HARROGATE, England — Cyber threats pose the biggest worries for members of U.K. risk management association Airmic Ltd., but less than half actually buy the coverage.
Cyber-related business interruption, cited by 46% of the 150 risk managers surveyed, and cyber risks resulting in the loss or theft of personal data, cited by 44%, were their top two concerns, but only 43% said they purchase such coverage.
“There is clearly a lot of concern” among Airmic members about cyber risks, Airmic CEO John Hurrell said during the group's conference this month.
“Inadequate coverage” and “relevant insurance being unavailable and high cost” were the two main reasons the U.K. buyers gave for not purchasing cyber cover.
According to U.K. government statistics, 90% of large businesses — those that employ more than 500 people — suffered a cyber security breach in 2015; in addition, 74% of small and medium-size companies suffered a breach, said Nick Beecroft, manager of emerging risks at Lloyd's of London.
The average cost of those attacks was £1.46 million ($2.08 million) to £3.14 million ($4.48 million) for large companies, and £75,000 ($107,000) to £311,000 ($443,000) for smaller companies, he said.
While overall cyber insurance takeup is limited, Mr. Beecroft said it is Lloyd's fastest growing class of business. With 65 syndicates providing cyber capacity and limits of up to £300 million ($427.7 million) for a single risk, he said Lloyd's writes about 20% of cyber insurance globally.
“Cyber doesn't obey any of the usual rules of risk that we usually look for” in calculating exposure because it is a multifaceted risk that emanates from human action and can be systemic, he said.
“It is very much about understanding how cyber risks affect your company and, once you do understand that, then we can go to the insurance market and find insurers willing to go out of the box” to provide relevant coverage, said Erica Constance, senior vice president of cyber at Paragon Insurance Brokers Ltd. in London.
“It is not one-size-fits-all; it depends on your industry, and it depends on your geography,” said Laila Khudairi, underwriter of enterprise risk at Tokio Marine Kiln in London.
“For me, as a buyer, I need a policy to say if it has happened and you have suffered business interruption, then you are covered,” whether the attack is a cyber breach, disruptions caused by outsiders or insiders, or whatever the cause, said Mike Jacobs, business continuity manager at Dyson Ltd.
Several insurers now will offer coverage that is an all-risk policy, rather than relying on a cyber trigger, said Graeme Newman, cyber technology and media practice leader at CFC Underwriting Ltd. in London.
While data loss is a big concern for some companies, others are more worried about physical damage, business interruption, inability to trade or reputational damage, said Mark Weil, CEO of Marsh L.L.C.'s U.K. and Ireland operations.
“This all points to a bespoke (insurance) product,” he said.
Buyers, along with their brokers, need to examine what could go wrong and find risk mitigation and insurance coverage to fit that, he said.