Risk managers are keen to mitigate their cyber exposures, but are voicing apprehensions over the availability of suitable insurance coverage
Cyber insurance finds itself teetering on a vital adoption tipping point for risk managers.
At the 2016 Strategic Risk Forum in Singapore, attended by more than 200 risk managers, only 23% of delegates had a standalone cyber liability policy. More than one-third were considering a purchase, however.
So is something causing a disparity between cyber insurance demand and risk manager adoption?
Mitigating cyber exposures
Andrew Mahony, regional director, Financial Services & Professions Group, Aon, says that cyber losses, whether caused by malicious attack, user error, or both, are not preventable.
“Companies with good governance and security measures can reduce the likelihood or limit the impact of these losses but the threat cannot be eliminated.
“For that reason, cyber risk transfer needs to be considered in conjunction with risk prevention.
“Cyber insurance enables companies that prioritise cyber security to implement a holistic response to their cyber exposure,” he says.
Mahony says that Aon’s clients are first seeking to understand their cyber risk profile and how their existing insurance programme addresses cyber exposure.
“When gaps emerge in that analysis, companies look to cyber insurance to cover their exposure,” Mahony says.
“The primary concern for most companies is the large amount of sensitive data for which they are responsible – for customers and employees – although the potential for operations to be shut down by a cyber-attack is also a significant risk.
“Companies are also looking to insurers to provide direction and expertise with the engagement of external consultants to assist in cyber remediation actions,” he says.
Weighing the pros and cons
As cyber insurance matures as an offering, it is boosted by its benefits and restricted by its issues.
On the positive side, Mahony says that cyber insurance offers well-rounded cover for both the direct loss suffered by a company and its liability to third parties.
“Good cyber insurance policies provide cover for business interruption, regulatory fines and penalties, and cyber extortion events.
“Pricing in the Asian market, while not yet consistent, is far more competitive than in other markets,” he says.
Geetha Kanagasingam, vice president for UK, Europe & APAC, Group Insurance and Group Risk, Barclays Bank, says that the scope of cyber insurance also covers data breach notification expenses, something which has become a mandatory requirement imposed by regulators in many jurisdictions.
“[Cyber insurance also] fills up the gaps of cover as only some aspects of the cyber coverage elements may be found in existing policies such as crime policy and/or professional indemnity.”
Kanagasingam says cyber insurance also offers a possible competitive edge, as more clients are enquiring whether firms have a cyber insurance policy in place.
On the negative side of current cyber insurance offerings, Mahony says one general deficiency is the absence of cover for bodily injury and property damage arising from cyber events, under both traditional insurance products and cyber policies.
Kanagasingam adds that there is still insufficient capacity in the cyber insurance market.
“[The] limit purchased may range from single digit in millions to triple digits in millions globally, notwithstanding the fact that the demand for higher limits is increasing,” she says.
“[There is also] additional cost which is naturally an issue as insurance premiums charged for cyber insurance policy are volatile since this is a fairly new insurance product with relatively young history of data.”
Kanagasingam says further issues emanate from extensive disclosure, as insurers tend to request too much internal information that is sensitive and confidential.
“So are firms confident to reveal this information to insurers who after all are also potential targets to cyber risk events?” she says.
Risk manager concerns
Cyber exposures have kept risk managers keen for cyber insurance products, but several concerns have dampened their adoption rates.
“We have made some initial [cyber insurance] inquiries,” says Richard Cassidy, risk financing lead, EnergyAustralia, “and obtained premium indications for an ‘off the shelf’ product, but did not proceed to a purchase.”
Cassidy says that while cyber insurance offerings address many of the potential cyber exposures, gaps remain.
“Insurers and brokers need to get better at communicating to IT security professionals, as well as insurance buyers and risk managers, in relation to how cyber insurance products can complement a firm’s existing risk management regime and mitigation framework,” he says.
Another risk manager told StrategicRISK Asia that despite shopping around, they have not currently purchased cyber insurance, “due to low limits and very narrow wording.”
The risk manager believes this is due to the “immaturity of the product offering to date.”
“Cyber insurance has not been, and I doubt ever will, get to the real pain points which companies face in this space, such as cover for ‘loss of opportunity’ if, for example, there is a known cyber intrusion which accesses confidential bid information, which then subsequently means the bid is lost,” he says.
Barclays’ Kanagasingam adds that as such gaps persist in cyber insurance, it remains the case that such cover is simply no replacement for a robust cyber prevention and security programme.