Insurance Business UK Cyber Report


MARCH

INSURANCE BUSINESS UK CYBER INSURANCE SPECIAL REPORT Brokers’ Key Questions Answered



SPECIAL REPORT

CYBER

FOREWORD PAUL LUCAS Managing editor of Insurance Business

IF THERE’S ONE thing that’s easy to understand about cyber insurance, it’s that very little is understood. What we do all know is that there’s a problem that needs to be addressed, a risk that needs to be mitigated after headline-grabbing attacks such as WannaCry – which was estimated to have cost the cash-strapped NHS around £92 million – and Petya in 2017, which was estimated to have cost Maersk alone between $250 million and $300 million. Indeed, the statistics speak for themselves – a report by CSIS in February 2018 pointed to the global cost of cybercrime reaching $600 billion, or around 0.8% of global GDP.

Rapidly growing – with a catch

In the face of a rapidly growing threat appears a swiftly expanding market for insurance. The problem, however, is that most of the market is based in the US. According to research by both PwC and Marsh in 2016, 90% of the cyber insurance market is located in the USA – compared to just 5-9% in Europe.

In its Understanding Cyber Insurance – A Structured Dialogue With Insurance Companies report, the European Insurance and Occupational Pensions Authority pointed to a number of key reasons as to why this may be the case. It stated that there is a clear need for a “deeper understanding of cyber risk, both on the supply and demand side,” including the understanding of clients’ own needs; that cyber cover is largely focused on being a commercial proposition although there is increasing interest among individuals; and that there is a “lack of specialised underwriters”, data and qualitative tools that present a roadblock for the industry’s development.

What do brokers say?

One issue that brokers in the UK are encountering is that many businesses simply don’t think that cyber risk applies to them. Speaking to Insurance Business, Peter Goddard, managing director of Daulby Read Insurance Brokers, highlighted the following challenges in selling cyber insurance to small corporates and SMEs:

• “It seems to have happened to most of these companies but they are largely still unaware of the ‘passive’ threat from cybercrime.
• “They often believe their IT support companies look after their security. They generally are unable to secure more than the network.
• “Most IT support contracts don’t deal with security, it is usually an implied service.
• “Clients often believe they have no need for the cover as their IT support companies will restore their systems, however they don’t realise that they won’t be any help around the consequential loss of a breach.
• “Most companies have not budgeted for cyber resilience.”

Confusion among brokers

The problems are not just with the clients either – there is generally a lack of wider knowledge in the insurance market about cyber risks, Goddard stated. “Brokers and clients have always had concerns how cyber policies would respond in the event of a claim,” he said.

Indeed, there appears to be a lack of clarity across the board. “Cyber means different things to different people, the covers are variable and wide, some insurers bundle it into a combined offering and some offer it stand alone – so all in all it can be rather confusing if you don’t know what you are talking about,” Nick Houghton, managing director of JM Glendinning Group Ltd told Insurance Business. “This is the challenge and a risk to insurance brokers.”

Houghton explained that he feels insurers and MGAs do offer sufficient levels of support to their broker partners in this area – but that the focus is very much on their own products, which can vary widely. This in turn leaves brokers to try and plug the gaps and find solutions for clients that may not ordinarily fit the bill. “Covers that are included in other general combined covers worry me considering the breadth and scale of cyber risks out there,” he said.

www.insurancebusinessmag.com/uk


Rollercoaster ride

Despite the apparent problems with cyber insurance in its current forms, there is no denying its potential. Many in the industry have suggested it could yet grow to become part of a “big three” alongside home and motor insurance – a sentiment that both Goddard and Houghton concur with.

“As it’s such an immature product I believe it certainly has the potential to become the ‘third’ biggest insurance depending on where the insurance premium rates find their levels,” said Goddard. “As the market is so immature for cyber and SME, I believe premium rates will go on a rollercoaster of a ride before they level out at the correct rates.”

Houghton agreed, adding “and I think it’ll be some time until we fully understand the rating of these covers… when the claims picture has matured.”

Capitalising on the market

So, if brokers are to truly capitalise on this burgeoning market it’s vital that they get a clear understanding of what the product is and where it’s heading. That’s why Insurance Business has put together a panel of experts to address five key questions that our research suggests brokers are lacking clarity on. The questions are:

• What are the key market trends that brokers must be aware of in the cyber space in 2019?
• Which client groups should be the target markets for cyber insurance this year?
• How can brokers overcome the “it won’t happen to me mentality” held by many smaller businesses in reference to cyber issues?
• What are the key differences between cyber as a stand-alone product and as an add-on? In which situations should brokers consider one option the better choice for their clients than the other?
• What are the vital elements of any ‘good’ cyber insurance policy and which elements would you highlight as being particularly important for different groups of clients?

It is hoped that, armed with this insight from industry experts, brokers can finally turn cyber insurance from the product everyone is talking about, to the product everyone is buying.



WHO’S ON OUR PANEL?

MAURO SIGNORELLI
Senior underwriter, technology liability & cyber risk insurance
Aspen Insurance

MAURO SIGNORELLI joined Aspen Insurance in February 2017 and is a senior underwriter in the Aspen Insurance global tech E&O and cyber team. Based in London, he focuses on the growth of the international cyber portfolio by writing large and complex risks. He has extensive experience as an underwriter in international technology and cyber having insured some of the largest European corporations. Before joining Aspen Insurance, Mauro spent five years at XL Catlin leading the development of its European strategy in the space. Prior to that, he worked for AIG and trained at Simmons & Simmons as a lawyer.

STEPHEN RIDLEY
Lead underwriter, cyber and data risks
Hiscox UK

STEPHEN is the lead underwriter for cyber and data risks at Hiscox UK. With more than eight years of experience specialising in cyber and data risks insurance, he is widely regarded as a thought leader in the field, and regularly speaks at industry events as well as frequently being featured in both trade and national press. Outside of work, Stephen is a keen triathlete, and represented Great Britain at the European Championships in June 2017.

ERICA CONSTANCE
Cyber portfolio manager
QBE European Operations

ERICA leads the development and delivery of QBE’s strategy for cyber across its European Operations, showcasing QBE’s solutions orientated approach. Erica’s remit includes ensuring that QBE’s proposition keeps pace with the rapidly evolving cyber risk environment and that QBE remains relevant to customers and brokers.

DAVID ARNOLD
UK cyber, media and technology team leader in the financial and professional practice
Marsh

DAVID began his career in insurance in 1990, working for Minet International Professional Indemnity (MIPI), servicing the “Big Six” accounting firms. In 2000, he moved into UK professions, where he focused on magic circle law firms and other professional indemnity business. During this time, he assumed the role of team leader responsible for international technology E&O business. David joined Marsh in 2012 to lead the firm’s communications, media and technology (CMT) team, within the UK financial and professional practice. Leading a team of 18, David specialises in cyber, technology, and E&O risk advisory; as well as product development and the placement of complex programmes for Marsh’s global client base.



QUESTION 1

What are the key market trends that brokers must be aware of in the cyber space in 2019?

DAVID ARNOLD

The interoperability and increasing complexity of new technology, including AI and robotics, means society is on the cusp of dramatic change. For clients, understanding these cyber risks, the liabilities they create, and how they can then be insured across different policy lines, for example, dedicated cyber insurance products, errors & omissions, or property, is becoming an increasingly important area of consideration.

The rise of cyber warfare among nation states and organised crime groups means that older policy conditions, such as traditional war exclusions, need to be changed. Clients need to be certain that their insurance will respond, in the event of a loss. For brokers, our role is to assist clients in having a truly holistic view of the spectrum of risks they face, and ensure their insurance programmes are robust enough to respond whenever they need them most.

ERICA CONSTANCE

The methods used by cyber attackers are constantly evolving and therefore brokers and the industry as a whole needs to constantly keep up with and respond to emerging threats. We are consistently working with our service providers to stay on top of emerging trends in cyber exposure to make sure we are ready to support our customers with the risks they face.

There has been a trend over the past couple of years for coverage to continually be broadened and constantly evolving and I think it is really important that everyone involved with the cyber insurance policy purchasing, from the insurer to the broker to the customer, are aware of the intent of the coverage they are buying and what would happen in the event of the claim and that we have enough information from the customer to provide the best possible cover.

STEPHEN RIDLEY

I think it’s less about specific insurance market trends and more about the cyber security trends we’re seeing which will, in turn, shape the insurance we provide. A key trend is the growing ease with which cyber criminals can deploy ever-more sophisticated techniques. Take ransomware as an example; as soon as a decryption key becomes publicly available for a type of ransomware, criminals are almost instantly able to release a new variant, leaving the security industry to constantly play catch-up.

Criminals are also exploiting new techniques. Over the last 18 months we’ve seen a shift from ransomware to the use of other methods such as cryptojacking – the hijacking of a company’s systems to mine bitcoin. Cryptojacking can be much harder to detect as criminals look to keep it hidden so they can maximise the benefit. While cryptojacking might not cause any damage in itself – beyond slowing a computer’s performance – there is malicious software sitting on a company’s systems that could easily be changed to disrupt or steal data.

Something else we’ll also see is the use of artificial intelligence (AI) in future cyberattacks which could be a huge threat for businesses. It is why it is so important that when buying a cyber insurance policy, a company has confidence that the cover will perform not just based on the existing threats identified, but also on any future threats which might be developed during the policy period.

• 23% Ransomware
• 20% Hacker
• 16% Data loss or misuse
• 13% Other
• 12% Payment diversion and phishing
• 7% Lost device or documents
• 6% Malware
• 3% Software or hardware failure

Source: Hiscox 2018 Cyber Claims Report


QUESTION 2

Which client groups should be the target markets for cyber insurance this year?

ERICA CONSTANCE

The number of opportunities in the cyber insurance market is growing as businesses become increasingly aware of the potential impact of a cyber incident. Any company that holds any data, including that of their employees, has a cyber exposure and most industries have a business interruption risk as a result of a cyber incident impacting IT systems, although the immediate impact will vary by industry.

A key focus would be sectors in which cyber insurance had not previously been purchased on a widespread basis but that are becoming increasingly exposed to cyber risks as a result of evolving reliance on new technology. For example, there is an increasing reliance on technology in the construction and manufacturing sectors in terms of automation and interconnected systems, and the potential business interruption loss as a result of a cyberattack affecting the IT network is becoming a greater risk.

There is a significant opportunity to add value to small-to-medium-sized businesses that have yet to purchase cyber insurance, particularly as the impact of a cyberattack could have major consequences for smaller firms that are less likely to have spare resources or funds to handle an incident alone and may not be able to recover at all. Perhaps one barrier for the SME market has been perceived complexity and time around purchasing cyber, however the insurance industry is evolving to make solutions for smaller companies more accessible than ever. For example, QBE offers a quick quote cyber option and an e-traded solution for smaller businesses to make it easier than ever to find the right cyber cover.

DAVID ARNOLD

With its origins in the “dotcom” era, cyber insurance originally focused heavily on “privacy exposed” businesses and those with online operations. Historically, the early adopters of cyber insurance included retailers, healthcare, hospitality and financial institutions.

Since its inception, cyber insurance has evolved to include industry specific forms, business interruption cover and system failure triggers, and wider supply chain failure. Privacy is no longer the core reason to buy cover; conversations are now focused on wider business technology risks and how cover can be adapted to fit each business segment more holistically. This is particularly the case with the manufacturing, energy, travel, and logistics industries, which are incredibly reliant on technology throughout their operations. Both corporate technology and operational technology failures could give rise to significant financial losses.

MAURO SIGNORELLI

The traditional buyers of cyber insurance – corporations holding large amounts of customer and sensitive data such as financial institutions, healthcare organisations and retailers – continue to dominate the overall cyber market, but we have seen a strong uptick in manufacturing and industrial corporations looking to insure their non-physical business interruption exposure.

However, with the focus on large organisations, limited attention has been given to covering the cyber risks that individuals face. Individuals are the primary target for identity theft – one of the fastest-growing crimes of the digital age – and are the most susceptible victims of phishing attacks, with teenagers and older family members more likely to click on unsafe links, share personal data via an unprotected wireless network or non-encrypted website, and disclose financial credentials to unauthorised parties.

Social engineering has also become very sophisticated and increasingly common, as seen in the recent extortion campaign in which criminals sent blackmail emails claiming to have compromising information about the recipient and threatening to expose a range of illicit activities if a payment was not made. This eventually forced the victim to click on a link that downloaded malware or spyware on to their computers. This is increasingly relevant as every home is becoming “smarter” with multiple electronic devices connected to the internet, most of which have very limited privacy and security controls as demonstrated by an increase of 600% in IoT attacks in 2017, according to Symantec.

Attacks that target individuals can have prolonged and distressing consequences. The disclosure of bank details and personal details can lead not only to unlawful withdrawal or transfer of funds, but also to identity theft with fraudsters opening up new bank accounts and applying for credit cards and loans, thereby damaging the credit report of the victim. It takes a very long time to deal with the consequences of identity theft and restoring someone’s identity can be expensive.

Aspen Insurance, in partnership with Digital Risk Resources (a company partially owned by Aspen Insurance), has developed the Cyber Home Advantage Privacy (CHAP) product to provide first and third-party cyber insurance to personal lines policyholders. With this product, we provide 24/7 IT technical and legal assistance and give access to an identity theft fraud specialist to guide the insured through challenging times and help them to restore their identity. We also provide ransomware and cyber extortion support to help policyholders free up their computers and personal devices, and clean them of malware and restore any compromised data. The cover also extends to loss of funds arising from a social engineering event.

STEPHEN RIDLEY

Everyone! Can you think of any business that wouldn’t have an exposure? It is very difficult to think of a company that doesn’t use a computer – even if it’s just for bookkeeping – or a mobile device that simply stores contacts. What if that device was compromised and they couldn’t access those contacts?

While every business is a target market for cyber insurance, there will obviously be different degrees to which companies are exposed which should be reflected in the type and level of insurance cover that they buy. The businesses more likely to buy cover are those that would feel the impact of a cyber incident more acutely and are dependent on the operations of their IT systems to generate revenue. Business interruption costs related to a cyberattack are becoming an increasing concern for companies.

The General Data Protection Regulation (GDPR) has also focused the minds of businesses who hold and process large amounts of personal data. The introduction of GDPR in 2018 was a big trigger for an increase in Hiscox’s cyber policy volumes.

AVERAGE ESTIMATED COST OF ALL OF AN ORGANISATION’S CYBER INCIDENTS IN THE PAST 12 MONTHS

• $33,787: UK organisations with 249 or fewer employees
• $462,633: UK organisations with 250 or more employees
• $554,596: UK organisations with 1,000 or more employees
• $1,000 – $20 million: The overall range

Source: Hiscox Cyber Readiness Report 2018


QUESTION 3

How can brokers overcome the “it won’t happen to me mentality” held by many smaller businesses in reference to cyber issues?

STEPHEN RIDLEY

Most attacks are indiscriminate; criminals using automated tools to search the internet for businesses that have vulnerabilities. Hiscox’s 2018 Cyber Live campaign, which involved setting up ‘honeypot’ servers, showed the extent of the problem. The servers were hit thousands of times a day by criminals simply scouring the internet looking for systems with inadequate defences.

Businesses will be dealing with the same volume of attacks on a day-to-day basis. Their anti-virus or firewall will block most of it but when the attacks are so frequent, it only needs a small number to get through for it to be a significant issue. Most claims we handle – around 75% over the last three years – are from smaller businesses, revealing how this group needs to be mindful of cyber-crime.

Often the small business isn’t the end goal either. It might be that the criminal is looking for a way into a bigger company and rather than target a well defended and well IT resourced business, an easier route in can be through that organisation’s smaller suppliers.

WHERE ORGANISATIONS RANK ON THE CYBER READINESS TEST

• Cyber Novices: 73%
• Cyber Intermediaries: 16%
• Cyber Experts: 11%

Source: Hiscox Cyber Readiness Report 2018

ERICA CONSTANCE

Virtually all businesses have some type of cyber exposure and factors such as regulation and evolving methods by attackers mean they should be thinking about these risks more than ever. Brokers should be communicating with small businesses about the effect an attack could have on their operations, as many small businesses will not have the financial security of larger organisations to absorb an attack.

Anonymised case studies can be a great way of illustrating that it is not just larger businesses that can be the target of an attack. They should be asking questions like “what would be the impact on your company if your network was down for a period of time?” In addition, rather than thinking of it as just an insurance policy, think of it as a service-led proposition that can provide access to expert advice and support in the event of an incident as part of the cover such as IT forensics and legal advice.

DAVID ARNOLD

The “it won’t happen to me” mentality is not restricted to small businesses. In fact, many small businesses do buy cover, for the peace of mind through robust cyber and crime coverage and the access it provides to crisis response services. For micro businesses or sole traders, electronic devices such as PCs, tablets and phones can be protected with local firewalls and anti-virus software, with additional support being available from software and hardware vendors. Many small businesses are influenced by budget; pricing and product awareness are key factors in the take-up rate, rather than it simply being a, “it won’t happen to me” attitude.

As businesses get larger, attitudes change. These organisations typically have sophisticated IT departments and greater investment in risk mitigation. In the past, some larger businesses have perhaps thought that their systems are “too good” to fail, or that what they do as a business wouldn’t put them on a hacker’s radar. This mindset has changed; the proliferation of nation-state hacking tools means that indiscriminate attacks are now as likely to take a network down as a targeted attack or technology failure. Many CISOs now believe that it’s not a case of if their organisation is targeted, but when. Legislation, such as the GDPR and NIS Directive, are also key drivers in determining how businesses now respond to a cyber event.



QUESTION 4

What are the key differences between cyber as a standalone product and as an add-on? In which situations should brokers consider one option the better choice for their clients than the other?

MAURO SIGNORELLI

Corporate cyber is a complex product with various coverage grants available and, as such, really needs to be tailor-made to fit the specific needs of the organisation and their business model. Therefore, we wouldn’t encourage the one-size-fits-all approach that would be adopted with an add-on offering.

Transferring cyber risk to the insurance market can be complex and it is important to acknowledge that there is often an overlap between standalone cyber policies and other insurance lines. This is particularly true for property and casualty if there is no specific cyber exclusion. This leads to a debate over whether cyber cover is provided – known as ‘silent’ or non-affirmative cyber – and how different policies will respond. We would always advise brokers to analyse the overlap of coverage and discuss this with clients and underwriters when at the placement stage to prevent unintended gaps.

When it comes to personal lines, the needs of policyholders are very similar and a standardised add-on distribution model is the most effective way to ensure successful access to the product. The beauty of this product is that it is versatile and can be easily sold as an add-on to complement the scope of cover in more traditional lines of insurance such as home and contents as well as motor insurance, and look towards protecting individuals against the risks associated with the ever-growing digital age. It is this versatility that lends itself to be easily added-on to pretty much any personal line insurance product such as handset device warranty, health insurance or even through bancassurance, credit card added-value services, or any high net worth individual membership services.

DAVID ARNOLD

Standalone cyber cover is typically underwritten by dedicated cyber insurers who have aligned their underwriting rationale to their risk appetite; they know what they are prepared to cover and what they cannot cover. These dedicated insurers typically have wider policy triggers, and may also provide access to emergency hotlines that support clients through crises.

A bolt-on policy is unlikely to offer the same level of breadth: it may be deficient in areas such as business interruption, have limitations in terms of the policy trigger (often limited to a security event), and may not provide access to crisis support, which, for many businesses is a critical reason to buy cover. Therefore, there could be potential gaps in cover, or a higher bill after an incident occurs.

A number of bolt-on cyber extensions have been written without input from cyber insurers and may be vague; so-called ‘silent cyber’ cover means policies may actually insure unforeseen events. Pressure from the PRA and Lloyd’s, among others, means insurers are now addressing the issue of silent cyber, with the intention to adequately underwrite it and adjust premiums accordingly.

A bolt-on was historically seen as a good starting point, but as stand-alone cover has improved - particularly relating to business interruption cover - it has become more compelling to buy separate and more specific cover which also then helps to preserve other policies for their original intended purpose. If a business wishes to have a truly appropriate bolt-on, great care needs to be taken to ensure it fits with their full needs and closely matches the coverage offered within a stand-alone solution.

STEPHEN RIDLEY

Cyber add-ons will become fewer and further between. They are often limited in cover e.g. if you’re adding cover on to a professional indemnity policy the add-on might be just for the notification costs following a data breach, but none of the other associated expenses such as IT forensics, legal and reputational advice, business interruption; or even for negotiation or ransom expenses after a ransomware attack. If you’re only buying one element of cover, it potentially leaves a big area of uninsured exposure. At Hiscox, we have stopped providing any add-ons and taken the approach that if we are going to provide cyber cover it will be a comprehensive policy that is fit for purpose for the customer.

Over the next couple of years, we will see insurers stripping back on where they have previously been giving some element of cover in other insurance policies – what’s known as ‘silent cyber’. Insurers will take a much harder line in terms of excluding cyber losses from their other classes of business which, in turn, will drive a greater take-up of standalone cyber cover. It’s also becoming evident to most companies that they are more likely to suffer a cyber incident than they are a burglary or a fire – risks that are nearly always insured. Cyber insurance may end up being a higher priority cover than some of the more traditional lines.

ERICA CONSTANCE

Stand-alone products tend to be broader in coverage and can more easily be tailored to the individual needs of the business. They often cover a wider number of incidents and are generally written by an underwriter who has spent time understanding the company’s unique exposures. Add-on policies tend to be lighter in scope in terms of what they cover, and it is less likely the cover will include access to services such as expert advice in the event of a claim. We also try to meet as many of the businesses we work with as possible, so there can be the benefit of having the support of a team that is familiar with your cyber risk exposures as part of a standalone policy.

EIGHT REASONS TO BUY A STANDALONE CYBER INSURANCE PRODUCT

• Mitigation costs
• Rapid restoration of systems
• Covering the cost of notifying affected parties
• Preserve your business critical data
• Cover for the unprofessional accident
• Payment of fines
• Inner limits on PI policies
• Cyber extortion

Source: Howden Group


QUESTION 5

What are the vital elements of any ‘good’ cyber insurance policy and which elements would you highlight as being particularly important for different groups of clients?

ERICA CONSTANCE

It is crucial to make sure the client, broker, and underwriter are all clear on the intent of the cover and what is the process if a claim happens, so that everyone knows the next steps. Speed of response is one of the most important things as the longer the duration of a cyber incident the greater the potential for damage. Part of this is making sure the insurer has a panel of experts that can respond regardless of the time of day or day of the week that the incident happens.

Clear insuring clauses, definitions and exclusions are also important. This is where specialist cyber brokers really add value, ensuring that the coverage provided is not only relevant but the best achievable in the market for that particular company. Every insurer provides different cover and therefore the broker’s guidance of what is a vital element of a policy to a certain company is invaluable.

STEPHEN RIDLEY

The single most important aspect of a good cyber policy is the response following an incident. In few other lines of insurance is the immediate response as vitally important as it is with a cyber claim. At Hiscox, it’s a philosophy that is central to our cyber cover. Getting boots on the ground to deal with an incident from the first minute is key both in terms of managing potential GDPR exposure – where there are 72 hours to report an incident once discovered to the Information Commissioner’s Office – but also from a business impact perspective; the quicker the incident is dealt with, then the quicker the business can be back up and running.

A good policy will start by providing a specialist IT security team to conduct a forensic investigation of an insured’s network; legal experts must then be available to determine the next steps; the insured’s network should be secured; forensic investigation completed; and regulators notified (within 72 hours of the breach discovery).

Reputation is everything and the policy should provide for ongoing access to a PR agency (global if necessary), who have the expertise to deal with crisis containment and reputational damage. Managing customer relations is critical and establishing a call centre will help deal with customer enquiries and limit potential loss of business. Ongoing monitoring of fraudulent activity using customer data is also vital; and the policy should provide cover for business interruption costs, quickly paying out to limit long-term damage to a company’s financial health.

Every element of this cyber response is vital to any business regardless of the sector it operates in, but there may be differing priorities for customers. A manufacturer or retailer, for example, may have a greater focus on business interruption, while a medical company may be more focused on its data breach response, but clients will often need access to every aspect of the cover provided by the policy when the worst happens.

DAVID ARNOLD

Simply, a “good” cyber policy is one that responds to the client’s needs and pays a valid claim. For example, there may be little point in a military defence contractor with 100 staff buying £10 million privacy cover when business interruption is likely to be their core risk; likewise, given the industry, the war exclusion may require further exploration. Also, a retailer that stores credit card details or has a large database of customers in a non-encrypted format may require a significant privacy focused policy, including protection from liabilities arising from the GDPR or PCI under a merchant services agreement.

All basic forms should cover areas such as:

• Liabilities arising from a privacy breach and breaches of GDPR (fines where insurable)
• PCI agreements
• Media content liability
• Network liability (including virus transmission to others)
• Business interruption
• Data restoration
• Crisis response services

COMMON EXCLUSIONS IN CYBER INSURANCE POLICIES:

× War
× Political risks
× Nuclear
× (Cyber) Terrorist attacks
× Property & material damages
× Bodily injury
× Unauthorised collection of data by the insured
× Strike
× Infrastructure failure
× Theft of telecommunications services
× Online gambling
× Large online consumer auctions
× Payday loan companies
× Non-malicious cyber
× Natural perils
× Contingent business interruption (CBI)
× Directors and officer (D&O) warranties
× Claims from internet service providers
× Regulatory fines
× Economic value of data
× Extortion payments
× Adult entertainment
× Online and offline dating agents
× Online sales of firearms
× Virtual currencies

Source: European Insurance and Occupational Pensions Authority
