Is cyber misunderstood?
Cyber risk has attracted plenty of media attention as businesses increasingly single it out as their biggest potential threat. So too has cyber insurance, but the headlines have not all been positive. A string of recent articles in both the insurance and mainstream financial media have highlighted its supposed shortcomings when faced with tricky and expensive claims.
But the failings exposed have been where companies have tried to claim for cyber-related losses on non-cyber insurance policies. The “Cyber misunderstood” seminar held at Hiscox’s London offices on February 13 involving members of Hiscox’s cyber insurance team, Seaton Gordon, a cyber law expert at law firm Pinsent Masons, and around 60 leading London Market cyber insurance brokers looked at the truth behind the headlines in these cases.
While more companies are looking for specialised cover against a hacker attack, data breach or major system outage that could halt their operations, others are making claims on their existing non-cyber policies, such as property, general liability or even financial institution crime cover.
Disputes for cyber-related claims on non-cyber policies can’t be touted as proof that cyber insurance isn’t effective, says Matt Webb, Hiscox’s Cyber Line Underwriter.
The threat of ‘silent cyber risks’ to insurers has been widely reported in the media. The media have speculated that insurers could be forced to pay huge sums for cyber attacks under general policies, potentially threatening the insurance industry with ruinous claims that companies had not foreseen.
High-profile legal cases between companies and their insurers over losses resulting from cyber attacks have been regarded as tests of insurers’ exposure to “silent cyber” as well as important measures of the effectiveness of the newer, much touted but less tested cyber insurance market.
But it’s misguided to conflate these two very separate issues, says Tony Kriesel, Cyber Claims Underwriter at Hiscox and it seems to reflect a general confusion about cyber coverage.
“In some of the real-life cases we explored, it seems the insurers involved didn’t mean to cover cyber exposures, while in others the insurers’ intentions were more ambiguous,” Kriesel says. “But whatever the underwriters’ intentions, the upshot is the same: clients aren’t assured of having cyber-related losses paid unless they buy a proper cyber insurance policy, which clearly spells out those events to which it will respond.”
The negative coverage should concern the cyber insurance market, says Kriesel. “Although these headlines are misleading, we all know that mud tends to stick. Companies might be put off buying cyber cover, even though they would benefit from having it, because they erroneously believe it won’t respond when they need it.”
So it’s important that everyone who works in the cyber insurance market is aware of the perception problem, says Kriesel. “We need to dispel the myths and to explain the truth to potential clients: that cyber insurance is effective, it has been tested and has been proven to pay out in plenty of situations in ways clients expect.”