Adrian Scott, head of cyber at Pen Underwriting, explains the nuances of cyber insurance and why this type of cover should be imperative for UK businesses
Despite having specialist underwriters who are prepared to provide broad, affirmative cover and brokers committed to helping businesses protect themselves effectively, the cyber insurance market remains a paradox.
Logic dictates that with the almost daily headlines around data breaches, ransomware demands and fresh phishing scams — not to mention the business paralysis and compromised capabilities that go hand in hand with this — UK brokers should be falling over themselves to ensure clients have comprehensive standalone cyber cover. And, you’d expect clients to be similarly hungry to offset their exposure.
Yet take up of such policies, while on the rise, continues to be lower than projected. The misguided notion that specialist cyber cover is only for the big brands continues.
The reality is that every company with any degree of dependency on digital systems faces real and rising exposure.
So, that means we first need to ensure we are asking the right practical questions of potential insureds - helping firms understand the risks they are running, as well as the high potential cost of resolving issues in terms of both hard financial costs and lost time.
Cyber cover is complicated, so the key is to make it relatable. We have to paint a clear picture of why it is a business imperative. That means understanding how long systems will be down. How much will that downtime cost? How many hours, days or weeks can you survive lost income from lost capability? Who will perform the response work? And who can you trust?
We need to stop thinking about cyber cover in the traditional insurance sense of an entitlement to financial compensation — that’s to say, you make a claim, it is adjusted and you receive a cheque. At its core, cyber insurance is a service proposition, pure and simple.
We need to start communicating the policy as the cavalry coming to the rescue — a dynamic, quick-responding ‘business capability protection’ toolkit with a single point of contact to manage a wide range of specialist services and teams of people who can understand exactly what’s happened and what to do next.
What use is a cheque when your systems have shut down, customer data lost, monies siphoned off, payroll and account information rendered inaccessible and strategic business plans or trade secrets stolen?
What you need are forensic services to determine causes and fixes, specialist legal assistance, crisis communications consultancy, restoration and recovery experts and individuals experienced in dealing with cyber criminals, who understand how to orchestrate a bitcoin payment if needed. And fast.
Sourcing these specialist skills is not in the traditional skill set of a chief executive or business proprietor.
When crisis hits, and it is a crisis in all senses of the word, customers need tailored, real-time support and intervention to recover as quickly as possible and minimise long-term damage. That’s the value that dedicated cover brings. The ability to restore businesses’ capability for its vendors and customers.
Choosing to self-insure against such risks doesn’t just mean having to potentially fund thousands of pounds worth of losses out of your own cash flow; it means not having the skills in-house or easily available to tackle the crisis you’re facing when time is of the essence.
Only with the right interventions can businesses hope to overcome the commercial paralysis that inevitably goes hand in hand with cyber incidents.
In the simplest terms, standalone cyber insurance is a response solution to a whole bunch of problems that your clients can neither afford or will have any idea how to figure out.
From a business downtime, reputational damage and rising cost of losses point of view, can any UK business really afford to keep cyber risk on their own balance sheet?