Can cyber risks be quantified?
It can be more difficult for companies to quantify because we are talking about intangible assets (data, information and systems). Organisations are not always so confident in quantifying intangible assets, and are not fully aware of the potential financial impact a cyber event could have on their balance sheet. But, yes, these risks can be quantified.
How do you quantify the risks?
Insurers do this through gaining an understanding of a business. We want to understand how it operates, what its business model is, the environment it's in, and probably most importantly - what its key data and system assets are.
Combining this with the information we get back from a business about how mature it is in protecting itself from cyber risks, and with our prior knowledge of loss data in the market, we can build a view of the company's risk profile.
How do you know if the pricing is right?
A client's exposure profile and risk management are the key factors in driving the price. Naturally, we work in a highly competitive marketplace, so there are external factors that have an influence too. In London alone, there are around 30 insurers offering this class of insurance. With an emerging risk like cyber, insurers are naturally cautious about offering large sums of capacity because there is limited historic loss data. Cyber, as a result, has been a very reactive market, with insurers' appetites changing with each large loss that is experienced.
We are often told by clients that they don't need cyber insurance, as they invest in IT.
Investment in IT security isn't enough on its own, as it only helps protect against certain types of threat. A top-of-the-range firewall, for example, might stop attackers on the outside from getting into your system, but is it going to stop an employee plugging in an already-infected USB stick? Is it going to stop them accidentally clicking a link in a genuine-looking e-mail and downloading ransomware? Unfortunately not. A business's weakest link is often its people, which means that no amount of spending on IT security can make you 100% secure. This is backed up by the fact that some of the most technologically sophisticated organisations in the world, which spend literally millions on security every year, still get hit.
Surely when a company outsources its IT to a third party, they wouldn't be liable for repercussions of an event?
Unfortunately, by and large, this is just not true.
Most businesses will outsource at least some part of their technology, be it the storage of their data or the hosting of their systems. The problem this creates is the false perception that someone else is responsible if something goes wrong.
That's sadly not the case. If you are the organisation that an individual has entrusted with their data, that makes you what's known as the data controller, and you remain responsible regardless of whether you use a third party to look after that data for you. If the data is stolen or lost, whether by you or by any third party you pass it on to, you will be responsible for notifying the regulator. You may also be responsible for notifying the data subjects, and you could be on the receiving end of a regulatory investigation and a fine or penalty.
We're a traditional business, we don't collect any sensitive data so surely we don't need cyber insurance?
This tends to stem from the perception that has built up around cyber risk: that it's all about privacy and data breaches. That perception changed significantly when we saw the WannaCry and NotPetya malware outbreaks cripple many within the manufacturing and logistics industries. These attacks did not involve data being stolen; rather, the systems that companies used to operate were frozen or, in some cases, damaged beyond repair, so that they couldn't function as a business.
NotPetya alone is estimated to have cost businesses over £1bn, and nearly all of that was operational disruption leading to big reductions in turnover, or huge costs in rebuilding or replacing systems.
Cyber is already covered by other lines of insurance, so why buy a separate policy?
While elements of cyber cover may exist within some traditional insurance policies, the cover tends to be narrow and sub-limited, and those offering it lack the experience required to handle cyber events properly when they inevitably come in.
When insureds purchase a cyber policy they are buying financial protection, of course, but they are also buying access to a claims and incident response service that ensures their claim will be handled effectively, efficiently and in a way that will minimise disruption to their business.
Increasingly, clients are telling us that they don't think that a cyber insurance policy will pay out.
Working for one of the major cyber insurers in the UK market, I can tell you that the claims are there, that they are increasing in frequency and severity, and that we are absolutely paying them.
At CFC, we handled over 730 cyber claims last year. We're currently handling over four claims a day, and we expect that figure to double next year.
For more information about cyber insurance, please get in touch with Sarah Hewitt on Tel: +44 (0)20 3425 3317
The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.