Global broking and risk management company Aon has been placing dedicated cyber insurance policies since about 2005. While very few policies were purchased that year, Fergus Brooks, Australian National Practice Cyber Leader, Cyber Risk, says demand grew significantly from 2010, as businesses started to understand the damage a cyber incident could have on an organisation.
“Since 2015 we have seen growth by policy count ranging between 30–50 per cent year on year,” Fergus says.
From a coverage perspective, Aon Cyber Insurance Practice Leader Michael Parrant says markets are responding to the developing demand, and policy coverage is continually being enhanced and amended.
“Many markets have migrated away from the traditional ‘reimbursement’ model and are focusing more on a ‘services’ model,” Michael says. “Insurers are offering more pre- and post-incident services to help immediately address the issues. They are fully acknowledging that this type of insurance needs to be embedded as an additional risk management tool for insureds.”
INSUREDS RESIST CYBER INSURANCE
However, many insureds are yet to vote with their feet to take up this option.
“Many organisations are unprepared for a cyber incident,” Fergus says. “They may have focused on one scenario, such as a data breach, but failed to take a supply chain interruption event into account.
“In addition, there are few connections between organisational crisis management plans and cyber incident response plans. There is a lack of senior leadership involvement in preparation and actual response.
“As we have seen in Australia and globally, the only way to reduce the brand and reputational damage from a cyber incident is to handle it well through preparation and testing.”
In New Zealand, Frank Risk Management co-founder and Director Rene Swindley says in the last 12 months, sales of cyber insurance have jumped 400 per cent, with clients proactively seeking help with cyber risk management and cyber insurance.
“Previously we would go through a reasonably significant education process about cyber risk before convincing the client to try an insurance solution. I feel this has changed. Business owners are now more actively aware of this risk,” he says.
Demand for cyber insurance also continues to increase in Indonesia, where Marsh Indonesia CEO and Director Alistair Fraser-Hawkins sees more clients seeking quotes and purchasing standalone coverage. However, in New Zealand and Indonesia, the market for cyber is still in the early stages of development.
“There are still only a small number of insurers [in Indonesia] who have cyber products available and who have the expertise to underwrite these sorts of risks,” Alistair says.
“I also think that the loss adjusting community is on a sharp learning curve as to how to adjust these types of losses when they occur, especially when considering the business interruption and reputational elements.
“Clients in Indonesia are becoming more and more aware of the risks associated with cyber. As organisations travel on their digitisation journey, there is still a gap in terms of how they can protect their businesses against these risks. Cyber insurance is just one part of any company’s cyber protection strategy.”
Like Indonesia, the New Zealand market is ‘maturing’ in terms of access to good quality cyber insurance products.
“It has only been in the last two years that a suitable number of cyber risk options have become available to business owners,” Rene says. “Traditional insurers are now providing cyber insurance products, and existing cyber specialists [such as Delta Insurance] are refining their offering.
“Unfortunately, the good majority of business owners still do not see value in having cyber insurance – with the rationale being ‘it won’t happen to me’.”
Rene adds that brokers face roadblocks when it comes to the client’s IT professional, who is normally a contracted tech company.
“The client will often revert to their IT professional, which I encourage,” he says. “However, I frequently find that the IT professional feels like cyber insurance or risk management will undermine their technical ability – which ultimately results in the IT professional advising the client against cyber insurance.
“This trend became so apparent that we dedicated a web page to it on our specialist cyber and management liability website.”
UNDERSTANDING THE PRODUCT
In Indonesia, the most common challenge for brokers placing cyber insurance is around knowledge.
“Sometimes, the key decision-makers are still educating themselves on the technical aspects of their cyber protection and how vulnerable they might be to attack,” Alistair says. “In addition, clients often struggle to quantify the coverage that they should buy. Marsh has worked hard to develop cyber risk consulting expertise that can overcome these challenges by helping clients to understand and quantify their cyber exposure.”
For Fergus and Michael in Australia, the challenge for brokers comes down to knowing their clients’ main concerns and circumstances, as well as understanding the product.
“All companies have a need for cyber insurance; however, historically brokers have focused on data breaches as the reason for purchasing coverage,” Fergus says.
“A cyber incident will be significantly broader than a data breach; however, articulating the coverage to clients can be daunting. A specialist broker should be able to identify the exposures and explain how they can be transferred under a policy.”
While new insurance products are being released every quarter, there is little consistency between different insurer wordings.
“This makes understanding cyber policies quite challenging; however, a best practice approach to adopt is putting yourself in your insured’s shoes,” Michael says.
“That way, you can see the exposures from their end and effectively map those exposures against the selected cyber policy. Most insurers will be willing to adapt their policy to provide more relevant coverage when all parties can see and understand the specific exposures.”
BEST PRACTICE CYBER POLICY
Rene says the key to best practice cyber insurance is business interruption. “There are a number of policies in the market which do not handle this well,” he says.
“Brokers also need to understand the claim response process. Ask yourself: Who will respond? Are they capable? How long will it take? Cyber losses are time and expert critical, and the broker needs to make sure the client is in good hands.”
While Alistair is reluctant to give away secrets about how Marsh approaches the sale of cyber insurance, his advice to fellow broking professionals is to understand the coverage available comprehensively and how it will react for the client in the event of a claim.
“Also work to understand clients’ cyber security strategies,” he says.
“From our experience locally and globally, we know that it’s not a case of if a client will have a cyber incident, but when. As digital transformation continues to happen in all industries, this is a risk, so insurance should be front and centre in the minds of both brokers and their clients.”
KNOW THE CLIENT
Fergus and Michael agree.
“Most importantly it comes down to knowing your client, understanding the exposures they face and what specific exposures can be transferred,” Fergus says.
“In our experience, insureds aren’t aware of what coverage is available and what it would mean to them. Bridging that gap will help identify for the insured the value of the policy.
“Despite the need for coverage, purchasing a new line of insurance can be challenging for insureds, especially in the current environment. Perseverance is an important credential for a broker.”
According to Rene, clients want real-life examples of how a cyber event leads to financial loss and disruption.
“If a broker hasn’t had first-hand experience with a claim, they should take the time to talk with underwriters and claims managers so that they can share these loss stories with business owners,” he says.
“My parting comment is that selling cyber insurance is a two-step process. Firstly, it’s about having the ability and the technical knowledge to educate the client on cyber risk. Secondly, the broker must be able to expound the virtues of the cyber insurance policy with clear explanations of how it works at claim time.”