What will pull the cyber insurance purchase trigger?
A nice-to-have or an essential purchase? That's a choice many risk managers are currently wrestling with when it comes to buying cyber insurance. For many, cyber insurance is still well down the list of priorities. According to The Hiscox Cyber Readiness Study 2017, while over a quarter of the 3000 firms surveyed (28%) are planning to take out cyber insurance in the next year, a similar proportion (26%) have no plans to purchase cyber cover. Of these firms, two in five (41%) say ‘a cyber insurance policy is not relevant for me’.
Despite this indifference amongst a significant minority, cyber insurance will at some point be as mainstream as any other core insurance purchase, and three developments are likely to be key in driving take-up rates: data regulation, cyber extortion and cyber business interruption losses.
New data regulation is coming
First up is regulation, and the arrival of the EU's General Data Protection Regulation (GDPR), which will apply to all member states from 25 May 2018. The UK will still be a member of the EU in 2018, so it will apply to UK firms, and it might well continue to apply after the UK leaves, particularly for those firms that still want to do business in the EU.
The GDPR will lead to increased regulatory fines – up to 4% of turnover or €20 million (whichever is the higher) for data breaches – coupled with new requirements such as the mandatory notification of customers following a breach. As we have seen in the US, greater regulation means data security and breach response will move higher up the agenda of risk managers and board members alike.
Your money or your ‘cyber’ life
Secondly, and perhaps a more immediate driver of cyber insurance purchases, is the dramatic rise in cyber extortion events. Cyber security firm Malwarebytes recently reported that nearly 40% of the businesses it surveyed had suffered a ransomware attack over the previous year. This trend is both a challenge and an opportunity for the insurance industry. Whilst those insurers who provide traditional kidnap and ransom policies may be well versed in dealing with ransom payments, cyber extortion has its own unique issues that require specific skill sets.
Crucial steps include establishing, in a safe environment, whether the malware is real or an empty threat; verifying that a decryption key actually works and is itself clean of further malware; establishing whether a data breach has already occurred; and obtaining Bitcoin at short notice.
All these issues add to the complexity of a cyber extortion loss scenario. They can also have a significant impact on the outcome of a future damages claim. It's obviously preferable to identify data-stealing malware bundled with a decryption key before the key is deployed, but sadly that's not always the case. Insurers and their clients must select the right vendors for the right job and, for me, a proven track record with actual experience is more important than corporate brand.
Not all business interruption events are created equal
Lastly, whether through denial of service attacks, extortion threats or even data breaches, cyber business interruption (BI) events are increasingly common. Aon’s 2016 Captive Cyber Survey report found that the cost of business interruption due to a breach is the top cyber risk concern for businesses across all industries – and cyber BI presents different challenges from more traditional BI losses.
Historically, the purchase of business interruption insurance has been linked almost exclusively to physical risks such as fire or flood. As a consequence, there's a tendency to think of BI losses in a binary way: a building either burns or it doesn't. Cyber BI losses manifest themselves in ways that are often grey rather than black or white. Denial of service attacks can slow systems down rather than taking them out completely. In the midst of a data breach crisis, a company may decide to take a system down itself as a way of preventing further bleeding. In this interconnected, digital age, the impact of cyber business interruption can be as significant as a physical loss.
How policies respond
The critical thing for companies when they do buy cover will be how their cyber insurance policies respond. Many policies require a complete outage before business interruption cover kicks in. Others contain a trigger that means the suspension has to be actual and necessary. These requirements seem a very analogue way of dealing with a digital problem. No company that suffers a slowdown in business because of a DDoS attack would want to be told that its cyber business interruption cover is worthless because it was never fully offline.
So it comes back to trust and clarity. If, as an industry, we want cyber insurance to be a mandatory purchase, it is up to us to design the right cyber products: ones that are both easy to understand and do the job that customers need and expect.