EXECUTIVE INSIGHTS SERIES
CYBER INSURANCE

CYBER 2021
What changes has COVID-19 brought to cyber insurance – and how will it continue to evolve in a post-pandemic world? IBUK finds out

CYBER INSURANCE FROM PEN UNDERWRITING

Our Cyber Insurance cover offers one of the broadest wordings on the market. We can provide comprehensive cover against cyber attacks and cyber crime to almost any business with up to £600M turnover.

Why Pen?
• Online quote system, Pen Central
• No long applications
• Most quotes generated in minutes
• Bind online with instant document availability
• Range of limits available

Whether you’re talking to the Head of IT at your client’s firm, or a sole-trader, they should be able to answer our simple question-set and get a quote from Pen Central in a matter of minutes.

www.penunderwriting.co.uk
Pen Underwriting Limited is authorised and regulated by the Financial Conduct Authority (FCA number 314493). Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 5172311.

CYBER INSIGHTS 2021
Industry leaders respond to brokers’ most pressing questions about cyber insurance
WHAT A DIFFERENCE a year makes. Cyber insurance has grown steadily in uptake over the past decade, but it’s really over the last year that it has enjoyed accelerated recognition. The rapid shift to remote working enforced by COVID-19 lockdowns has raised the profile of cyber risk, even among organisations that never considered themselves vulnerable before.

A recent study by the City of London Corporation and Accenture identified cyberattacks as among the greatest risks to the world economy as society moves to a digital-first standard post-pandemic. Corroborating this concern, a report on the state of the cyber insurance market from claims resolutions firm Mactavish found a “dramatic” increase in the number of cyberattacks in the past year and suggested that the pandemic may have helped exacerbate this problem. Meanwhile, data from the National Cyber Security Centre reveals a 10% increase in cyber incidents between September 2019 and August 2020, 194 of which were categorised as COVID-19-related.

Cybercrime is an epidemic, according to Tom Reagan, Marsh’s cyber risk practice leader for the US and Canada. While facing the COVID-19 pandemic, business leaders have had to recognise the role digital operations will play in the future of work. Anxiety around cyber is at an all-time high, and correspondingly, the cyber insurance sector is in a place of transition.

A key element of this transition has been the changing profile of companies that are aware of the threat cyber risk represents to their business continuity. Tom Spier, commercial director of global markets at Cyberscout, told IBUK in a recent interview that the cyber insurance sector’s traditional focus on commercial lines products and large corporate risks has only recently shifted to encompass businesses in the mid-market space, where brokers and insurers have long struggled to convince companies of the need to protect themselves. Maya Bundt, Swiss Re’s head of cyber and digital solutions, notes that COVID-19 has enhanced how aware businesses of all sizes are of the protection gap they face. The pandemic has blurred the lines between what a private individual does on a home computer/network and what a business does, Spier adds, which is opening organisations’ eyes to the vulnerabilities their employees represent.

While US companies have traditionally accounted for most cyber insurance uptake, the sector has become increasingly popular in the UK in recent years, according to the Association of British Insurers (ABI). In the fourth quarter of 2020, the ABI found year-on-year growth of between 25% and 50% within participating UK cyber insurers. However, in an interview with IBUK, CFC cyber development leader Lindsey Nelson noted that, despite significant strides, the UK cyber market still only has a penetration rate of about 10%, and more must be done to encourage greater uptake by businesses of every size.

The ABI’s report emphasised the important role brokers play in the cyber insurance value chain. According to an insurer interviewed in the report, larger businesses often deal with specialist cyber brokers, while small companies tend to deal with generalist brokers. Whether a cyber specialist or a generalist, all brokers operating in this space must identify and quantify clients’ exposure, source appropriate cover, and effectively communicate the need for this cover. It’s the latter of these responsibilities that has come into focus in recent months as brokers have been recognised by insurers as the front line of communicating the value of cyber insurance.

For brokers, meanwhile, the nature of this obligation has been intensified by two key changes to the landscape. First, the business interruption insurance test case taken out by the FCA has emphasised the need for brokers to explore the full extent of the risks faced by their clients and the legal recourse available to those who feel they haven’t been adequately protected. Linked to this, the increased threat and severity of cyberattacks on UK businesses means that now more than ever, brokers must educate clients not just on the need for cover, but also on the proactive cybersecurity services that can offer protection.

Given the complexity and ever-changing nature of the cyber insurance market, IBUK reached out to four experts in the space to explore the key themes and questions likely to dominate the sector in 2021, from the ongoing impact of COVID-19 to newly emerging threats. Through their insights, this report aims to provide brokers with an enriched view of both the challenges and opportunities of the cyber insurance market in 2021.
Mia Wallace
News editor, Insurance Business UK

www.insurancebusinessmag.com/uk
MEET THE EXPERTS
Hamir Patel
Head of cyber, Pen Underwriting
An actuary by profession, Hamir Patel joined Pen Underwriting five years ago and is currently responsible for the performance and development of Pen’s dedicated cyber practice. Launched in 2016, the cyber practice is focused on devising and delivering cost-effective, comprehensive cover solutions to protect businesses against fast-evolving digital risks, while providing emergency cyber incident response and service restoration. Its online facility enables broker partners to quote and bind SME cyber risk in less than five minutes and is underpinned by a team of experienced specialist underwriters with open market capacity for larger accounts.
Simon Hughes
UK cyber team leader, CFC Underwriting
As the UK cyber team leader at CFC Underwriting, Simon Hughes manages a team of 10 underwriters focused on supporting UK brokers to deliver cyber insurance solutions that meet the needs of their clients. In addition to educating brokers about the evolving cyber risk environment and developments at CFC, Hughes works closely with colleagues across CFC’s 100-plus global cyber underwriting and claims teams, constantly reviewing policies, risk management and claims services to ensure CFC continues to set the benchmark for the market.
Tom Draper
Head of cyber, Gallagher
Tom Draper set up Gallagher’s cyber practice in 2012. The practice is responsible for supporting Gallagher partners and clients globally on cyber risk products and services, including professional services liability, cyber liability, privacy and network security liability, media liability, and patent liability. Prior to joining Gallagher, Draper held senior positions at Lockton Companies, where he worked predominantly on US-focused exposure, and at Willis Group Holdings, where he focused on major European technology and cyber risks.
Davis Kessler
Head of cyber, Travelers Europe
Following five years of private legal practice, Davis Kessler joined the Travelers product development team in the United States in 2012 and quickly began focusing on cyber coverage issues. In 2018, Kessler transitioned to Travelers Europe to develop the company’s standalone cyber proposition. He has led the cyber underwriting team since launching that product in May 2018.
How has COVID-19 impacted the cyber landscape, and what should brokers be aware of in 2021?

Hamir Patel: Without doubt, the onset of the global pandemic in March 2020 shifted an already shifting cyber landscape significantly. It increased the vulnerability of businesses and individuals and created something of a perfect storm in terms of heightened risk. Almost overnight, the sudden and wholesale shift to remote and online working for large chunks of the population created a vastly expanded potential surface area for cyberattacks. Not only did this uptick in exposure relate to the increased likelihood of successful malicious attacks – with many forced to work outside of secure networked environments, alongside a concurrent surge in IT dependency – but the rapid, unplanned change to unfamiliar ways of working also resulted in a greater number of inadvertent and accidental data breaches.

To put this in perspective, six months after the announcement of the first lockdown in the UK, we registered a 150% increase in claims relating to both spoofing – a broad term covering a range of criminal activity that disguises the true source of a communication, including the familiar social engineering tactic of phishing – and accidental data breaches. In short, the COVID-19-related perfect storm of unprecedented circumstances undoubtedly increased the risk, especially relating to human error, which has always been a significant driver of cyber claims. This then layered onto a landscape that had, in 2019 into 2020, seen an exponential increase in ransomware attacks and social engineering incidents.

That said, as we move through the first months of 2021, we have reached a point where the worst period of exposure for companies should have passed. This is thanks in no small part to the concerted efforts and actions throughout the remainder of 2020 by many organisations, small and large, in refining their approach to remote working. Whether that has involved the purchasing of suitable equipment and software or implementing more robust processes, protocols and procedures, the net effect is that it will have increased their resilience and mitigated the risk of loss and disruption. So the ‘COVID effect’, as it relates to the risk of cyber losses, remains high, but arguably not as high as a year ago.

It does, however, leave a legacy of lessons learned – a legacy that brokers and their clients need to be alive to. All cyber underwriters will now be placing a greater emphasis on controls around processes, system security and training. Active engagement with risk management and mitigation measures will be even more important going forward, as will the ability of insureds to demonstrate they are engaged in their own cybersecurity and care about their resilience. Cyber is no longer a peril where brokers and their clients should expect to find an underwriter with the appetite to quote unless they can demonstrate they take their cybersecurity seriously and be willing to detail the steps taken to mitigate their exposure. No organisation can ever be 100% secure, true enough. But no building can be 100% secure, and yet we still put locks on doors. So the effective utilisation of the plethora of risk management tools now available – whether that’s scans which monitor and detect cybersecurity risks or certification schemes such as the government-backed, industry-supported Cyber Essentials – will become a more expected and valued prerequisite as the market matures.

Tom Draper: The pandemic changed the way we live and work instantaneously, with an increased reliance on technology providing cybercriminals with a new means to attack businesses with greater levels of intensity and frequency – around a quarter of the incidents the National Cyber Security Centre [NCSC] responded to in 2020 related to COVID-19. Shifting almost overnight to remote working in March last year proved to be a logistical challenge for many organisations, but also a prime opportunity for cyber criminals to exploit vulnerable home workers. Organisations of all sizes have seen a marked increase in phishing attacks in particular, preying on employees’ fears by encouraging them to open infected attachments and links or to enter their credentials via email. Examples include emails offering COVID-19-related tax relief, links to masks and hand sanitiser, and warnings about fines for breaking lockdown rules. Weaknesses in cybersecurity in employees’ homes have also been exploited, with the increase in video conferencing, remote access and virtual private network [VPN] services expanding the attack surface that cybercriminals can exploit to gain entry into a corporate network.

The new cyber risks brought about by the pandemic present brokers with an opportunity to further entrench themselves as trusted advisors, helping clients navigate the changing cyber risk landscape, assessing the full scope of their risk and arranging suitable cover to insure them against any new risks they are exposed to. Business interruption coverage has drawn heightened attention in recent months due to the pandemic-related shutdowns and their ongoing disruption of commerce around the world, and has highlighted the need for brokers to provide clients with clarity about what may or may not be covered in their cyber insurance policy, given the complex and varied policy language that exists in cyber policies from insurer to insurer.
THE CYBER PERCEPTION GAP AMONG SMEs
15% of SMEs have purchased cyber-specific insurance coverage
91% of SMEs say they’re concerned about cyber risk
60% of employees at micro-SMEs have received no cybersecurity training
48% of SMEs rate cybercrime as a top risk facing their business
Source: Sedgwick, 2019
Simon Hughes: There has been a consistent headline running through many media channels – including our own market titles – over the past year that a remote workforce must naturally mean that businesses have increased exposure to cyber risk. It’s an understandable narrative; however, our data has shown us that claims were increasing long before COVID-19. Even in parts of the world where some form of normality has returned, claims are still on the rise. Rather than increase the exposure for clients, COVID-19 has significantly increased awareness amongst businesses, which were forced to critically look at their internal practices and transform their IT security – or lack thereof – overnight. As a result, we have seen a surge in demand for cyber policies. And whilst the scams cybercriminals are undertaking may look slightly different, our experience has been that it’s the same old tactics. Over the past year, we’ve seen phishing emails purporting to be from the UK government – rather than, say, a bank – asking for account details to fine individuals for breaking lockdown rules. Or we’ve seen emails purporting to be the World Health Organisation – rather than phoney HMRC communications – offering important safety
information on COVID-19 with malicious attachments that ultimately lead to ransomware being installed on the victim’s systems.

As both threat actors and the cyber insurance market evolve throughout 2021, we see two main trends for clients and brokers to watch out for. First, cyber events are increasingly a small business issue. The latest statistics show that more than 70% of ransomware incidents impacted companies with fewer than 1,000 people and less than £50m in revenues. This resonates with CFC’s experience from the 2,000-plus cyber incidents reported to our team last year. Large companies may appear to be the more frequent targets, as they hit the news. However, small businesses are the low-hanging fruit due to their lack of security resources and vulnerability, falling victim to first-party losses that are only financially detrimental to themselves. Or, as we’ve seen more recently, they may not be the target, but rather collateral damage in larger attacks aimed at MSPs or cloud service providers.

Second, cyber insurance and security services are increasingly merging into one. In what is now a proper in-or-out class, well-established cyber markets are not simply providing reactive cover – they’re proactively seeking to prevent claims. They’re using scanning tools to determine the security posture of a company as part of the underwriting process, informing clients of any potential vulnerabilities – for example, open RDP ports that may lead to a potential ransomware event or credentials being sold over the dark web – and working with them to remediate the problem.

Davis Kessler: COVID-19 impacted the cyber landscape by changing how we do business. Some firms were more prepared than others, but regardless of where you fell on that spectrum of preparation, just about every type of business had to change how their workforce functioned – and they had to do it practically overnight. In the long term, this will probably be a good thing. Even though there’s an end to the pandemic in sight now that vaccines are starting to be distributed, and we will one day return to working in offices, the changes we were forced to make to be able to work remotely have benefited us. They have given us greater flexibility in how we do business and improved resiliency in case anything else like this happens down the road.

In the short term, though, it’s been bumpy for some. For many of the companies that weren’t prepared when pandemic lockdowns began last year, the first question they asked was, “How do we get back to business? How do we get back to what we were doing before?” I think in that haste to get systems back up and running, security measures may have taken a back seat in some cases. You’ll recall that early in the pandemic, Zoom meetings were getting infiltrated. If you didn’t already have preparations in place to manage situations like the one we’re in now, you may have cut corners. I think there’s concern among cybersecurity experts that problems may be lurking as a result. We’ve definitely seen record levels of spamware and phishing schemes, and there’s been a lot of activity with fraudsters taking advantage of the pandemic itself by posing as government agencies, knowing that people are going to naturally want to click on links about how to protect themselves, how to obtain vaccines and so on. But there are other concerns about what may be coming in the near future. If a fraudster successfully gets onto a single end user’s computer via spamware or a phishing email, they may not do a lot of damage – or gain many capabilities – from that single computer. But some experts fear that once we plug those computers back into the corporate network when we return to the office, we could see a flurry of activity.

I think one of the overarching themes brokers need to be aware of is the changing cyber insurance market, starting with those who have insurance portfolios in the US, where we have seen an incredible uptick in the amount of losses in the last two years. Beginning last year, there were changes in pricing in the US market, and that is kicking into gear this year. We’re also seeing changes in underwriting and discussions on changes to the scope of coverage. We will see that trickle into the UK market this year, first in the corporate space, where we’re already seeing it, and then in the SME market.

CYBER EXPERT
PEN UNDERWRITING
Year founded: 2015
Headquarters: London, UK
Leadership: Adrian Scott, managing director, International & Financial Lines

Tell us about Pen Underwriting.
Pen Underwriting is a multi-class, multi-territory MGA that operates as a virtual insurer, meaning we can and do fulfil all the typical functions of an insurance company, with the exception of carrying risk. From a ‘super startup’ of a dozen or so brands back in 2015 to a single cohesive £600m GWP business, Pen has set its sights on the next milestone, having detailed our clear ambition to become a £1bn GWP underwriting and distribution business. Already one of the largest underwriting agencies in the UK, we’re able to offer our broker partners more than 60 products, with a national branch presence across 13 locations and more than 350 insurance professionals. Cyber is a core specialism of Pen, with our dedicated practice established in 2016 and sitting within the International & Financial Lines division.

What’s your key area of focus in the insurance ecosystem?
As an MGA, by design, we are equally focused on serving brokers, coverholders and end customers through the development and delivery of effective risk transfer solutions, while producing a strong underwriting result for our capacity providers. Our heavy investment in the ‘virtual insurer’ proposition pays dividends for clients and capacity providers alike. Our partners know that when they come to Pen, they reap the benefits of not just substantial distribution and technical underwriting experience, but our risk and governance, pricing and product innovation, analytics and actuarial expertise, and specialist in-house claims teams. We also know that to create a great customer journey, data has to be our one overriding focus. Pen’s investment in this area has enabled us to create a single source of the truth and better harness quality data to make it work for us, our customers and capacity providers. This drives our ability to sharpen our risk selection and pricing; to monitor and manage our own loss ratios; to produce complex reports for capacity partners with certainty, speed and frequency; to support diversified portfolios; and ultimately to differentiate Pen in a market where capacity is constrained and has to be hard-fought and -won.

How does your cyber product work?
Pen Underwriting first entered cyber insurance in 2016 with a groundbreaking online facility, which enables broker partners to quote and bind SME cyber risks in minutes. The speed, efficiency and flexibility of our Pen Central e-traded proposition is underpinned by our team of experienced specialist underwriters, who also support larger accounts with open-market capacity. Our standalone cyber insurance solution in the UK covers breach costs; costs for damage to data or programs; income loss and extra expense of an insured’s network failure; cyber extortion and ransomware; network security, privacy liability and confidentiality liability; multimedia liability; cyber terrorism; and fines, penalties and assessments under the payment card industry data security standard. Extensions include income loss and extra expense for an outsourced service provider or cloud service provider failure, as well as e-theft/crime. Pen continues to have a broad underwriting appetite with very few industry exclusions. Typically, any company with up to £600m in revenue can be considered for cover.

What problem are you solving in the cyber insurance space?
Various factors combine to make cyber insurance seem complex and overwhelming: the headlines about large-scale attacks, the technical terminology, the rise in ransomware and data exfiltration, and the constantly shifting tactics of cybercriminals. At Pen, we look to help, not scare. Our goal is two-pronged. First, to raise awareness amongst smaller businesses of the potential risk and catastrophic effects that can occur if a breach/attack occurs, as well as the simple steps around securing their electronic environment that can significantly reduce the risk and potential impact. Second, to provide a solution that blends with those risk management steps to provide support when initial risk management fails. We demystify the risks by making the risk relatable to the insureds and then ensure SMEs and others can access affordable standalone cyber cover that will provide a coordinated response. Our aim is to minimise losses by providing emergency cyber incident support and service restoration, as well as responding to the notification and liability issues that can arise. And we offer that cover in an efficient, intuitive way with no lengthy underwriting applications for brokers. Just a few simple, straightforward questions on our e-trading platform, and cover can be quoted and bound in a matter of minutes.

TOP 5 CYBER TRENDS TO WATCH OUT FOR IN 2021
1. Increased social engineering attacks
2. Exposure of known and unknown internet-facing vulnerabilities
3. Exploitation of system administration tools
4. Lack of instrumentation and monitoring of critical systems
5. Human-operated ransomware
Source: Security Magazine, 2021
What do you see as the top cybersecurity challenges facing UK businesses right now? Which threats are moving to the forefront? Simon Hughes: The combination of IT budget constraints in the increasingly challenging economic environment and the growing sophistication of threat actors are creating the perfect storm for cybercrime. Lockdowns and ongoing restrictions continue to put tremendous strain on a huge amount of businesses. As a result of trading environments caused by the pandemic, purse strings have been tightened across the board, and many businesses simply do not have the budget available to spend on strengthening or implementing security systems or to invest in dedicated security practices. And in a hardening market, when faced with increasing rates in other parts of their insurance programmes, cyber insurance may well fall down the pecking order. At the same time, threat actors are capitalising on a growing remote workforce – one that may become the new norm – and the susceptibility of employee and human error, enabling them to override any IT security solutions that do work in practice. This is true across all industries. This is where brokers really need to press the value that cyber insurance delivers – it provides businesses with access to cybersecurity professionals who can complement and work hand-in-hand with any in-house IT resource they may already have. What’s more, while ransomware undoubtedly remains a significant threat to businesses and continues to dominate the headlines, it’s important that brokers remind their clients that cybercrime such as theft of funds and business email compromise has not gone away. As I’ve already alluded to, the criminals have simply adapted their tactics to take advantage of the pandemic, and many busi-
nesses have fallen victim. And finally, nor should reputational harm be ignored. It’s become a growing issue as regulations such as GDPR come into force, obliging businesses to notify customers when their data has been compromised. Reputational harm can include greater and more long-term costs such as cancelled contracts or customers taking their business elsewhere, yet it’s a threat and a cost that few talk about when discussing cyber policies. Hamir Patel: Ransomware is definitely still up there, and with a growing emphasis on data exfiltration. While not a new threat, the rise in ransomware attacks here in the UK was very much a consistent and common theme throughout 2020. And, as with many other risk developments over past decades, the UK tends to follow the US experience when it comes to the trajectory of cyber threats and losses. To put some numbers around that, we have seen the number of ransomware losses in the UK increasing by over 100%, with severity approaching £100,000 per claim. These were the levels seen in the US during 2018 and early 2019. The rising severity of ransomware losses ties in with another trend: a shift from the scattergun approach of hitting large numbers of organisations with relatively small demands to the reconnaissance-based ‘big game hunting’ of carefully researched specific firms. After infiltrating an organisation’s systems, the cybercriminals will tend to take their time inside a network, identifying the biggest pain points at which to deploy their ransomware to maximum effect. And this trend has been growing in step with another method of extortion: data exfiltration, where data is leaked purposefully and without authorisation. So, criminals first steal the data, before any file encryption, then threaten to publish that information – a practice known as doxing – unless payment is received. 
Maze, for example, which at the end of 2020 announced it was shutting down, was a notorious data-stealing ransomware group that not only encrypted a victim’s files but also threatened to publicly release them. In effect, you’re talking about a ransomware attack and data breach in one, with firms
CYBER EXPERT
CFC UNDERWRITING Year founded: 1999 Headquarters: London, UK Leadership: Dave Walsh, founder and CEO
Tell us about CFC Underwriting. CFC is a specialist insurance provider and a pioneer in emerging risk. We offer a broad range of commercial insurance products that are purpose-built for today’s risks, and we aim to give our customers everything they need in one easy-to-understand policy. With a track record for disrupting inefficient insurance markets, we build technology that helps us deliver high-quality products to market faster than our peers and makes it easier for brokers to do business.
What’s your key area of focus in the insurance ecosystem? Our focus is on emerging risk and the modern exposures brought about by the intersection of business and technology – from cybersecurity to intellectual property, telemedicine to e-sports.
How does your cyber product work? As one of the pioneers of cyber insurance, having launched our first product 20 years ago, we’re continually enhancing our suite of cyber insurance solutions to offer comprehensive cover for businesses of all sizes against the very real and growing threats of the digital age. Our Private Enterprise product combines data breach, cybercrime and business interruption cover tailored for SME organisations. Built with global businesses in mind, our Large Corporate policy is designed to protect their balance sheets against the impact of catastrophic system failures and major security breaches. In addition, our Cyber Excess policy is designed to offer extra peace of mind for businesses that want to top up the cover and limits supplied by their primary policy. However, setting the market standard in cyber insurance is not simply about offering the best product. When a broker sources a
Dave Walsh
cyber policy for their clients from CFC, they’re providing them with access to 20 years of cyber claims experience, the largest in-house incident response team in the market and an award-winning cyber incident response mobile app. Our technical expertise and real-world claims handling experience can make the difference between a business suffering a catastrophic loss or getting back online quickly.
What problem are you solving in the cyber insurance space? The cyber insurance market is currently at the most challenging point in its history due to a marked increase in the severity of losses being experienced, which is being driven almost entirely by bigger ransomware events. We believe that we have a central role to play in not only being the first line of defence for our customers, but also in identifying what the next big threats are and ensuring that our customers are protected before the worst happens, not just afterwards. For example, we launched a major upgrade to our cyber incident response mobile app at the end of last year. Leveraging our proprietary data enrichment platform and threat intelligence feeds, along with insights from active cyber insurance claims, we can now notify policyholders of critical, time-sensitive threats and vulnerabilities in real time. The app also boasts an Ask the Expert service, enabling our customers to access our specialist team for help with their cyber risk mitigation and general cybersecurity questions, including best practices for their business, as well as compliance and legal advice. Cyber insurers are arguably better positioned than anyone else to confirm which vulnerabilities have the most catastrophic impacts and can make sure that their customers receive the highest-priority threat alerts to avert the most dangerous attacks. So at CFC, we’re devoting an incredible amount of energy and resources to further building our risk mitigation services throughout 2021. Our goal is to help policyholders stay one step ahead of the hackers, while reducing both the number and severity of cyber claims.
facing all the attendant costs and potential fines commensurate with the latter, as well as any original extortion. The important thing to take on board here is that, although businesses are working hard to address key vulnerabilities giving rise to ransomware attacks, cybercriminals will continue to look for the low-hanging fruit. Prime targets will always be those using outdated systems or less frequent or erratic patching policies. This will continue to be a significant cybersecurity challenge as businesses adapt to the challenges of remote working. And it is lucrative: criminal groups can target vast numbers of organisations that they pinpoint as lacking in infrastructure and controls, with relatively minimal effort, and most perpetrators are based in jurisdictions that have little to no extradition danger and so act frequently with little potential for any consequences.
Tom Draper: Ransomware attacks have become even more pervasive and effective during the pandemic, with the NCSC handling more than three times as many ransomware incidents in 2020 as in 2019. These attacks are now a lot more sophisticated than when this form of cyberattack first hit the headlines in 2017 with the WannaCry and NotPetya attacks. Where cybercriminals used to adopt a scattergun approach, with attacks spread widely and indiscriminately, resulting in a high number of organisations being hit, we are now seeing more targeted attacks. Hackers are breaking into networks of organisations ranging from tech companies to governments and encrypting servers, services and files with ransomware before demanding a ransom, often requesting hundreds of thousands or even millions of pounds.
Beyond the obvious financial losses and the lack of productivity that can result from systems going down as a result of a ransomware attack, more recently there has also been a trend for cybercriminals to threaten to release sensitive data stolen from the network during the attack if the ransom is not paid. Before ransomware is even deployed, criminals often lurk on networks, looking for specific sensitive data that the victim wouldn’t want to be made public – such as a secret patent or information about staff salaries – and follow through with their threats by releasing sensitive data to the public, often via ‘name and shame’ websites on the dark net. Increasingly, cybercriminals are also using social engineering techniques to exploit the weakest link in the security chain – people – with attackers using a variety of means, both online and offline, to con unsuspecting users into compromising their security, transferring money or giving away sensitive information. Social engineering attacks typically involve some form of manipulation, often featuring emails that invoke urgency or fear, leading the victim to promptly reveal sensitive information, click a malicious link or open a malicious file. Social engineering attacks show no sign of slowing down, with the Department for Digital, Culture, Media & Sport reporting that there has been a 14% rise in businesses experiencing phishing attacks – the most common social engineering tactic – between 2017 and 2020. In 2021, we are likely to see additional social engineering methods become more prevalent and advanced, including ‘baiting’, which involves cybercriminals enticing victims into inadvertently compromising their security, often by inviting them to sign up for free giveaways; ‘pretexting’, which involves the con artist inventing a scenario to convince victims to divulge sensitive information, having often researched their victim in advance of their first conversation; or ‘scareware’, which usually involves a pop-up that warns victims that their security software is out of date and tricks them into visiting malicious websites.
Davis Kessler: Remote working remains a concern, and I think we’ll definitely see an increase in ransomware. This has been hitting cyber portfolios in the US hard. No industries have been unscathed by ransomware activity, but certain ones – like education, healthcare, government organisations and professional firms – have all been particularly vulnerable. We’re starting to see it more in the UK portfolio and reading more about it in the press. It takes just one employee to fall for a phishing scheme and give a criminal a foothold into a network they can exploit. The price of Bitcoin is skyrocketing, and since ransoms are almost always demanded in Bitcoin or some other alternative currency, a high price makes it all the more appealing to commit this kind of fraud. More run-of-the-mill financial fraud will certainly continue – somebody falls for a phishing email and a fraudster gains access to the person’s email and manipulates invoices by changing bank routing numbers, for example. That won’t go away, but I think we’ll see an uptick in ransomware in the UK in 2021. One of the most critical tools we recommend to minimise these risks – and something we are going to start looking for as we underwrite – is multi-factor authentication. This is easy and often free protection for an entity to put in place. If you’re a global corporate entity, it’s trickier, but if you’re a smaller office and, for example, use Microsoft Office 365 for your email platform, multi-factor authentication is a tool already built in – it just needs to be enabled. Multi-factor is great at stopping fraud from occurring because it stops it at the beginning. Phishing emails will still happen, and even with the right training – which is highly recommended – some employees will inevitably fall victim to such schemes and input a username and password into a fake login screen, essentially giving the criminal their login information. But when the fraudster tries to use those login credentials, that triggers the need for authentication via a mobile phone or a separate email account. That usually stops the bad guys. There are ways a criminal can get past this type of barrier, but what we have seen is that there is so much low-hanging fruit out there that if a criminal gets stopped by a protection like multi-factor authentication, they won’t go through the effort to get past it. They will simply go to the next company and hope it doesn’t have that protection in place. Another action companies can take is to protect certain open ports, which control the flow of information to and from the internet.
There are a few open ports that can cause problems, but the primary one is remote desktop protocol, or RDP. We’ve probably all had the experience of having someone in IT use remote desktop to legitimately access our computer to fix a problem. Unfortunately, it can similarly be used by fraudsters. It’s particularly challenging, as your computer actually tells the internet if you have remote desktop open. As a result, criminals can scan the internet and find companies with this open back door. So if you don’t have a strong password, have reused passwords or have been part of another data breach, a criminal can access your computer and have desktop control of your computer. They can read your email, commit data breaches or financial fraud, and potentially install malware and ransomware. Having multi-factor authentication and making sure open ports aren’t incorrectly open are probably the two easiest things that go the longest way in preventing this sort of fraud.
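The two controls Kessler singles out, a second factor on every account and RDP not reachable from the internet, written up as a small posture check. This is an added example, not code from the article, Travelers or any insurer; the account and firewall-rule formats are constructed for the illustration, and the ranges treated as internal are an assumption (RFC 1918 plus loopback and link-local).

```python
"""Posture check for the two controls recommended above: multi-factor
authentication on every account and no Remote Desktop (RDP) reachable
from the internet.

Added illustration, not code from the article or any insurer. The account
and firewall-rule formats below are constructed for the example; a real
check would pull them from the identity provider and the firewall or
cloud security-group API.
"""
import ipaddress
from dataclasses import dataclass

RDP_PORT = 3389  # TCP port Remote Desktop Protocol listens on

# Source ranges treated as internal (assumption: RFC 1918 plus loopback
# and link-local). A source range not fully inside one of these reaches the
# rule from the public internet, which is what scanners enumerate.
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


@dataclass(frozen=True)
class Account:
    username: str
    mfa_enabled: bool


@dataclass(frozen=True)
class IngressRule:
    """One allow rule on the perimeter firewall (constructed format)."""
    name: str
    protocol: str      # "tcp", "udp" or "any"
    from_port: int
    to_port: int
    source_cidr: str   # e.g. "0.0.0.0/0" (anyone) or "10.8.0.0/24" (VPN pool)


def source_is_public(cidr: str) -> bool:
    """True unless the whole source range sits inside an internal range.

    Deliberately avoids IPv4Network.is_private, whose handling of
    0.0.0.0/0 differs between Python versions.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == trusted.version and net.subnet_of(trusted)
                   for trusted in TRUSTED_SOURCES)


def rule_exposes_rdp(rule: IngressRule) -> bool:
    """A rule is the 'open back door' when it admits TCP/3389 from a public
    source, whether it names the port directly or through a wide range."""
    if rule.protocol.lower() not in ("tcp", "any"):
        return False
    if not rule.from_port <= RDP_PORT <= rule.to_port:
        return False
    return source_is_public(rule.source_cidr)


def audit(accounts, rules):
    """Return findings, most severe first. Exposed RDP is rated above a
    missing second factor because anyone scanning can discover it; the two
    together are the full scenario described in the text."""
    findings = []
    for rule in rules:
        if rule_exposes_rdp(rule):
            findings.append({
                "severity": "critical", "control": "rdp", "subject": rule.name,
                "message": f"rule {rule.name!r} admits RDP (TCP {RDP_PORT}) from "
                           f"{rule.source_cidr}; restrict it to the VPN range or close it",
            })
    for acct in accounts:
        if not acct.mfa_enabled:
            findings.append({
                "severity": "high", "control": "mfa", "subject": acct.username,
                "message": f"account {acct.username!r} has no MFA; a phished or reused "
                           "password alone is enough to sign in",
            })
    return findings


# Constructed sample data: one finance user without MFA, one admin with it,
# the weak RDP rule next to its corrected form, and a wide-open range that
# also lets RDP through even though it never names port 3389.
SAMPLE_ACCOUNTS = [
    Account("finance.clerk", mfa_enabled=False),
    Account("it.admin", mfa_enabled=True),
]
SAMPLE_RULES = [
    IngressRule("allow-https", "tcp", 443, 443, "0.0.0.0/0"),           # fine: web front end
    IngressRule("allow-rdp-internet", "tcp", 3389, 3389, "0.0.0.0/0"),  # weak: RDP open to all
    IngressRule("allow-rdp-vpn", "tcp", 3389, 3389, "10.8.0.0/24"),     # corrected: VPN pool only
    IngressRule("allow-all-mgmt", "any", 0, 65535, "203.0.113.0/24"),   # weak: whole range from outside
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, SAMPLE_RULES):
        print(f"[{finding['severity']}] {finding['message']}")
```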
How have silent cyber mandates impacted the market? Where does cyber as a peril properly reside? Davis Kessler: For non-cyber markets, it varies by class of business. Some P&C markets have started attaching cyber exclusions, exclusions with limited write-backs for coverage, sub-limiting coverage or making it less robust than it was before. However, it’s not uniform across all P&C policies. For some lines of business, there is no change from before. They may attach an endorsement to adhere to the silent cyber requirements that Lloyd’s has in place, but there is no effective change to coverage. If it was covered before, it is covered now. In financial lines, it’s too early to gauge the impact. It was just the turn of the year when these endorsements started getting used, and most of the market has been taking a ‘wait and see’ approach. Initial indications look like most of the endorsements per these mandates will affirm that if coverage flowed from a cyber incident before, there will be coverage going forward. We haven’t seen much of the exclusions limiting cyber cover in financial lines, but it’s too early to say definitively. In terms of how this impacts the cyber market, there has been an increase in first-party property coverage on the cyber side. It’s not something Travelers is currently writing, but it is becoming available in limited quantities. And because we’ve yet to see much change in the financial lines in response to the mandates, there hasn’t been a large impact as a result in the cyber market. Where does cyber as a peril properly reside? There is probably no right or wrong answer. As long as it’s underwritten and priced correctly, it probably doesn’t matter. But from a purely functional standpoint, if you have a building to insure from fire or any number of perils but also cyber, it probably doesn’t make sense to buy a full policy limit that would protect a total loss from every other type of peril and then buy a separate policy just for cyber. When it comes to breach response or business interruption costs that flow from a cyber incident, that’s where I expect to ultimately see clarification that pushes cover towards the standalone cyber insurance market. There are currently non-cyber products that may do some of this, particularly in financial lines – they will have a bit of breach response or business interruption cover that leaks in.
It may make sense to clarify that this belongs in a dedicated cyber policy, but it’s still too early to tell. Wherever coverage for cyber-related events lands – whether it stays in the P&C market or it becomes established that there is a cyber property insurance market – we definitely need to work collaboratively. In the case of insuring a building, a cyber team may be able to underwrite the security controls in place that would increase or decrease the likelihood of being breached, but a normal cyber underwriter won’t know what causes, for example, a boiler to overheat and result in damage to the building. That’s something we’d need to work on with the property team, and going forward, companies and markets will have to think holistically wherever cyber exposure is insured.
Simon Hughes: Broadly speaking, silent, or non-affirmative, cyber has existed in property and general liability policies for as long as insureds have used technology as part of their business practices. It’s likely that many may have previously believed – erroneously so – that cyber coverage existed in other areas of their insurance programme, which may have prevented them from seeking a standalone policy in the first instance. For example, there may be elements of a third-party liability suit as a result of a privacy event being addressed under a solicitor’s PI policy, or a traditional crime/fidelity policy might extend to electronic crime or social engineering by way of endorsement. Non-affirmative cyber became a speaking point in the market because significant losses were accumulating, and clients were seeking clarity of cover to address these losses. There is rightly an argument to be made that the growing frequency and severity-driven losses that clients were experiencing were impacting the market long before exclusionary cyber language on other policies. Ultimately, the crux of silent cyber mandates has been behind insurer intent of never having underwritten these risks or priced them in the first instance. That’s why cyber as a peril properly resides in an affirmative standalone policy that gives clients not only clarity, but more importantly, access to cyber specialists who can properly help them navigate their way through a cyber event.
In fact, what all other non-affirmative cyber policies have in common is the lack of specialised claims expertise behind them. Is the property market the best equipped to negotiate a ransom payment? Is the crime market best positioned to conduct forensics over the insured’s network in the event of a business email compromise? Is a PI department best placed to provide dark web monitoring for clients? The answer here is largely no, and this has turned the attention of brokers and clients alike towards standalone cyber policies that adequately address and respond to cyber perils in a rapidly changing threat landscape.
Tom Draper: In theory, excluding or affirming cyber cover sounds like a straightforward process. However, in practice, it has been far from plain sailing, with policyholders often receiving inconsistent responses from their insurers and finding themselves with gaps in their cyber coverage. Many of the proposed cyber endorsements on traditional property & casualty policies in particular have lacked consistency or have been simply too broad. For example, some have excluded losses stemming from previously covered physical perils, given that technology use was involved in the chain of causation. Many proposed wordings by insurers fail to address the fact that in this day and age, technology is at the heart of business operations across all sectors. As new emerging risks and technologies are increasing organisations’ exposures and coverage requirements, brokers have an important role to play in terms of reviewing their clients’ current policies and identifying any exclusions proposed which might create issues to ensure they have adequate cover and to fill any coverage gaps.
Hamir Patel: The reality is that cyber risk is complex, fast-evolving and arguably many perils in one. Consequently, clarity as to when cover will and won’t be triggered is vital, and for that reason, cyber risk will always be best addressed via specialist standalone policies. But, as we know, that is not how much of the market has developed over the years, with cyber typically sold as an add-on or embedded in property or general liability policies.
The inconsistencies and coverage challenges this has thrown up have been exacerbated by the lack of any clear definition for buyers and brokers over what ‘cyber risk’ is. For that reason, the silent cyber mandates driven primarily by Lloyd’s of London – with its phased implementation across different classes coming into force over the past 12 months and set to culminate this July – are to be welcomed. By mandating that all policies clearly state whether they offer affirmative cover for cyber risk, clarification has been brought to bear on non-cyber-specific policies as regards inclusion and exclusion. That can only be good news for brokers and their clients in understanding whether they have the cover they need or not. Unsurprisingly, given the scale of some of the disputed ‘silent cyber’ losses that drove the introduction of such mandates, the net result is the rise of more policy exclusions. This should help drive take-up of standalone cyber policies as a must-have and no longer nice-to-have, which is something we would always advocate. That said, the current position of the market remains one of inconsistency when it comes to traditional non-cyber-specific policies. So it is vital for brokers, on behalf of their clients, if they are still looking to rely on these for cyber cover, to take time to fully understand the intended coverage, as well as pinpoint – and, most importantly, explain – any cyber gaps that may exist for that particular client’s activities. This comes back to the question about where cyber as a peril properly resides. From accidental data breaches due to employee error to criminally motivated ransomware attacks and data exfiltration, it is in itself multi-peril. The threats that can impact businesses are so many and varied that trying to shoehorn cyber into another line of business, or break it up into different lines, would diminish the value of any response and make dealing with an incident extremely difficult. One carrier could be general liability, for example, and another providing property, while a third is errors & omissions. Quite how that could all fit together to create and deliver a seamless response to a multi-peril cyber breach is difficult to comprehend.

TOP 5 SECTORS AT RISK FROM CYBER THREATS IN 2021
Small businesses
Healthcare institutions
Government agencies
Energy companies
Higher education facilities
Source: CDNetworks, 2021
Which restrictions or exclusions should brokers be particularly wary of in cyber policies? Simon Hughes: Historically speaking, standalone cyber policies have always provided incredibly broad coverage for the price point at which they’re offered, given a company’s largest exposure, more often than not, is their intangible assets. In fact, cyber insurance is commonly referenced as one of the product lines with the highest claims acceptance rate of any in the insurance market, given they intend to respond not only to actual events, but even suspected cases of malicious activity. On that basis, restrictions and exclusions have always been synonymous with ‘cyber light’ policies or extensions onto other product lines rather than true standalone policies. Fast-forward to today, and both clients and brokers alike are fairly wise to what is expressly stated as an affirmative restriction or exclusion within policy language. However, one restriction that is becoming increasingly commonplace in cyber policies, as part of a market-wide reaction to severity-driven ransomware losses, is coinsurance provisions being applied as a condition on larger clients where they lack certain basic minimum security practices. It’s easy to understand why some cyber insurers are treading this path – it’s broadly similar to how a traditional property policy will act less favourably towards an organisation that leaves its doors wide open. What’s less obvious – and certainly where we see a gap in the market – is how often clients are scrutinising what their cyber policy does or doesn’t offer beyond the policy language itself. This is most evident when attempts are made to compare and contrast the various cyber wordings in the market. There are lots of comparisons made between specific insuring clause sections of a policy, but rarely do clients ask their broker about what claims expertise or risk management services are also provided. These days, cyber insurance policies are service-driven solutions, and a good policy should offer proactive risk management services upfront – after all, it’s in the best interests of both the client and insurer to prevent claims before they happen. [It should also offer] in-house claims expertise so that should the worst happen, an event is managed and resolved as quickly as possible. This should be the first thing a broker or client should be asking of a cyber insurer. Products in the market won’t expressly state services are included or excluded as part of the policy language, so it’s essential that they are critiqued when selecting a cyber product.
Tom Draper: Standalone cyber policies typically cover incident response expenses, data breach liability, non-damage business interruption, data restoration expense, liability for compromises of confidential information, cyber extortion and non-damage hardware replacement. However, though standalone policies offer broad coverage for financial risks, they often offer limited physical damage coverage. Buyers have traditionally found cover for physical loss or damage in non-cyber policies, such as property insurance. Not all cyber policies are equal – this line of insurance continues to evolve, and there are often significant variations between different insurers’ products. Brokers play an important role in ensuring businesses are familiar with the specifics of what a particular policy entails before buying, and highlighting the extent of the cover provided and any exclusions in order to avoid confusion or misunderstanding later down the line about what may or may not be covered in the event of a claim.
Davis Kessler: This is going to be a formative year in cyber insurance. Cyber insurers – particularly those with a US portfolio that has taken some hits recently – will be trying to right the ship that has been rocked a bit. We’ll see different approaches to this. On the one hand, insurers may take a product coverage approach where they restrict coverage, either by removing coverages altogether or adding sub-limits to certain coverages. Another approach may be adding conditions – saying they will only pay out if X, Y or Z controls are in place. Coverage in that instance may be left unchanged, but the insured will have to demonstrate after the fact that it had some controls in place, such as multi-factor authentication or up-to-date patching, for example. Brokers should be mindful of potential changes to the scope of coverage. Another approach by some insurers will address this from the underwriting side, focusing on certain precautions as a requirement for offering coverage in the first place.
And then there may be a blend of the two approaches – and brokers will need to be aware of this.
Hamir Patel: There are no two ways about it – the cyber market is currently at a tipping point in terms of ransomware losses. Consequently, 2021 is likely to be a year where a great variability in approach to this peril emerges, whether that be through restrictions in cover, sub-limits or higher retentions. Indeed, some underwriters and insurers are already taking a blanket approach [and are] no longer prepared to offer ransomware cover to certain types of business with particular types of exposure, whether that be industry- or size-related. At Pen, our overriding intention is to keep offering as broad a policy as possible, and any future restrictions in cover would never be undertaken lightly. But as we’ve said before, cyber as a risk is incredibly dynamic and fast-moving, with creative criminals finding ever more inventive ways to breach organisations’ defences. So underwriters must be ready, prepared and able to adapt and adjust their risk appetite as evidence accumulates. Looking across the market as a whole, crime and social engineering coverages are an area where there tends to be a vast array of conditions across the various policies. So this is definitely something brokers need to be alive to and aware of. Aside from coverage levels, there tend to be differing requirements on conditions to be satisfied for crime covers to pay out – for example, conditions relating to payment verification. Insureds should be aware of what they are agreeing to or submitting as their process around payment verification procedures. As a result of claims activity and trends, we are also seeing some policies in the market with increased conditions on areas such as timescale requirements to deploy software updates, exclusions relating to software or hardware reaching end-of-life/support, and controls around back-ups. All of this comes back to the importance of firms taking responsibility for cybersecurity seriously. Organisations demonstrating the right behaviours and embracing a culture of risk management and mitigation to known areas of exposure and vulnerability will always be the best placed to secure the broadest cover at the best terms possible.

KEY BARRIERS TO CYBER INSURANCE UPTAKE BY SMEs
Cost of cyber insurance: 69%
Concerns over the breadth of cover: 46%
Concerns over limits of cover: 43%
Source: Sedgwick, 2019

Jon Davies
CYBER EXPERT
TRAVELERS
Year founded: 1853
Headquarters: New York, NY
Leadership: Jon Davies, vice president, bond and specialty, Travelers Europe
Tell us about Travelers. Travelers is one of the world’s leading property & casualty insurers and has a long-standing record of financial strength. At our UK operation, we specialise in doing a few things and doing them really well, with the resources of a global enterprise behind us. We often recruit people from the industries we cover, which helps us understand the customer perspective from the outside in. Our dedicated experts have a deep understanding of underwriting and claims handling for the business classes we write. I have loved working at Travelers for the past 28 years because we are a company that always tries to do the right thing.
What’s your key area of focus in the insurance ecosystem? I run the financial lines specialisms we write – professional indemnity, directors & officers, management liability, financial institutions, transactional liability and cyber, which is one of our newer specialties. My background is in underwriting, which involves assessing which risks we should write and at what terms and price, and also promoting the benefits of our excellent claims service. We put a lot of emphasis on ensuring our proposition helps address our customers’ needs. Cyber risk is a growing area of concern, whether you’re a massive global firm or a tiny one. In the last 10 months, we’ve all had to rely on all things cyber, even in our private lives, so everyone can understand the consequences of when things go wrong. Travelers is especially strong in the US and is the only insurance company on the Dow 30. The cyber market is far more advanced there than it is in Europe, as are the claims issues they face and their ability to understand where claims originate and how to mitigate them. We have the benefit of taking learnings from Travelers in the US and applying them to our European offering. We spend an extensive amount of time helping brokers understand cyber exposures, what cyber insurance covers and how it works, and how to secure appropriate cover for clients. Hundreds of brokers have taken our training over the past 10 months. It’s a strong part of what we do.
How does your cyber product work? Our cyber product is focused on SMEs and is available alongside our management liability insurance, allowing clients to buy crime and cyber cover together. It is available through our online insurance portal, which makes it quick and easy for brokers to add coverage for businesses that don’t currently have cyber cover. It includes low limits up to very large limits and also offers breach response support. We use the strength of our global portfolio to negotiate a great panel of breach response vendors – trusted partners of our organisation who can assist before, during or after a cyber incident to rebuild systems and identify how things can be improved. This is critical because when a business experiences a cyber breach, there isn’t time to waste on trying to identify quality people who can help in the moment. Time is of the essence with cyber, more than many other areas we insure.
What problem are you solving in the cyber insurance space? We want to make sure the great UK SME industry is better protected, so we’re helping brokers feel confident about cyber insurance, understand what it covers and know what clients need to do in the event of a cyber incident. Our global portfolio helps fuel the education we’re able to provide. In the US, there are many more ransomware claims than we have in the UK, but I can’t think of a reason why we wouldn’t have the same problem here in the future. Having protection like multi-factor authentication greatly reduces exposure to ransomware, but we wouldn’t necessarily know that if we didn’t have a global portfolio. That resource allows us to provide better advice to customers and help them make relatively simple technology changes that keep the door bolted when cybercriminals try to enter.
To what degree is cyber insurance suitable for brokers to e-trade, considering its fast-evolving underlying risk profile? Hamir Patel: Incredibly well suited, in the SME arena in particular. Despite its dynamic nature, at heart, a handful of key questions can enable you to understand the risk profile at a macro level, and modern underwriters are enhancing this client-led input with publicly available information, such as web addresses, to recognise the cybersecurity risk landscape relevant to a specific business. But it’s essential that simple, streamlined question sets are matched by simple, streamlined systems. That’s where the important investment lies – in creating quick, slick quote-and-bind facilities that genuinely enable brokers to self-serve, provide cost-effective cover for customers and yet still deliver the right underwriting result for capacity providers. Effective e-trade in cyber insurance is wholly dependent on two things. First and foremost, system ease of use and simplicity of the application – the more complicated and clunky a broker self-serve system, the less likely brokers are to use it. Period. Second, but of equal importance, is that cyber e-trade has to be a supported sale to help brokers explain the coverage correctly.
Simon Hughes: CFC has been e-trading cyber policies for over 20 years now, so in our view, it’s perfectly suitable. We’ve evolved how we do this over the years and most recently launched our new cyber trading platform, CFC Connect, last May. In the year where everything became virtual, Connect works off the premise of single-question quoting, taking advantage of the insights we can gain about the security posture of a small business client without the questions upfront. Our UK broker partners have responded with huge enthusiasm and are leading the pack globally in terms of number of quotes to date, whether it’s interacting directly with Connect or through an API that allows them to plug it into their back-office systems. And it’s easy to see why cyber as an e-trade solution works and is perhaps the future direction of the product. The platform provides instant access to quotes, varying limits, excesses, dynamic pricing and coverage – and in a world where service wins the race, this largely allows brokers to get back control in the terms they receive from their markets. Connect also gives our brokers and clients access to all of our proprietary benchmarking information, limit profiles and claims examples, based on what industry the client is operating in. Access to relevant information is scarce in a market where large FTSE losses making the headlines are being presented to SMEs, and overwhelmingly, clients want to see claims examples of companies who look like them. Our e-trade solution now allows our brokers to deliver the most accurate data to their clients about their cyber posture, next to a quote, at no cost. And in our experience, explaining the value of cyber insurance specific to a business always helps explain the price.
Tom Draper: E-trading is becoming more and more prevalent in the insurance industry, with both cyber brokers and insurers using technology as an enabler to improve process efficiency. Throughout the pandemic, electronic and online capabilities have played an even more vital role in cyber insurance transactions as we adapt the way we operate to support remote working. At Gallagher, we make extensive use of e-trading platforms in cyber insurance transactions, and the volume of cyber insurance we trade electronically will continue to increase. However, technology is not a substitute for customer advocacy, and human negotiation will remain an essential component of discussions surrounding larger, more complex risks.
Davis Kessler: It’s definitely true that cyber insurance has a fast-evolving underlying risk profile, but there is good insurance to be found on an e-commerce platform. Brokers just need to study the product and make sure it’s fit for purpose. First, they need to confirm there aren’t restrictions in place or sub-limits where full coverage may be available elsewhere. Then they should ensure it’s a proper dedicated cyber policy. There are some online platforms with the ability to add a bit of cyber cover onto a packaged policy. I don’t want to suggest that this should be avoided, but it’s often not a substitute for a dedicated cyber policy. These add-ons will usually be low-limit, narrow in what is covered and have limited or no post-breach assistance or risk management tools available. Some may have no underwriting whatsoever – which could mean it has restrictions or conditions on the coverage. It may be cheap, and it may be a bit of coverage where the client wasn’t buying cyber separately, but it also may be insufficient to cover the client’s cyber exposure. It’s still suitable to e-trade, but it’s important to study the product and study the insurer.
If you could give one key tip to brokers selling cyber insurance in 2021, what would it be?

Hamir Patel: Keep the conversation going – with both your clients and your underwriters. Ongoing dialogue with clients will help you prepare them for the changing market, while working closely with underwriters means you’ll understand exactly what clients can do to improve their cybersecurity as risks evolve. Bombarded by some of the sensationalist headlines around cyberattacks, brokers may be surprised by the significant number of simple, inexpensive actions clients can take to dramatically improve their risk profile, potentially resulting in lower prices or enhanced coverage. Linked to this, there are likely to be supplementary offerings provided as part of a cyber policy that will help address key vulnerabilities your clients are facing. But beyond everything else, ensure the cyber insurance policy being put forward matches and covers not only a client’s chief areas of concern, but also where their actual exposure for the on-risk period ahead lies. Just as the risks and threats underlying cyber insurance shift notoriously fast, so too will your clients’ risk profiles – now more so than ever. Just look at how it changed for everyone globally in 2020. Much of that dispersal of workplace location and subsequent reliance on technology will continue beyond the pandemic. Online trading is a case in point. Even pre-pandemic, the proportionate degree of online trading undertaken by clients was bound to be on the up, with some making sizeable shifts year-on-year. And if necessity is the mother of invention, then COVID is surely a close cousin, compelling hundreds of thousands of firms to adapt fundamentally simply to survive. So perhaps more so than in any other area of their insurance portfolio, expect your clients’ cyber risk to continue to shift, and assess it accordingly.

Simon Hughes: The single most important piece of advice that I would give to a broker is to explain the value of a cyber policy to each client in a way that is specific to each client’s business. Clients need to understand why they have an exposure in the first place – especially for those less obvious industries, such as construction, for example. The easiest way to do this is to provide industry-specific claims examples that show how a cyber policy has worked for businesses in their industry.
What’s more, brokers need to be able to demonstrate that a cyber policy is an investment into a company’s overall IT security, so they should ensure they know and can articulate the services the client will receive from a policy. For example, a CFC policy provides their client with access to over 50 technically led security professionals, who are there to enhance the security posture of the client’s business before a loss. They not only act as a sounding board for technical advice, but will also be the same people to respond should the worst happen – whether negotiating to get the client’s data back, determining whether funds can be recovered following a social engineering scam or navigating them through the legalities of a privacy event. This is the value that investment in a cyber policy should represent. The likelihood of a cyber loss happening to a business has a much higher frequency rate than that of a fire, so the fact that only 15% of businesses are purchasing a policy is worrying – sadly, many businesses only seek out a cyber policy because they’ve already had an uninsured loss and understand they need a dual layer of protection. The cyber insurance conversation therefore needs to be framed around the ‘must have’ rather than the ‘nice to have’, and it should be at the forefront as something that can complement an existing IT department.

Tom Draper: As companies depend more on technology to conduct business, they are also increasingly subject to technology’s unique vulnerabilities – even the remote conducting of insurance renewals via videoconferencing tools has created new risks by presenting a greater surface attack area for criminals to exploit. As the cyber risk management landscape continues to evolve, brokers must keep abreast of the current climate to ensure they have an in-depth understanding of their clients’ exposures to emerging cyber threats, can educate them about their own vulnerabilities and can tailor their advice and solutions accordingly.

Davis Kessler: Brokers really need to become advisors to their insureds to help them know what to expect from the cyber insurance market. They will need to demonstrate they know what insurers are looking for, communicate it to their clients and then frame up their client’s position in the best light possible to insurers in order to get the best terms. If I were a broker, I would pay attention to which markets are wholly relying on restrictions to coverage and which are taking more of an underwriting approach. Pricing may be going up in the UK SME market to some degree, but I think there is still good insurance out there without strings attached. Full-limit ransomware cover is still available, but the markets offering the best cover may be looking to raise the bar in terms of underwriting standards. Do your clients have multifactor authentication in place? Open ports that can be exploited? I think it’s critical to understand that it’s not just about paying the premium this year. Brokers can also help their clients access the tools they have at their disposal to protect themselves from cyber risks. A lot of cyber insurers – and not just Travelers, although we have made a big push in this regard – will offer some risk management tools to their insureds. We heard from brokers that this is what their clients want from a cyber product, so this was partly to meet that demand. But we also really do want our insureds to make good use of these resources. Employees are the gateway for fraudsters to commit cybercrime. Almost all cybercrime starts with a phishing email that an employee has fallen for. There’s a lot of good training that Travelers and many other organisations offer, but usage is strikingly low. So, I would urge brokers to encourage their clients to take advantage of the valuable – and often free – tools available that can make them a less appealing target for cybercrime.

WHERE UK ORGANISATIONS STAND ON CYBERSECURITY
96% of UK businesses have shifted their cybersecurity strategy due to COVID-19
50% of UK businesses say cybersecurity will form part of every business decision
56% of UK businesses plan to increase their cyber budgets in 2021
38% of UK businesses believe their cyber budget is allocated to the most significant risks
Source: PwC UK, 2021

COMMON MYTHS ABOUT CYBER INSURANCE
“We don’t need cyber insurance. We invest in IT security”
“We outsource all of our IT, so we don’t have an exposure”
“We don’t collect any sensitive data, so we don’t need cyber insurance”
“Cyberattacks only affect big businesses. We’re too small to be a target”
“Cyber is already covered by other lines of insurance”
“Cyber insurance doesn’t pay out”
Source: CFC Underwriting, 2019

www.insurancebusinessmag.com/uk