Manchester Underwriting Cyber Q&A: Insurers must illustrate cyber threats to SME's

Which cyber event would you say has caused the greatest ramifications for the Insurance industry?

”There are a number of large US breaches which led to a brief hardening of the cyber market in 2015 and for the UK, the WannaCry cyber-attack, and its impact on the NHS, perhaps illustrates the potential impact of a broad focussed event. However, one of the most influential events would, in my opinion, be the decision in the case of Vidal-Hall vs Google, which opened the doors to compensation claims for pure distress rather than financial damages as a consequence of a data breach.”

Do you think GDPR has the capacity to create chaos through the insurance industry supply chain on the scale of the PPI scandal?

”I don’t anticipate that GDPR will create chaos through the industry.”

What do you feel will be the grey areas of GDPR?

”How and when an organisation should notify individuals who have been affected by a data breach, required when the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms.

Given their broader powers, to what extent is the ICO going to flex its muscles and impose more stringent sanctions than they have to date, and will any such financial penalties be insurable?”

The longer it takes a company to contain an attack, the costlier it will be, what do you feel is an acceptable dwell time and what can be done to reduce dwell time?

”It’s not possible to define an acceptable dwell time as that depends too much on the particular set of circumstances. Assigning key roles and responsibilities as part of a robust Incident Response Plan (IRP) is critical, as well as regularly testing the IRP against realistic scenario’s including, where possible, 3^rd party service providers as part of the IRP testing.”

Assuming hackers and fraudsters have bigger fish to fry is a classic SME mistake, therefore why do you feel there is still a reluctance amongst SME brokers to take this threat seriously?

“I don’t agree that there is a reluctance amongst brokers to take the threat seriously. However, I do think that brokers face a stern test when educating themselves and their clients about cyber risk and this is made more difficult by an array of policy wordings which all use subtly different policy language.

The media coverage often works against brokers with SME clients as only the larger events are publicised and there is little coverage given over to the threat faced by SME’s. It’s no surprise that SME’s feel that the threats are quite remote as there is a lack of connection.

Insurers need to do more to illustrate the threats to SME’s and help brokers so that their SME clients can make an educated assessment of their risk and determine whether or not cyber insurance should be part of the solution.”

What key points should SMEs and their brokers/MGAs look for from their cyber coverage and support?

”Cyber coverage is about much more than indemnification of losses. It generally includes a breach response solution and SME’s need to be certain that they understand why this is important, how the third-party response services will work in practice and how it will complement their own incident response plan.

It is a complex class of insurance with multiple heads of coverage, which to a greater or lesser extend can overlap with other insurance classes such as Professional Indemnity, Crime and D&O. However, the insured will not want to be engaged in a policy dispute as to which policy should respond to a cyber-loss. Particularly, when they have gone to the trouble and expense of purchasing a standalone cyber insurance. As such, the policy language should be structured to be primary to the other applicable insurances.

There should be no retroactive limitation under the policy. So long as there was no prior knowledge of a loss event, it should be covered by the policy within whose period of insurance the loss is discovered and notified.”

The head of UK’s National Cyber Security Centre Ciaran Martin said Britain is fortunate to have avoided a major attack already and that total protection is almost impossible, do you share this view and if total protection is impossible how do businesses achieve near full protection?

”Yes, there is no doubt that the threats are persistent and constantly evolving and that GB has been fortunate to date.

Near full protection means different things to organisations of differing complexity and maturity as well as to organisations within different industry groups. There is a balance to be struck between continued investment in physical and technological security and risk transfer in the form of cyber insurance. This is where a well-structured cyber insurance can help to plug the gap, always provided that the organisation has adopted a sensible security posture relative to its risk.

Perhaps one of the most obvious gaps in any organisations armour is within its relationships with outsourced service providers, such as cloud service providers. Typically, cloud service providers will offer very limited or no contractual indemnities at all in the event of a service failure or data breach. This leaves the organisation in a position where their continued operations may be at the mercy of the cloud service providers’ security investment, which we all accept cannot achieve total protection. Some cyber insurances will indemnify the insured in respect of such failures at third party service providers.”

The use of automation and emerging technologies is transforming the insurance industry; will this lead to greater cyber exposure for companies?

”As technological dependencies increase, so we should anticipate greater exposure to cyber disruption. However, this should be tempered by a much greater sensitivity to cyber risk with awareness and better practices pervading the insurance industry.

GDPR also requires data protection by design and by default, so this should be an integrated aspect of any automation or development of technology to support the organisation.”