Cyber Security: What Insurance Brokers Need to Know
For insurance brokers looking to stand out in the marketplace cyber security is a great opportunity.
The global annual spend on Cyber Liability Insurance has tripled over the last three years, from £550m to an estimated £1.6bn this year. And with 90% of this spend based in the US, there is space for huge growth in the EU markets.
What’s more; the demand in Europe is likely to skyrocket when the new EU General Data Protection (GDPR) law comes into force. This will bring with it a stricter set of regulations and responsibilities for businesses.
This article gives an insight into what brokers can do today in order to better serve their clients in the cyber security space, as well as consider how they might further develop their services for the future.
Help stop most cyber attacks with good basics
A client’s best bet against cyber threats is of course good working practice.
Nearly all successful cyber-attacks known by the Government would have failed if the victim-businesses had adhered to guidelines laid out by the Government’s Cyber Essentials Certification.
For the broker looking to differentiate themselves by offering cyber risk advice and insurance cover, understanding these guidelines or becoming certified and helping their clients to do the same is a good place to start.
There’s more information on Cyber Essentials Certification here.
Failure to spot an attack could be costly
For most small to medium businesses, good working practice should be enough to prevent the vast majority of likely cyber threats. However, it is still worth asking the questions; what is the worst that can happen? How would this affect the business? Would we spot the attack with enough time to limit the damage?
It takes on average 256 days to realise that a malicious breach has occurred, and 158 days to identify a breach caused by human error. By then it is often too late, and the resulting fallout costs each company on average £2m per attack (Ponemon Institute’s Global Cost of Data Breach Study).
Depending on the risk profile of the business, they may need to go beyond the basics.
At r
isk businesses need to be ready to ‘bounce back’
Once the basics are in place, businesses need to be focussing on building a ‘mind-set of resilience’ to cyber threats. This is according to a recent report (September 2015) from Zurich and the Atlantic Council.
What does ‘resilience’ mean?
Bryan Salvatore, President, Specialty Products, Zurich North America, describes resilience as a “means [of] identifying the risks, establishing protective barriers, segmenting the data, creating rapid detection mechanisms and responding effectively—all with the goal of achieving a successful recovery.”
Salvatore recommends that “It should be assumed that some attacks are going to get through” and that “it is critical to be able to identify and stop these successful attacks quickly in order to mitigate their impact.”
Creating this mind-set of cyber resilience is going to require a mind change for many organisations. Cyber security has often been seen as just something to be dealt with by the IT department. For real change it is going to take all departments, led by the board of directors, to instigate change and identify cyber threats across the organisation.
“Humans are the weakest link in the chain,” says Salvatore, “and a security awareness and training program is the lowest-cost security measure with arguably the highest return on investment. So it’s important to make sure all employees engage in ongoing training on the importance of cyber issues.”
It’s also important to remember that cyber disruptions are not always caused by the hands of a hacker. Contractors and customers who mean no harm, also play a part in the risk profile, as well as company employees. A culture of resilience is needed.
The message to businesses is that they need to take cyber security seriously, starting at director level, and ultimately involving the entire organisation.
Cyber risk is interconnected with the real world
The Cyber Security threat is ever evolving, and according to Salvatore “Data security breaches, cyber crime, espionage, hacktivism and the failure of emerging technologies are only the most obvious risks.”
As we become more and more interconnected with emerging technologies, we are likely to face incidents that cut across what we might feel are unrelated risks – with real world consequences.
Salvatore warns that “Even critical infrastructures such as electric grids, power plants and water distribution systems depend on the internet, so the potential real-life consequences of a cyber incident are increasing.”
One incident could cause a ripple effect across the vendor-supply web, seriously debilitating businesses.
How Brokers Can Help
In the Ernst & Young 2014 Global Information Security Survey, 53% indicated that their cyber security is under-resourced or carried out by unskilled people.
One way brokers can help is by educating their clients about good practice. They can also assist in a risk analysis of cyber threats.
If the broker doesn’t currently have the skills in-house to do this then this could be achieved by one (or a combination) of the following:
- Receiving specialist training
- Making use of a white-label cyber risk consultancy firm
- Recommending a third party such as a specialist cyber liability broker
With the risk analysis complete there is then a discussion to be had about how to handle each risk scenario, and which, if any, should be transferred to an insurer. For example; under the new EU data protection regulations which are expected to come into force in 2017, data breaches will have to be declared 72 or 24 hours (to be decided) after they have been discovered. The cost of notifying any customers that have been put at risk can be considerable. This is the type of cost that it might make sense to transfer to an insurance policy.
The cyber liability insurance market
The cyber insurance market is in its infancy, and although there have been providers of Cyber Liability Insurance Cover for more than 10 years now, in some cases they have not even sold a single product. The market has been awash with high premiums and a lack of underwriting data. Covers that do exist have not necessarily been appropriate for the real risks that businesses face.
With an increasing pressure from regulation, policies are likely to become simpler over time and more acceptable options will be bought to the table. As it stands, there are a number of basic policies available for SMEs – although the exclusions and definitions are not always clear.
The good news is that, as the market is in infancy, there is substantial leeway and innovation that can be applied when purchasing Cyber Liability Cover for your client. And so the best thing to do is to start with the actual risks in mind, and ensure that these are covered – by helping the client carry out a risk analysis.
Supporting a client with their claim
Before recommending a policy it is of course essential to review the post-claims support, and in some cases an appointed contact will take care of everything.
Where this is not the case there is an opportunity to work with third party suppliers to provide a better all-round service. Especially if your client does not have the experience to manage a data-breach incident.
A backwards solution?
The report by Zurich and the Atlantic Council shows that in the developed world, the annual cost of cyber disruptions currently outweighs the annual benefits of being connected.
So is the solution simply to disconnect from the internet?
Whilst this might appeal to some, there are cumulative benefits to being connected, which according to the report’s base case, far exceed the costs by 2030. This is based on the costs of protecting against cyber threats being largely one off expenses.
The world is not about to go offline, the demand for cyber protection will continue to grow and the buzz around cyber is only going to get louder.
Insurance brokers are the logical partner for businesses looking to cater for current and emerging risks. And the broker who gets and stays connected to cyber risks will be of great value to their clients, and is likely to uncover business growth opportunities as a result.
For more takeaways from the Zurich and Atlantic Council report, visit https://knowledge.zurich.com/cyber-risk/