For cybercrime insurers, it’s clear that there’s an identified demand for their coverage, and that business is booming. But in an industry where technological change shifts faster than in any other, the rate of policy-change required to stay relevant is a pressing matter for insurers to address.
Despite the first cyber insurance arriving during the late 1990s, as a product it remains in relative infancy.
Policies have changed significantly over the years. Early providers were extremely limited as to what was covered – such as only including online media, while others protected against errors in data processing.
As times have moved on, businesses have become ever more reliant upon data, in ever increasing formats. Policies have reflected this change, and today cover:
Third-Party Liability Coverages
- Network Security Liability
- Network Privacy Liability
- Electronic Media Liability
- Errors and Omissions Liability
First Party Coverages
- Loss or Damage to Electronic Data
- Loss of Income or Extra Expenses
- Cyber Extortion Losses
- Notification Costs
- Damage to Your Reputation
While cyber insurance continues to develop, insurers are still grappling with how they can weigh up risk and shape their products, when lacking significant data to be confident in their underwriting.
In 2015, 63 percent of global companies were insured against loss of income due to data breach, while more than half of the companies without cyber liability insurance considered purchasing it.
Large companies are only too willing and able to get cover for potential attacks – with a staggering 85% of the world’s cyber insurance being sold to protect US-headquartered entities.
But the typical SME represents a curious client for insurers, as the damage caused by data breaches and other cyber-attacks is disproportionally high amongst smaller organisations.
And when we say damage, we don’t only refer to set pounds and pence. SMEs must also account for the damage to their reputation, the lost confidence of customers where personal data is involved and the loss of intellectual property. As for the cost of cybercrime on the average SME, the latest FSB survey reported that fraud and cyber-crime costs Britain’s SMEs £800 a year each (54% have reported becoming a victim in the past twelve months).
It’s logical to think that SMEs would be the businesses to jump up and down for cyber protection. And yet just 14% of SMEs has cyber insurance. The question is why?
After all, cybercrime is on the rise (four in ten businesses have suffered an attack in the past 12 months), and public awareness has never been stronger.
Despite the lowly take up rate, SMEs do appreciate the threat of cybercrime (and the average £3,000 bill faced when becoming a victim).
The reasons that may lie behind this 14% may be three-fold:
First, many presume that their standard business insurance covers them in the event of a breach (and when we say many, we mean more than half – 52%).
Second, what they don’t yet see is that insurers are offering sufficient coverage to counter the full impact of a cyber-attack.
“The drop in take-up of cyber insurance shows that this is still maturing as a product. Companies do not see the cover currently on offer as targeted to their individual risks and therefore not value for money”.
– Domenico del Re, insurance director at PwC
Third, if and when companies do seek a quote, they are posed a series of what seem intimate questions about their security systems (which are critical to calculate premiums, but which are also closely guarded by cautious business owners).
And these issues are just the tip of the iceberg for insurers that are trying to convince SMEs that their products are worthy of investment…
These 12 months also saw a shift in behaviour, as criminals moved away from using mass mailing and malware as their weapons of choice, to harnessing increasingly targeted extortion efforts. This rapid shift in strategy is a standard characteristic of cyber criminals, as is the rapidly advancing tools that they have at their disposal.
In contrast to this speedy landscape, is the pain-staking practice of insurance. Underwriting has always been a notoriously time-consuming task, while risk analysis and modelling remains complex.
Encouraging SMEs to sign on the dotted line of a solid cyber insurance policy begins with education, and pushing home the fact that these businesses are often seen as soft targets by hackers.
Education also extends to reassuring businesses of all sizes that their security secrets are safe with them (a steep mountain to climb, given the distrust in even the largest of banking giants to sufficiently protect customer data).
Education and encouragement of SMEs to purchase policies is relatively easy when compared to the tall task of ensuring they feel safe entrusting their trade secrets to insurers. This is only compounded by insurers that remain cautious when placing limits on the amount of coverage they offer under their policies.
The only way to resolve these issues is to fully understand the threats that SMEs face, and for insurers to see everything from their point-of-view (including the perceived threat of sharing information with the insurers themselves).