Cyber Insurance is becoming a more challenging product to place. Frequent and severe losses, combined with a previous ‘soft’ market landscape have created profitability issues for insurers. Good cover and favourable terms can still be found, but it is important to keep in mind the following points:
1. Risk Transfer
Cyber follows the same principal as any other insurance product – the buyer has risk that needs transferring and an insurer can provide the solution.
In ‘softer’ market conditions it was easier to buy that cyber product without fully articulating the existing risk mitigation in place.
‘Harder’ market conditions bring a greater scrutiny on exposures and organisations need to demonstrate a higher level of cyber security posture in order to access the best cover.
Those with weaker risk mitigation may struggle to access quality insurance.
2. Proposal Form
The problem with gathering risk- mitigation information is that most insurers require a proposal form (or questionnaire), and the questions tend to be binary (yes/no) with little scope for an answer that might not fit neatly.
This can lead to too many negative responses and may create an unfair representation of the risk controls.
If the answer is ‘No’, then it is important to take the time to articulate any alternative mitigation that the question might not cater for. It is likely insurers will only ask the question anyway (or simply decline the risk without further explanation).
The soft market facilitated broadening policy cover with most sub-limits (for sections of cover that were deemed to be higher risk) given at full limit value and ‘extensions’ (broader cover requests) becoming the norm.
The hard market is now reversing that trend with sub-limits now common on many sections of cover and extensions removed or restricted.
It is important to appreciate how these sub-limits work and understand the relevant importance to the insured.
Choosing a product with flexibility of cover allows the insured to focus on key areas of cover, potentially saving premium by removing unnecessary sections and reducing insurer hesitancy to provide terms.
4. Excess Layers
In a harder market insurers look to manage their book and reduce exposure to higher limits. This creates a greater need for excess layers, particularly if the limit is required for contractual reasons.
It is important to understand what the contractual request is for (cyber is a broad term) and therefore how to approach an excess market. It might be only 3rd party coverage that is required, making the excess layer insurer more comfortable and helping manage the costs.
Some higher limits will be exposure driven, but it is possible to manage expectations on the availability of cyber capacity in a harder market and understand the complexities of building a program (especially with sub-limits on some of the 1st party coverage).
In difficult trading conditions it is important to be wary of ‘low-touch’ underwriting that places an emphasis on qualifying statements and effective self certification.
It is not unusual to find some language built into the product that reduces cover or requires a certain standard of risk management.
The soft cyber market was partly driven by this historic low-touch underwriting (assuming risk without true knowledge of the exposures) designed to simplify the buying process.
Cyber Insurance is not complicated and can be simpler still if time is taken to be clear on the risk in question.