Triggering the (Cyber Liability) Change in Europe by Carl Moore
The cyber liability insurance market has gone through a rapid evolution in recent years. Today, there is a range of first-and third-party products on offer designed to meet a variety of clients’’ needs, and a buoyant and competitive market keen to write this business. The US is leading the world in terms of product use and acceptance. While European clients are interested in cyber cover and we are seeing inquiries from non-US businesses, particularly from the retail sector, the take-up of cover in Europe is not happening as quickly as predicted.
Looking at the way the US market for cyber liability cover has developed, the main driver of sales of cyber products has been data privacy legislation, which forces companies to inform customers of any break of their data- No matter how big or small. This notification element, combined with fines, seems to be the main trigger for an increase in policy sales.
In the EU, the data privacy legislation is due to be ratified. However, there is still no confirmed date for this. When it becomes law, any firm found to be not taking adequate steps to protect a customer’s data will risk significant fines and be forced to notify customers of any breach. The general consensus is this law should be the catalyst that brings cyber policies into mainstream insurance programmes in Europe.
Many clients are confused as to the right cover for them and what cover they have under existing traditional policies.
Some clients just want specific coverage: these clients tend to be from a cross-section of industries and want a “roadside assistance” approach, which provides a hands-on service to help in the event of a cyber incident or data breach. These clients need access to experts who can provide the crisis services required to minimize the impact of the event on their customers, their business operations and brand reputation. Others want third-party cover to protect their business from knock-on liability claims that can result from a cyber incident and some want a combination of the two and are looking to buy both aspects under one policy.
Many clients think they have some coverage under existing property or professional liability policies, but most are unclear as to what this cover is and what the triggers are. Clients need to understand their risk and be explicit about the cover they want. Once of the problems with the cyber market at present is the language used is often a barrier, as there are a range of names for this cover – for example, cyber liability, data breach and technology insurance – which adds to the confusion.
Lack of Data
As a relatively new form of insurance there is minimal loss data available to model risks. If a category five hurricane hits between Miami and Fort Lauderdale, insurers will be able to estimate aggregate losses within hours. However, if a cyber attack caused an infrastructure breakdown in a city or industry sector, it would be virtually impossible to estimate losses. Lloyd’s is focusing on this issue and new risk codes have been introduced to help make aggregation mapping easier, and this lack of loss data will improve over times.
There is also a limited number of people with the requisite experience in the market for this complex area of insurance, so it is not for the uninitiated. There is a need to educate markets and brokers on this form of insurance, who in turn can help to inform clients and build their understanding of the risks and the mitigation options open to them. There are a number of markets interested in entering the sector, but I urge them to only enter with their eyes open and really understand their reasons for doing so, and also to consider carefully the cover they are going to offer.
There is no doubt European market acceptance for this form of insurance is set to grow and it is the one of the most exciting emerging risk sectors today. However, the market has a big role to play in helping clients to understand their risks and in guiding them to the right cover if this area of insurance is to get the credibility and acceptance that it warrants.
This piece was originally published in the Feb. 9, 2015 issue of Insurance Day.