due to the 72 hour limit for notification of data breaches.

“Cyber is a very dynamic market,” Stanley said, adding that “we are evolving with the market as the threats evolve.”

Stanley explained that there is more to cyber insurance than FNOL – clients also expect ongoing risk consultancy after a loss.

Donkin highlighted a lack of broker understanding around cyber, though she said that by hiring cyber security professionals, insurers had ensured that there are fewer not-fit-for-purpose policies than 18 months ago.

Policy wording problems

If Donkin felt brokers lacked knowledge on cyber, next speaker UKGlobal director Richard Hodson had one answer why. In his session on selling cyber insurance, Hodson complained: “Insurers don’t help when it comes to selling cyber policies. The insurance industry is full of jargon, and when you add cyber on top it becomes more confusing.”

Hodson warned brokers that they must inspect policies carefully despite difficult language, as some omissions could spell big trouble. For example, some cyber policies exclude terrorism as standard and omit coverage for non-specific viruses (viruses not specifically designed to attack your business).

Hodson was not optimistic that GDPR was going to lead to a rush in SME cyber take up, though he did forecast more interest and expected SME clients would be asking their brokers more questions about cyber in the future.

So should cyber insurance wording and definitions be standardised by law to make it easier for brokers like Hodson? Perhaps not, according to a later panel comprised of DAC Beachcroft partner Hans Allnut, Biba Cyber Focus Group chairman John Pennick and Jelf insurance and risk consultant Gemma Sword-Williams. They discussed the challenge of non-standardised cyber policy wording and definitions.

Two on the panel were less inclined to standardise cyber policy wording. Sword-Williams felt it would stifle “creativity and innovation”, as well as reduce policy wordings to the lowest common denominator. Doing this could also boost price competition, she added.

“It is far too early to standardise cyber wordings,” Allnut agreed, though he did add that he could see minimum standards and terms in the future. Pennick, however, warned: “We [the industry] are looking at a mis-selling time bomb.”

SME v other market segments

CFC Underwriting head of incident response Anthony Hess gave the audience an insight into the different types of claims faced by large corporates and SMEs, explaining that for SMEs it is more about technical incident response than PR.

Although the numbers may not be huge yet for SMEs, they are growing. Hess says CFC saw 200 non-US SME claims over the last 13 months. 77 of these were from the UK.

Willis Towers Watson executive director Darryl Brophy offered delegates more insight into dealing with cyber as a large broker. In 2011 customers were more interested in risk management that purchasing cyber insurance, according to Brophy, but now this is changing. Smaller ransoms are making it easier for people to pay up.

Underwriters are now more focused on people risks, Brophy explained. Meanwhile, the cyber risks differ a lot from sector to sector.

One questions Brophy addressed was: How much cyber cover should a client be buying? Brophy did not need to think about the answer twice, responding with an emphatic: “As much as you can afford.”

Out of office

It is not just the workplace that is at risk from cyber attacks. HSB Engineering alternative distribution manager Paul Cullum spoke about the “false sense of security” that individuals have. In his own home he counted over 30 wifi-connected devices, all of which could be vulnerable to hackers. The internet of things (IoT) can leave homeowners vulnerable.

Cullum also introduced many in the audience to the concept of Twibel, or libel on social media, and warned that as families spend more time online they are opening themselves up to issues like online bullying. HNW individuals could be even more at risk from cyber attacks than organisations, Cullum warned.

Scottish Business Resilience Centre chief ethical hacker Gerry Grant and his assistant Aaron Cameron provided a live hacking demonstration. “Hacking is easy. You can watch YouTube tutorials on how do it,” warned Cameron.

Will it always be a case of running to catch up with hackers? Not quite, as Cameron continued, “It is not necessarily the case that hackers will be one step ahead of users. Hackers tend to be lazy. The majority of hacks are due to human error being exploited. One example is WannaCry, where a lack of software updates left computers vulnerable.”

Bolt-on or bolt off?

The final panel of the day was comprised of Swinton Business broking manager Lucia Grossi, Willis Towers Watson executive director Jamie Monck-Mason and Brit Global Specialty global cyber, privacy & technology underwriter Adelle Gruber. Panellists looked to the future of cyber insurance, covering topics including bolt-ons and market trends.

Bolt-ons proved controversial, with a majority of the audience siding with Grossi, who felt they did not offer secure coverage. Manchester Underwriting Management’s Richard Webb offered his view from the audience that there is room for bolt-ons for specific areas and risks.

Cyber is innovating

“Cyber remains one of the most innovative parts of insurance. It is as interesting as insurance gets,” Gruber enthused. There was plenty of space and demand for innovation, the others agreed.

In an increasingly digital landscape where cyber risk is evolving, insurers and brokers need to keep up with the pace of change. Cyber is not just an emerging threat, it is already here. It is man-made, progress-driven, and it bears down starkly on unwary businesses.