In the first of a series of nine articles ahead of Cyber Insight 2018, James Burns, cyber product leader at CFC Underwriting, spoke to Insurance Times’ Ekaterina Dimitrova about the struggles of creating a cyber policy.

What still prevents cyber from becoming a must for the SME market?

For me, it is still probably confusion, particularly in the UK market. Looking at the history of cyber insurance, I think cyber insurers have been particularly bad at communicating what it is and what it does.

It is still in a place where you have got multiple markets offering multiple products all with slightly different names with slightly different coverages.

So I think that confusion is what really is still potentially acting as a barrier to the development of the SME market in the UK.

Is it progressing enough or is it still pretty slow?

It is definitely moving in the right direction.



Different carriers are offering different coverage enhancements in different ways, which can add to the confusion, because, you know, brokers are now trying to set up a product which says it does all of these other things, and making that relevant to the end-buyer can become more difficult.

But I think the fact that carriers are willing to enhance products and broaden coverage does mean we are moving forward and hopefully it means we are arriving at a place where the product is appealable to a wider range of businesses.

What are the difficulties when putting together a cyber liability product or policy?

The biggest difficulty actually is not necessarily in the policy wording itself, we are talking about cyber products, we are talking about the wording but the most important part is the infrastructure that actually sits behind it. And without doubt, that is the most difficult part of any cyber proposition.

It is easy for any insurer to release a piece of paper with some contractual language on it, call it a policy, but then actually having the claims infrastructure which sits behind that offering is the really hard part that we have sort of learnt throughout the past twenty years that we have been doing this.

It has taken time, resource and effort to really build up a capability, build up the right people within our claims department and underwriting function to make sure we are offering more than just a piece of paper, so I think that is without doubt the most difficult part of cyber.

And the changing demand? Recently, with GDPR so you’ve got to change the infrastructure to adapt.

Absolutely, you have got to be adaptable, and that is something that not every insurer is able to do. I think it helps if cyber is a big part of the overall business because it means that you can prioritise it in ways that perhaps other types of business can’t.

GDPR is a really good example, the way we have looked at how are we going to adapt our offering to account for that new exposure and being nimble and agile and be able to react quickly is something that cyber insurers should be able to do but I don’t think it is necessarily that easy.

Is it up to the insurer or up to the customer to be able to understand the policy wording?

The insurer. That is one of the big challenges: making the wording accessible and making sure that we are clearly communicating what the product does.

It is easy to lapse into lots of jargonistic language with a product like cyber where by its very nature it is new age, it is digital, it is technology-based. It is very easy to suddenly fill a policy wording with lots and lots of terms and phrases that most people wouldn’t necessarily understand.

I think keeping the policy accessible and digestible is really important. It is one of the biggest challenges as well, making sure that we are continually enhancing it and adapting it to counter new threats as they come along. The threats are always changing so we need to be changing too.

How can these clients be better educated and understand that this is actually a huge threat?

For me, it is all about knowledge sharing in a way that is relevant. Cyber attacks and cyber threats get huge levels of press coverage in this country and around the world. There is always something in the news about some sort of a cyber attack but usually affecting very large organisations or organisations that the public might have an interest in.

It’s great in one way because it raises the general awareness of cyber risk but in another way it can make it feel detached from your everyday organisation, so I think the onus is on the insurers, especially the insurers who have been doing it for a while because they have got the experience with claims.

Obviously, it is good to take note of these big events that are happening on a global scale but actually we have got companies such as XYZ who have suffered these events in real life and here is how the event impacted their business, here is what the costs were to their business and here is how the insurers responded and that is something that we do at the moment.

We have got a big campaign now that we are trying to release at least one in-depth cyber claims case study per month and the idea is that it picks an industry and it goes into depth obviously an anonymized example of a real-life case of a client of an insurer of ours that have had a cyber event and all of the fallout from that. And I think if we can push more of that content onto our brokers they can share it with their clients and suddenly the clients are looking at examples that they can say ‘that can actually happen to us’.

Cyber insurance has been growing rapidly over the past ten years, what would you say will happen in the next 5?

I think it is going to go mainstream. I think that is almost inevitable, we are talking about exposure which affects nearly every single type of entity in every single territory and I think demand for protection against digital threats is going to grow as the nature of those digital threats grows and becomes more pronounced.

I think from an insurance market perspective, there are still probably quite a few twists and turns to come. Insurers are still trying to get to grips with what cyber risk looks like on their books.

We are still in a place where we are seeing how claims develop, what loss ratios are going to be and there is already a divergence between the insurers who have been doing this for a while. They are starting to build a lot of claims data, there are lots of new places where they haven’t necessarily built their claims data and that makes it a really interesting market place.

You have got development of products and if you have got different insurers with different experience, it means that there are mixed messages.

If it goes as mainstream as you say, can the government step in and make cyber insurance compulsory?

There is definite potential, it is difficult to tell. I think it’s become mainstream, there are lots of mainstream lines of insurance that aren’t necessarily government mandated. I’d compare it more to a property type insurance as opposed to maybe car insurance, where car insurance tends to be lots of big third-party liability, whereas in cyber claims we see 95% as first party. So, it is definitely a possibility, but it is one of those ones that depends on appetite of government to do something like that.

What can the audience expect from you at Cyber Insight?

Hopefully some unique insight to what this class is all about. But I think CFC are fairly uniquely positioned. Cyber has been at the forefront of our business for nearly twenty years now. We have seen a risk landscape change, we have seen products change and the market develop. But I think most importantly we insure over 30,000 businesses against cyber risk.

We have been the first responders to thousands of insureds that have suffered cyber attacks and I think that gives us real life experience to share, which I think is invaluable, so hopefully as part of the panel session I will be on, we will be able to share some of this real life experience and I am looking forward to debating the questions with the fellow panellists.

Why should the delegates come to Cyber Insight 2018?

Cyberattacks are the biggest threats faced by businesses today and it is a threat which doesn’t discriminate by size, doesn’t discriminate by industry, doesn’t discriminate by territory.

So, the conversation really is relevant for absolutely everyone and I think events like Cyber Insight provide a great opportunity for brokers to get up to speed with the latest developments, both in the risks that customers face, how insurers are responding and how it can better articulate the benefits of the product to support brokers and sales process.


James Burns is appearing on the panel discussing whether cyber should be in a standard commercial product or as a separate one.
