February Big Question: Could the increasing demand for cyber insurance see it becoming compulsory in the future?

Neil Hare-Brown, chief executive, CyberDecider

Mondelez’s $100m claim against Zurich will be the first major test case for cyber insurers and one that throws into focus the desperate need for clarity around cyberinsurance policy wordings.

Demand for cyberinsurance is rising, for many businesses systems and data now hold more value than their premises, and soon cyberinsurance will be a higher priority than buildings insurance for most.

Managing cyber risk will never be an easy task because of the constantly evolving nature of the threat, yet it has become a key concern for most boardrooms because an attack could have disastrous consequences.

Cyberinsurance is fast becoming a compulsory purchase for businesses that take a proactive approach to managing cyber risk, particularly as any sophisticated investor will demand assurances that core cyber assets are insured properly.

Nicholas Hartley, head of business improvement and innovation, Ecclesiastical

Compulsory insurances such as Employers’ Liability and the Road Traffic Act required an act of parliament to make purchase a legal requirement. These were introduced to meet the cost of compensation for employees’ injuries or cover a road user’s legal liability for injury to others and damage to their property rather than compensating a business.

Whilst statistically speaking, organisations in the UK have a greater chance of being impacted by some form of cyber attack than a physical break in and it is probable that the UK will face a significant attack sometime in the near future, I believe it is unlikely that the government will make it mandatory for businesses to purchase cyber insurance.

As companies develop a greater understanding of both the regulatory and financial implications of not having cyber insurance the sector will have to adapt. I predict that we will see the development of enhanced cover, greater inclusion within existing product lines for small businesses and improved preventative solutions that help customers understand their cyber risk and meet the ever-changing threat landscape.

Tim Smith, partner at BLM

There is no doubt that for many businesses buying cyber insurance would be a very good idea. To this extent I think it will become a ‘compulsory purchase’ in the same way that property or D&O insurance is. However, I do not expect it to become ‘compulsory’ in the sense that the Government will make it obligatory. This has tended only to happen where physical injury can be caused e.g. in EL/PL or where professional bodies have required it. Nevertheless it seems inevitable that more businesses and individuals will buy cyber cover either because it is a good idea or because business partners insist on them doing so.

Erica Constance, portfolio manager, cyber, QBE Europe

Cyber insurance is unlikely to become a compulsory insurance for all businesses in the near future. However, as technology becomes increasingly integrated in critical infrastructure it would not be out of the question for these companies to be required to protect their cyber risk.

There are few compulsory covers for all businesses, which mainly cover physical damage/bodily injury. What we are likely to see is cyber insurance becoming a catalyst in setting minimum standards of risk management in much of the same way other types of cover have set safer standards, for example, the requirement of sprinklers to obtain property insurance.

Erica Mordue, senior broker at Shepherd Compello

The fact that cyber insurance is not compulsory is worrying because around 60% of UK small businesses experienced some kind of on-line data breach which costs £75,000 on average per breach to remedy. With cyber policies costing anything from £100 upwards, surely it makes sense to protect companies against data loss or breaches just as you would against fire, theft and property damage.

Whilst cyber is not compulsory in the UK, most companies in the US buy cyber as a matter of course mainly because US companies are ‘tech savvy’ and also 46 out of the 50 US states have called for cyber to be a compulsory class of insurance.

Mark Hawksworth, global technology specialist practice group leader, Sedgwick

Maybe one day, but not in the foreseeable future (over the next five years at least). The problem is that people tend to purchase cyber cover for their breach exposure, when the truth is that they have other significant exposures such as fraud and loss of turnover.

People are still reticent to buy cyber cover; the market probably needs to be exposed to more cyber incidents with larger financial and more widespread losses which may stimulate a mandate for compulsory cover. Financial penalties will drive the purchase of cyber insurance because directors with an exposure need to protect themselves and their businesses.

If cyber events escalate significantly to the level where incidents become pervasive, ultimately I could see the possibility of such cover being made compulsory.

James Gordon, managing director, cyber and technology division, BMS

Compulsory insurance usually exists to protect an otherwise innocent party from the negligence of others. As a product, cyber is still in its relative infancy: whilst awareness is rising, penetration remains relatively low.

However, cyber incidents increasingly threaten not only financial loss to third parties, but also both physical and property damage.

If it were to become compulsory, it would likely be specific to highly regulated industries, such as certain areas of financial services or the healthcare industry (where highly sensitive patient data and use of network connected critical life support equipment can be compromised). Becoming an obligatory purchase is still a long way off.

James Burns, cyber product leader, CFC Underwriting

There is definite potential, it is difficult to tell. I think it’s become mainstream, there are lots of mainstream lines of insurance where there aren’t necessarily government mandated. I’d compare it more to a property type insurance as opposed to maybe car insurance. Where car insurance tends to be lots of big third-party liability, whereas in cyber claims we see 95% as first party. So, it is definitely a possibility, but it is one of those ones that depends on appetite of government to do something like that.

Rose Howarth, insurance expert at MoneySuperMarket

Whilst cyber-attacks are a very real and consistent threat to businesses, regardless of their size or client type, cyber insurance remains in its infancy as a product and relatively unknown across the market. Risk awareness of cybercrime and the threat this could have to your business still needs to be addressed.

With this being said, cyber insurance is unlikely to become a compulsory purchase in the near future. However it will no doubt become a recommended purchase and only compulsory if contractual by third parties or regulatory bodies.

Joshua Motta, chief executive and founder of Coalition

To some extent, it already is. A growing number of corporations now contractually require the purchase of cyber insurance by all of their business partners. I believe this trend will only continue to grow.

Beyond this, and with the growing regulatory focus on data breaches and privacy violations, the mandate to purchase cyber insurance could well expand. It is no longer out of the question that regulators might require cyber insurance coverage in a similar way that companies must purchase workers compensation insurance today. Public sector mandates are more likely if private sector solutions fail.