Smaller firms are more inclined to lean on silent cyber cover, says Walid Youssef, head of financial institutions at Travelers Europe
Many small to medium-sized financial institutions are holding out on buying dedicated cyber insurance – even though big banks have been buying cyber policies for a long time. This contrasts with what we are seeing in professional services, like law firms or engineering companies.
Smaller firms sometimes assume they are sufficiently protected by ‘silent cyber’ cover – the potential cyber protection contained within a traditional commercial insurance policy.
While these policies are originally designed to cover non-cyber aspects of a business, they might still be used to pay a cyber claim. A professional indemnity or civil liability policy might help cover cyber claims, for example, but it leaves less money in the pot for what that cover is actually meant to protect.
New cyber security research from the UK government, published in January this year*, confirmed that businesses are not going far enough to protect themselves from a breach or attack – and the consequences are damaging.
It found that among the 39% of businesses and 26% of charities that identify breaches or cyber attacks, one in five lose money, data or other assets. A cyber prevention framework that includes standalone cyber insurance can help a business contain those losses and eliminate gaps in cover. This is increasingly important as cyber risks evolve and financial institutions become more interconnected.
When traditional insurance is used to cover a cyber breach, it often leaves gaps. A liability policy could cover a claim for a liability resulting from a privacy breach, but it may not cover the costs of notifying individuals, as required under the General Data Protection Regulation (GDPR), or pay out for the IT forensic work needed to determine the extent of the breach.
These post-breach services, which are central to standalone cyber policies, are critical to getting a business back on track after a breach. The minutes and hours after a breach are often where cyber policies prove their worth.
As part of a regulated industry, financial institutions have generally had better cyber controls than businesses in other sectors.
While financial institutions have experienced breaches in recent months, ransomware claims have hit other industries harder. When the industry as a whole has yet to experience significant claims, it can be challenging to prove the value of standalone cyber insurance.
But the risks are changing. Ransomware is no longer about stealing information. It’s about preventing access to the insured’s critical systems and threatening to publish confidential information, as well as demanding multiple ransom payments in the process.
As cyber threats evolve, so will insurance protection. Lloyd’s recently voiced concerns that silent cyber poses unexpected risks to insurers’ portfolios, which will require insurers to take more active steps to reduce ambiguities.
Protecting financial institutions from these threats is a fundamental concern we’ve had for a long time. By working together with our broking partners, we can help reduce these threats and risks for our clients.
*Source: 2022 cyber security incentives and regulation review, Department for Digital, Culture, Media and Sport, published 19 January 2022 (www.gov.uk/government/publications/2022-cyber-security-incentives-and-regulation-review).