Despite a continuing increase in cyber breach events, a changing regulatory landscape (post GDPR) and a further increase in use of (and reliance on) technology, cyber insurance is still often regarded as a difficult product to sell. Notwithstanding this, there is certainly an increase in policy uptake and the market continues to grow. One of the difficulties for brokers that remains is the lack of standardisation and some wild inconsistencies, with every insurer laying claim to have the best policy language. This can leave brokers, and their clients, on the ropes, with fundamentally different approaches to underwriting, pricing and content.
In the red corner are the insurers that offer a streamlined underwriting approach with limited questions. This is great for quick decisions and a simple purchase process, but possibly not so good when it comes to the detail in the policy wording or the way the incident response services (if they exist) are triggered and engaged. It is a generally accepted position that, if an insurer doesn’t do the underwriting up front, there are likely to be ‘protections’ for the insurer built into the policy instead. This can create problems at the cyber event stage, when exclusions bite or the assumed state of the insured’s systems turns out to be inaccurate or non-compliant. Or, the cyber event is covered but the client needs to manage, pay for and coordinate the incident response service (and associated vendors) themselves, as opposed to having it coordinated, and paid for, on their behalf.
In the blue corner are the insurers that conduct more initial analysis, who may require a proposal form and dig a little deeper to understand the risk further. This is sometimes perceived as unnecessary or difficult, but it is crucial to arriving at a solution without the same level of restrictions. So, if a question is raised in relation to legacy systems (i.e. servers that may no longer be supported), that’s probably because their policy doesn’t have language removing cover if the insured fails to update, upgrade or test software (or operates any unsupported/legacy systems), as some of those in the red corner may do. After all, there is no real need to ask a question about something if you’re not covering it.
We recognise that it’s a difficult market to navigate and there needs to be a balance between an efficient process and adequate underwriting. However, the growth in cyber insurance has coincided with a rise in online systems and the drive for transactional efficiency. Brokers need to keep their guard up, especially when completing statement-of-fact responses on behalf of their clients. Much of the emphasis switches from the underwriter asking the questions to the broker/client confirming that something does or doesn’t exist, or is true, and warranting that as a condition of the cover.
Ultimately, we’re all in the business of risk mitigation/transfer, so it’s important to understand the client’s cyber risk and how it’s addressed, and then ensure those risks are matched to a policy that is suited to their needs, all at a competitive price. Working with an insurer who understands this will mean you’re more likely to have them in your corner when you need them; otherwise you could find yourself reeling from a blow below the belt.