Lockton's Brett Warburton Smith on the impact of GDPR, 'poor brokers' and the progression of cyber insurance

What still prevents cyber from becoming a must for the SME market?

I think that it is a combination of things. A lack of knowledge, general misunderstanding of what it offers and how it works are most likely.

Poor broking, poor articulation of the coverage and a general feeling that you won’t be hacked are also factors..

Furthermore, many SMEs rely on third party providers, the cloud etc, to offer a secure environment and whilst they rarely offer 100% security, SME’s expect the third party to secure their data giving a false sense of security.

What are the major difficulties when putting a cyber product together?

Again, I think it is misunderstanding of what it covers and how it works partly driven by poor brokers being confused with which elements of cover sit within a crime, cyber or professional indemnity policy.

An element of miscommunication between the finance and IT teams can make it difficult to put a cyber product together. Often the FD instructs the IT person to complete the proposal form in order to secure a quote. The IT team naturally can feel defensive and, as we know, giving binary Yes and No responses to what appear to be simple IT security questions can be difficult.

What are the main implications of GDPR for the cyber market right now?

GDPR has been a very good tool to help brokers raise awareness amongst their clients of the impact of a cyber-incident. It has been the catalyst for many companies to explore and investigate specialist cover. Some have decided to purchase cover but many have not.

Interest has been heightened but few are buying solely because of GDPR. This may change as Regulatory investigations occur and the costs associated with these becomes clearer. Coverage for GDPR fines is still a topic up for discussion; if it transpires fines are insurable, very unlikely in my opinion, interest and SMEs binding cover will increase markedly. If compensation and litigation rises premiums will have to increase in time. The market is very competitive currently with little room to soften so any frequency in legal action will likely impact pricing reasonably quickly .

Is it up to the insurance industry to educate SMEs about cyber threats?

I don’t think its solely the insurance industries responsibility to educate. I believe it’s the SME and the specifically the company directors who should make themselves aware of the threats out there. It’s then the brokers job to explain how a policy could help protect against the different threats but awareness needs to start at the company level. In general, most companies are quite surprised by the breadth of the cover available and the capacity available. If communicated effectively with an articulate and succinct explanation of the cover this will certainly create more opportunity, there is no question.

How do you see the development and the future of cyber insurance in the next five years?

It will continue to evolve around aspects such as non-damage business interruption, system damage and reputational harm. Dependant on Regulatory action associated with GDPR its likely to become a little bit more expensive in the future too.

Would you say that the rate of progression in preventing cyber-crime is enough or should more be done?

No, I don’t I think progression in preventing cyber-crime is enough. But we are doing a lot more now than we have done before.

Is it fast enough? No, of course it is not but then you’re never going to keep up with the malicious criminals, are you? They are quite willing to invest a lot of money in targeting sensitive data in order to secure a lot more money by selling or holding the organisation to ransom. Keeping ahead, or even apace with the fast moving world of cyber criminals is virtually impossible.

They are always a step ahead of everybody?

Yes, most certainly.

So, what can the audience expect from you at the Cyber Insight event next month?

I suppose a number of years’ experience dealing with and extolling virtue of what cyber insurance can do and how it can help organisations protect their revenue stream, profitability and ultimately ongoing success.

And finally, why should people ultimately come to Cyber Insight and why is it important right now?

If the focus is the SMEs and third parties that the brokers and intermediaries are targeting, I think it should be on the tip of every one of those brokers’ tongues when they are talking to their clients. If they’re not talking about it then a competitor of theirs will be. If nothing else they are protecting their own position. In my experience people/clients are genuinely interested in the subject because it goes beyond a corporate subject, impacting clients personally. It is quite an emotional subject.