Cyber insurance ‘needs to evolve’ as it is ‘not the right product’ for the future – Hiscox

Cyber insurance policies “needs to evolve” because the product that is currently available for policyholders is “not really the right product for the market as it goes forward”, according to Aki Hussain, Hiscox’s group chief financial officer and incoming chief executive.

Speaking to Insurance Times following the publication of the insurer’s 2021 first half financial results yesterday (3 August 2021), Hussain explained: “I expect the product to begin to evolve.

“The old product, which is an indemnity product with a service component, that’s not really the right product for the market as it goes forward.

“Insurance is there for idiosyncratic events, whereas right now, with the onslaught of ransomware claims, the nature of that product needs to evolve.”

Hiscox’s financial report noted that cyber rates have increased on average by 20%, “primarily in response to the increased frequency and severity of ransomware claims across the industry”.

Hussain continued: “Our expectation is that rates will continue to increase and that’s reflective of the claims environment – there’s been quite a significant increase in ransomware claims and activities over the last couple of years and that’s being reflected now in the prices that are being charged. So, I do expect rates to go up.”

However, Hussain didn’t commit to making any predictions too far into the future around cyber.

“This aspect of the insurance world has evolved so quickly and so fast, any prediction I make is going to be out of date pretty much within days. I don’t see a change in the next six months I would say,” he noted.

Back to basics

Within its results, Hiscox said it “has experienced an increased frequency and severity of cyber claims across a number of markets, particularly in the US region, impacting both Hiscox USA and Hiscox London Market”.

Because the business spotted “early signs of this emerging trend three years ago”, it has “been undertaking portfolio actions since 2019” – this includes adjusting the group’s cyber risk appetite, implementing “corrective actions including repricing, focusing on customers with lower revenues in Retail and writing at higher excess levels in London Market”.

Hiscox also attaches “great importance to mitigation actions taken by customers, as human error is by far the biggest business vulnerability when it comes to cyber attacks”.

With this in mind, the insurer launched its Hiscox CyberClear Academy, a National Cyber Security Centre-approved cyber training programme, back in April 2018 for its small business customers with revenues under $10m (£7m) that perhaps don’t have their own IT departments.

The programme aims to help businesses learn how to counter cyber risks and develop a positive culture of cyber resilience.

“We train staff [on] the basics because once you drill into this, more often than not, it’s the basics that are forgotten, for instance clicking on an email when perhaps you shouldn’t, that then results in infiltration and ransomware claims,” Hussain said.

Over the last three years, Hiscox has trained 20,000 people from 5,000 businesses using this scheme. Hussain added that the insurer is seeing “the benefit of that in terms of claims frequency from those businesses is significantly lower”.

Hiscox has also introduced internal measures to accommodate its revised stance on cyber, for example training underwriters “at the same standard as IT security staff”.

It has also changed its cyber product – in the US, for example, Hiscox has “added new features such as co-insurance and a sub-limit for ransomware”.