Briefing: Will cyber insurance be the casualty of the next ‘black swan’ event?

By Editor Katie Scott

It’s fair to say that the Covid-19 pandemic has tested the insurance sector in a multitude of different ways and that alongside the list of industry successes and innovations, there is an equally prominent scorecard of lessons learned and ‘we could have done that better’.

The elephant in the room of any coronavirus conversation is, of course, business interruption (BI) cover and how this played out in both the High Court and the Supreme Court as a result of the FCA initiating its test case action.

The pandemic has hit insurers, and consequentially some brokers, both financially and reputationally, so it’s only natural that many in the industry are now looking forward to what could potentially be the next ‘black swan’ crisis event and what insurance policies may be tasked to respond.

Enter stage left: cyber insurance.

Chatting to Simon Laird, head of insurance at law firm Reynolds Porter Chamberlain (RPC), earlier this week, he agreed that cyber insurance could be “the next BI issue”.

He told me: “When people are talking about [cyber insurance] as potentially the next BI issue, in terms of testing an unknown against the policies that exist at the moment, I think that’s probably true. I think it’s slightly different to BI though - cyber is a maturing market, whereas BI is an established marketplace.”

He explained that regarding the pandemic, the UK hadn’t “really experienced something like this in terms of how the policies would respond”, especially bearing in mind the duration of the pandemic, compared to catastrophic events such as a storm or an earthquake, as well as the fact that there has been government intervention, “which nobody had anticipated would play out quite as it has”.

“You’ve got the same risk with cyber,” he added. “If you were trying to imagine another major catastrophic event which might test how a number of policies respond in a way they haven’t really thought about, you could dress up a roleplay scenario with cyber.”

The ABI’s director general Huw Evans also pointed to cyber insurance as having “certain parallels” to 2020’s BI debate when he addressed delegates at the trade body’s annual conference at the end of February.

He said: “If we’re going to look at any other single area of the market where we would be most worried there would be a repeat scenario, I think cyber is probably the most obvious area because it shares many of the similar characteristics.

“It’s an area that is typically underinsured – most businesses either don’t have cyber insurance at all or they don’t have sufficient cyber insurance.

“A major cyber attack can disproportionately hit small businesses that don’t have sophisticated defence systems and can’t afford to invest in them.”

As a product, cyber insurance is undoubtedly evolving as it attempts to keep pace with the new methodologies of cyber criminals, such as data exfiltration. And as Laird pointed out, it is still a maturing market compared with other commercial covers.

As cyber crime becomes more sophisticated, it’s not out of the realms of possibility to suggest a cyber-based catastrophic event could form the basis of the UK’s next black swan event and that cyber policies will, therefore, be pressured to respond to claims.

With this in mind, I wonder whether the proactive, service-centric element of cyber policies will be ramped up in the coming months and years to counteract any potential harms of this scale, or maybe firms that fail to take adequate cyber security hygiene measures will fall foul of policy exclusions?

Cyber insurance as a market continues to grow; it will be interesting to see whether this nervous undercurrent of it possibly being “the next BI issue” will play into its development and evolution at all.

In my mind, there’s no harm in being prepared. Cyber insurance is naturally more of a preventative service that is closely woven with risk management, so it certainly makes sense for players in this field to practice their set pieces, review policy wordings and look for potential coverage gaps they can fill or clarify.