In a word, yes! However, one word would not make for an interesting article and you could be excused for branding me as yet another insurance market commentator, espousing the importance of this ‘emerging coverage.’
I do believe, however, that theamount of attention that cyberrisk is attracting in the mediais justified and that we are fastapproaching the ‘perfect storm’for cyber insurance. Not onlyare attackers becoming smarter,increasingly agile and morecommercial with their dark-trade,but global regulatory frameworksand increased public perceptionabout the importance and integrityof privacy mean businesseswill need to proactively respond.Cyber security protocols andprotections will need to be prioritised,and businesses will need to alsoplan for their own version of the perfectstorm; which can leave companiesvulnerable to irreversible financial andreputational damage.Luckily for our clients, the insurancemarket continues to analyse, assess andrespond. Despite that, there remains afew growing pains for everyone involved.Here are a few key things for to look outfor in 2019 and beyond.
The (continued)rise of Ransomware
Over the last few years, we have witnesseda meteoric rise in ransomware incidentsand the propensity of these attacksto spread globally in a matter of minutes.That said, there have not been anyincidents that have caused worldwidecatastrophic losses – yet! Recent workby the Cyber Risk Management Project(‘CyRim’ 2019) estimates that globalinfection by a contagious malware couldcost more than $193bn (almost twicethe economic damage of HurricaneKatrina in 2005) and affect more than600,000 businesses, both large and small;86% of whom would be completelyuninsured. Ransomware disseminatesvia infected emails, quickly spreadingthrough connected networks anddevices, encrypting data along the way,often bringing companies of allsizes to a standstill. Gone are the daysof when this perpetrator was a human;these attacks are almost entirely doneby bots these days. However, the humanside of the hacker remains with manyof the perpetrators setting up callcentres to "help” companies re-gainaccess to their data via the paymentof a ransom; usually via an untraceablecryptocurrency exchange. The costsfor a company do not stop here though;the reduced productivity during thisdown time, the IT-costs involvedwith repatriation of data and systemintegrity, along with the supply-chaindisruption and reputational damageall weighs heavy on the mind and balancesheet of the victim’s business.The adage of "it’s not a question of ‘if’you get hacked, but when” remains true.Businesses need to ensure they are betterprepared for ransomware attacks.From preventing the likelihood in thefirst place, through intensive employeeawareness schemes, to ensuring any‘downtime’ is minimalised througheffective and regularly tested back-upsand by putting the right type of cyberinsurance in place to respond efficientlyto an attack.
Cyber insurance policies have evolvedto include ‘pre,’ ‘during’ and ‘post’ eventservices. Some policies provide businesseswith measures to help quantify thefrequency and severity of a company’scyber risk. Other policies come with freeor discounted access to other riskmanagement tools, such as military-gradeencrypted back-up providers and/ornetwork monitoring tools. It is fair to saythat cyber insurance is moving awayfrom just being a response and remediationpolicy, towards being a more tangible riskmanagement-tool. I expect this evolutionto continue in 2019 and beyond.
2018 — a hugeyear for privacyregulation
The General Data Protection Regulation(GDPR) took effect in May 2018 and hasalready been instrumental in changingthe way people, companies andgovernments appreciate data privacy.Google (January 2019) has been therecipient of the first major fine underthe GDPR (c. €50m) and we can expectfurther fines and penalties in the nearfuture. It is not just the EU who arechanging the dynamics of data privacythough; within the last twelve months,at least ten other countries have movedto implement similar laws, including:Brazil (‘GDPL’); Australia (‘NDB scheme’)and Canada (‘PIPEDA’). In the US,California, who are often seen as thepioneers of data privacy regulation, willalso implement GDPR-like stringentmeasures in their Consumer PrivacyAct of 2018, when it takes effect in 2020.Cyber insurance often affirmativelyoffers coverage for regulatory fines,penalties and investigations, whereinsurable by law. Whilst the insurabilityof these fines and penalties will likelybe established in the courts, cyberinsurance is still active in helpingcompanies prepare and evaluate theirbusiness practice in light of the newregulatory climate. Mandatory breachnotification is likely to affect mostcompanies worldwide, regardless ofwhere they are based or operate, howevermost businesses are still woefullyunaware of what they would and shoulddo, in the event of a data breach: Who to notify? How to notify? Who should wecall? Lawyers? An insurer? An IT securitycompany? Whether businesses like itor not, these are the questions that theywill have to answer should they have anissue. Prudent businesses will look toinsurance providers to help them toanswer these questions and for riskawareness, management and transfer.
More players,more capacity,more coverage
When our CEO, Chris Cotterell, startedSafeonline in 1999, he was one of onlya handful of insurance brokers in theworld selling cyber insurance; and therewere fewer than five insurers offeringcyber products. As we have becomeincreasingly reliant on technology, bothat home and at work, the opportunityfor crime and the vulnerabilities we facehave proliferated. The insurance markethas responded as the risk emerged andgrew. As such, today there are close to200 capacity providers across the globe,including insurance companies, Lloyd’ssyndicates and MGAs; most of whomclaim to have a ‘market leading cyberproduct.’ There are also more brokers(from those who admittedly "dabble” in thecoverage, to full on specialists) than Ican count. In the last five years or so, theincreased competition across the globehas caused the market to dramaticallysoften, causing prices to drop andcoverage to broaden. The average cyberpolicy of today is incredibly differentto the first iteration in the late 1990s;focussing primarily on ‘internet liability.’Today, cyber policies continue to evolveat almost the same speed as the threatsand crimes against which they areaiming to protect. That said, the industrystill seems somewhat undecided onwhether ‘cyber’ should be treated as aproduct or a peril. What this now meansis that some insurers are starting toprovide coverage such as contingentproperty damage and bodily injury incyber policies, whereby this would usuallybe considered part of general liabilitycoverage. The same can be said of socialengineering and other types of ‘digitalcrime’ which can also be found in somebroad property and crime policies.To further confuse policyholders, sometraditional business package policiesare now extending to provide cyberextensions. This can cause conflict withstand-alone cyber policies; causing issueswith sub-limited coverages, the possibilityof two sets of breach-response and claimsteams being involved in a loss, andpotentially triggering ‘the other insurance’policy condition. The message to cyberprospects and policyholders in 2019 and beyond needs to be clear. Do not betoo prompt in disregarding stand-alonecyber policies in the wake of obtainingcyber extensions elsewhere. Many of thesepackaged policy providers will beinexperienced in handling cyber claimsand might not have in place the rapid andstreamlined response services needed.For prudent companies, cyberinsurance should be seen as a ‘must have,’especially in light of the increasing andevolving risks, greater privacy legislationand growing number of coverage options.However, our role as client advocatesand advisors is crucial and the messageis clear; seek specialist coverage fromspecialist providers, via a broker whounderstands the client’s needs and whatthe insurance providers can offer. Therole of the broker for cyber insurance hasnever been more important and neitherhas the message we are communicating.If a business has a presence online, collectsor processes data, and/or relies ona system or network to derive an income,then cyber insurance is absolutelyrelevant. With the tightening of privacylegislation across the globe, the continuedevolution of cyber risks posing a threatto all, and premiums being at an all-timelow, this is the perfect time for businessesto purchase cyber insurance.
David Dickson
Heads up the technology, cyber andmedia insurance team at Safeonline;a specialist Lloyd’s broker and Brokerslinkmember based in London, UK. Safeonlineremains one of Lloyd’s largest independentcyber brokers in terms of GWP into themarket and have been product innovatorsand risk management specialists in thisspace since 1999. The team that Davidmanages works with brokers and clientsfrom around the world to assist with theircyber insurance placements; from theUS and Canada, to Latam, the MiddleEast and South East Asia. Prior to joiningSafeonline in 2015, David managedthe international technology and cyberinsurance practice at Howden InsuranceBrokers in London.As well as his commitments to Safeonline,David has served as an innovation advisorat Lloyd’s Labs since its inception, and isan active committee member on the BritishInsurance Brokers Association’s (BIBA)Cyber Focus Group.
The (continued)rise of Ransomware
Over the last few years, we have witnesseda meteoric rise in ransomware incidentsand the propensity of these attacksto spread globally in a matter of minutes.That said, there have not been anyincidents that have caused worldwidecatastrophic losses – yet! Recent workby the Cyber Risk Management Project(‘CyRim’ 2019) estimates that globalinfection by a contagious malware couldcost more than $193bn (almost twicethe economic damage of HurricaneKatrina in 2005) and affect more than600,000 businesses, both large and small;86% of whom would be completelyuninsured. Ransomware disseminatesvia infected emails, quickly spreadingthrough connected networks anddevices, encrypting data along the way,often bringing companies of allsizes to a standstill. Gone are the daysof when this perpetrator was a human;these attacks are almost entirely doneby bots these days. However, the humanside of the hacker remains with manyof the perpetrators setting up callcentres to "help” companies re-gainaccess to their data via the paymentof a ransom; usually via an untraceablecryptocurrency exchange. The costsfor a company do not stop here though;the reduced productivity during thisdown time, the IT-costs involvedwith repatriation of data and systemintegrity, along with the supply-chaindisruption and reputational damageall weighs heavy on the mind and balancesheet of the victim’s business.The adage of "it’s not a question of ‘if’you get hacked, but when” remains true.Businesses need to ensure they are betterprepared for ransomware attacks.From preventing the likelihood in thefirst place, through intensive employeeawareness schemes, to ensuring any‘downtime’ is minimalised througheffective and regularly tested back-upsand by putting the right type of cyberinsurance in place to respond efficientlyto an attack.
Cyber insurance policies have evolvedto include ‘pre,’ ‘during’ and ‘post’ eventservices. Some policies provide businesseswith measures to help quantify thefrequency and severity of a company’scyber risk. Other policies come with freeor discounted access to other riskmanagement tools, such as military-gradeencrypted back-up providers and/ornetwork monitoring tools. It is fair to saythat cyber insurance is moving awayfrom just being a response and remediationpolicy, towards being a more tangible riskmanagement-tool. I expect this evolutionto continue in 2019 and beyond.
2018 — a hugeyear for privacyregulation
The General Data Protection Regulation(GDPR) took effect in May 2018 and hasalready been instrumental in changingthe way people, companies andgovernments appreciate data privacy.Google (January 2019) has been therecipient of the first major fine underthe GDPR (c. €50m) and we can expectfurther fines and penalties in the nearfuture. It is not just the EU who arechanging the dynamics of data privacythough; within the last twelve months,at least ten other countries have movedto implement similar laws, including:Brazil (‘GDPL’); Australia (‘NDB scheme’)and Canada (‘PIPEDA’). In the US,California, who are often seen as thepioneers of data privacy regulation, willalso implement GDPR-like stringentmeasures in their Consumer PrivacyAct of 2018, when it takes effect in 2020.Cyber insurance often affirmativelyoffers coverage for regulatory fines,penalties and investigations, whereinsurable by law. Whilst the insurabilityof these fines and penalties will likelybe established in the courts, cyberinsurance is still active in helpingcompanies prepare and evaluate theirbusiness practice in light of the newregulatory climate. Mandatory breachnotification is likely to affect mostcompanies worldwide, regardless ofwhere they are based or operate, howevermost businesses are still woefullyunaware of what they would and shoulddo, in the event of a data breach: Who to notify? How to notify? Who should wecall? Lawyers? An insurer? An IT securitycompany? Whether businesses like itor not, these are the questions that theywill have to answer should they have anissue. Prudent businesses will look toinsurance providers to help them toanswer these questions and for riskawareness, management and transfer.
More players,more capacity,more coverage
When our CEO, Chris Cotterell, startedSafeonline in 1999, he was one of onlya handful of insurance brokers in theworld selling cyber insurance; and therewere fewer than five insurers offeringcyber products. As we have becomeincreasingly reliant on technology, bothat home and at work, the opportunityfor crime and the vulnerabilities we facehave proliferated. The insurance markethas responded as the risk emerged andgrew. As such, today there are close to200 capacity providers across the globe,including insurance companies, Lloyd’ssyndicates and MGAs; most of whomclaim to have a ‘market leading cyberproduct.’ There are also more brokers(from those who admittedly "dabble” in thecoverage, to full on specialists) than Ican count. In the last five years or so, theincreased competition across the globehas caused the market to dramaticallysoften, causing prices to drop andcoverage to broaden. The average cyberpolicy of today is incredibly differentto the first iteration in the late 1990s;focussing primarily on ‘internet liability.’Today, cyber policies continue to evolveat almost the same speed as the threatsand crimes against which they areaiming to protect. That said, the industrystill seems somewhat undecided onwhether ‘cyber’ should be treated as aproduct or a peril. What this now meansis that some insurers are starting toprovide coverage such as contingentproperty damage and bodily injury incyber policies, whereby this would usuallybe considered part of general liabilitycoverage. The same can be said of socialengineering and other types of ‘digitalcrime’ which can also be found in somebroad property and crime policies.To further confuse policyholders, sometraditional business package policiesare now extending to provide cyberextensions. This can cause conflict withstand-alone cyber policies; causing issueswith sub-limited coverages, the possibilityof two sets of breach-response and claimsteams being involved in a loss, andpotentially triggering ‘the other insurance’policy condition. The message to cyberprospects and policyholders in 2019 and beyond needs to be clear. Do not betoo prompt in disregarding stand-alonecyber policies in the wake of obtainingcyber extensions elsewhere. Many of thesepackaged policy providers will beinexperienced in handling cyber claimsand might not have in place the rapid andstreamlined response services needed.For prudent companies, cyberinsurance should be seen as a ‘must have,’especially in light of the increasing andevolving risks, greater privacy legislationand growing number of coverage options.However, our role as client advocatesand advisors is crucial and the messageis clear; seek specialist coverage fromspecialist providers, via a broker whounderstands the client’s needs and whatthe insurance providers can offer. Therole of the broker for cyber insurance hasnever been more important and neitherhas the message we are communicating.If a business has a presence online, collectsor processes data, and/or relies ona system or network to derive an income,then cyber insurance is absolutelyrelevant. With the tightening of privacylegislation across the globe, the continuedevolution of cyber risks posing a threatto all, and premiums being at an all-timelow, this is the perfect time for businessesto purchase cyber insurance.
David Dickson
Heads up the technology, cyber andmedia insurance team at Safeonline;a specialist Lloyd’s broker and Brokerslinkmember based in London, UK. Safeonlineremains one of Lloyd’s largest independentcyber brokers in terms of GWP into themarket and have been product innovatorsand risk management specialists in thisspace since 1999. The team that Davidmanages works with brokers and clientsfrom around the world to assist with theircyber insurance placements; from theUS and Canada, to Latam, the MiddleEast and South East Asia. Prior to joiningSafeonline in 2015, David managedthe international technology and cyberinsurance practice at Howden InsuranceBrokers in London.As well as his commitments to Safeonline,David has served as an innovation advisorat Lloyd’s Labs since its inception, and isan active committee member on the BritishInsurance Brokers Association’s (BIBA)Cyber Focus Group.
