Premium content: How to sell cyber insurance – with sparse data and multiple interpretations, it’s not easy

Cyber insurance is a complex product to sell. The data is sparse and difficult to interpret, which means that it is harder to present an argument that resonates with customers.

That’s in contrast to more established insurance products that cover perils in the physical world, such as property insurance.

This article is an excerpt from the Insurance Times Cyber Product Report 2017. A full version of the report is available free to subscribers.

Despite the difficulties of creating a compelling argument, Aon’s global cyber expert Kevin Kalinich says it is possible to bring the risks of not having cyber insurance to life, and the key to that is real-life data examples.

“Instead of using scare tactics, we want to educate our customers using actual data,” he says. “We are showing them that there are public companies disclosing these attacks as material events affecting their financial performance, and then we bring together material data that shows the increase of purchases of insurance in their particular industry and revenue band.

“Organisations want to understand how these cyber exposures and solutions impact them. They don’t care as much on a generic basis about how it is affecting all these other companies that aren’t like them. They want to see how it affects their specific circumstances.”

He adds: “They want it to be brought to life how cyber exposures impact their financial statements, not how it could impact a generic financial statement. That then brings to life the options available to them that can minimise that impact on their financial statement.”

Knowing what data to use, however, first requires understanding the risks that face a particular business, and then which policies will meet its needs. Safeonline head of technology and cyber David Dickson says this is particularly difficult in the young and diverse cyber insurance market.

“Cyber insurance is still a very basic market, and where cyber insurance is failing is in the transparency of what the policies cover,” he says. “If you look at a well-established market like the terrorism market, they have 10-15 wordings across the entire market and standard definitions.

“We have 20 wordings just ourselves, and definitions vary from wording-to-wording let alone across the marketplace, so there is still a lot of work to be done on clarifying what is actually covered.”

Speaking at the Insurance Times Cyber Insight conference last year, HSB Engineering product development manager Paul Cullum said: “A lot of cyber cover has been created using a top down approach; with many types of cover having a lot of technical language and policy documents having many pages.

“We need to create a much more SME-friendly approach to providing cyber risk, but I am not saying we should dumb down the type of cover we offer.”

Understanding the exclusions

Aon’s Kalinich says that understanding how exclusions can impact a client is vitally important for brokers, particularly in such a diverse and complicated market.

“Most of the base policies, unfortunately, do have material exclusions,” he says. “However, to the extent that organisations identify the most important elements for them, it is possible to negotiate a carve back to an exclusion for your particular situation.”

For exclusions based on terrorism, he asks: “How do you know who committed the attack? How do you know if their purpose was for terrorism or not? It’s a silly exclusion because the impact on the company is the same, regardless if it was a cyber terrorist, cyber criminals or a thirteen-year-old sitting down in his Mum’s basement – the impact of all three on the financial statement is the same.”

Despite these complexities, Dickson says the market is maturing and cover providers are constantly coming up with new policies to help the variety of customers that are looking for cover from the cyber insurance market.

The key for insurers, he says, is to listen to brokers, listen to clients, and provide policies that are needed to fill the gaps that still exist in the cyber insurance market.

“There is no doubt that the insurance market is responding to the requirements of its customers, and you are now seeing insurers and brokers producing manufacturing specialist policies that have property damage and bodily injury clauses in there,” he says. “That is not because the insurers want to give that coverage away, it is because the customers require it.”

Mind the gap

Gaps in cover can leave a client exposed and at risk of facing a claim that won’t receive a full payout from an insurer. Here are some of the biggest exclusions and limits, and what they mean for businesses.

Watch out for aggregate limits – with the average small and micro-business experiencing two cyber attacks every year (that figure rises to four for medium-sized companies and eight for larger businesses), having an aggregate limit on what can be claimed in a single policy period could put customers under pressure if they experience multiple attacks.

Beware of the supply chain – more than half (51.5%) of companies do not assess their suppliers or customers for cyber risks, and just 17% of medium-sized companies require their suppliers to adhere to any cyber security standards or good practice guides.

But with a number of policies in our review not providing cover for a breach by a supplier, companies could be unnecessarily put at risk if the right policy is not put in place.

Terrorism or just another hack – even detecting a cyber hack is difficult, so locating where an attack comes from is even more difficult.

This means that exclusions for cyber terrorism or socially motivated hacking can be particularly dangerous for businesses.

It’s not all about the data

As well as providing cover for the direct costs of dealing with a cyber breach or attack, the broadest coverages also provide cover for the indirect and slow burn costs of a cyber event, namely reputational damage.

For Lloyd’s chief executive Inga Beale, this is one of the biggest factors to consider when assessing the cyber risks facing a company.

“The reputational fallout from a cyber breach is what kills modern businesses,” she says.

“And in a world where the threat from cyber crime is when, not if: the idea of simply hoping it won’t happen to you isn’t tenable.

“By reacting swiftly to mitigate the impact of a cyber breach once it has occurred, companies will be able to minimise the immediate costs and their exposure to subsequent slow burn costs.”

And those swift reactions can be aided by the additional benefits that come with a cyber insurance policy, such as crisis management teams, IT forensics and legal advice.

Matthew Martindale, director in KPMG’s cyber security practice, says: “Cyber risk has moved up in the business agenda and businesses are taking measures to prepare themselves. However, they are failing to factor in the long-term damage that a breach can cause, and the cost implications of it.

“Dealing with things like reputational issues and litigation in the aftermath of a breach can add substantial costs to the overall loss. Businesses really need to start thinking about the cyber risk holistically rather than one that is currently very short sighted.”