Penetration for cyber insurance in the UK remains low but there are many reasons why firms do not buy it

James Burns, cyber product lead at CFC Underwriting, divulged some of the most common objections from firms not buying cyber insurance at BrokerFest yesterday.

These objections included:

  • We invest in IT
  • We are not responsible
  • We don’t collect data
  • We are too small
  • We don’t think cyber insurance will pay out

This comes as the penetration rate for cyber insurance remains low in the UK, hovering around the 10% mark.

This, Burns said, was partly due to brokers’ comfort levels with selling the product.

But since there is a huge uptick in cyber claims activity across the globe, many firms would benefit from having effective cyber insurance in place to bolster their resilience in the event of an attack.

Comfort levels 

He said: “I think part of the reason for that low penetration rate is accessibility of product for clients.”

This is partly because of brokers’ comfort levels with selling the product, as well as cyber as a product having been overcomplicated.

Burns also pointed out that the mindset that the firm is not responsible in the event of a cyber breach does not align with privacy laws.

According to privacy law, businesses are held accountable if there is a data breach.

However, he added that when dealing with clients, it helps to explain to them that there is a difference between risk and vulnerability.

“As insurance professionals, what we should be adept at doing is identifying what the financial, economic and reputational impact could be of an event once it’s happened,” he said.

This is because plugging holes by investing in IT could make an event less likely, but it doesn’t necessarily protect the business and won’t stop a rogue employee, for example.

Burns also mentioned the dangers involved for clients not storing data with a third party. He referenced the SSP outage in 2017 that left hundreds of brokers unable to operate, with some brokerages subsequently switching to different software houses.

Burns said that “it irks him” that some firms do not think that cyber insurance pays out. He reminded the audience that many of the reported cases tend to be bigger companies.

Finally, he concluded that as cyber-attacks are always evolving, investing in IT may only protect the firm at a certain point in time. CFC’s data confirms that cyber risks are always changing.