Brokers need to ensure they fully understand cyber policies if they are to help their clients – and capitalise on the market opportunity in front of them.
That’s the view of Geoff Kinsella, chief operating officer and partner at Safeonline, a City of London-based Lloyd’s broker specialising in cyber risk. Kinsella spoke to Insurance Business following the Government’s publication of its Cyber Security Breaches Survey, which found two thirds of large businesses experienced a cyber breach or attack in the past year, with 70% of incidents involving viruses, spyware or malware.
The most expensive breach recorded cost the company involved £3m, while the average cost of an attack on a large business was £36,500. The survey also found that 25% of large firms experiencing a breach did so at least once a month, but only half of all firms have taken any recommended actions to identify and address vulnerabilities.
Kinsella welcomed the Government’s message to businesses urging them to up their game on cyber security, but warned the fact that many data breaches currently go unreported could create complacency. “These reports are great, but fundamentally it’s all about waking people up to the idea they have to take cyber risk seriously,” he said. “We’re finding in general the UK is still lagging behind. As the report says, we know there are a lot of breaches but because in many instances they are not disclosed, the breaches that reach the media are always in the US where there is a requirement to disclose, particularly in certain industry sectors. This makes it appear it is only a US issue.”
Kinsella said insurers had risen to the cyber challenge with new products offering broader cover coming to market – and now it’s up to brokers to make sure they have the knowledge to capitalise on the opportunity they have to help their clients.
He said: “There’s such a variety of policy wordings out there with all sorts of different triggers, definitions and extensions so it’s very hard for the buyer to understand fully what he’s buying and which policy is best – that’s why commercial brokers need to get more savvy themselves so they can advise their clients better as to what is a good policy and what isn’t.
“Businesses might be surprised how inexpensive a cyber policy is for the limit you can buy and the kind of support and infrastructure you get with it – that’s the bit we’re not educating them about enough. That’s the message brokers should be pushing to their clients.”
The survey revealed surprising levels of inaction by businesses, with only one third having formal cyber security policies in place and just 10% having incident management plans in place to deal with a breach. That creates an opportunity for brokers, with policies now available which will help companies ensure their defences are in place and help them stay in business in the event of a successful attack.
“People think it’s about third-party liabilities,” said Kinsella. “They think the chance of getting hacked is slim, and the chance of being sued by someone for letting their data out is even more remote. What we can offer is first party cover – most of the policies we provide will give access to experts who will come in pre- and post-breach. They will help with risk management and setting up the right security framework within the organisation, but also if a loss occurs you get forensic accountants and IT experts to come in and help identify what happened, what was taken and what the potential outcome might be. You get legal assistance, PR and media counselling – obviously reputational damage can be huge so having expert assistance to deal with that is important.
“The other first party element is business interruption – there’s a misconception that cyber insurance only triggers if there’s a loss of data but if you’re relying on systems to do business, if they go down the policy will respond to that. Should systems be locked up due to ransomware and extortion, policies will cover that – crime has changed, where once it was someone breaking into your office to steal things, now it’s a guy sitting in another country, even on another continent, playing havoc with your systems.”
Making sure clients understand the scale of the problem is key if brokers are to win their business, Kinsella believes. He said: “If you’re going to be a professional adviser to your client you have to have the ability to talk to your client with some authority on all different sorts of insurance classes, cyber being one of them.
“The problem is a lack of education – a lot of people still think it will never happen, but as we always say, it’s not a case of if a cyber-attack is going to happen, it probably already has and you don’t know about it – with some of the biggest cases, the malware had been on the system for months beforehand. A lot of SMEs in the UK think they will never be a target, because the targets will be the big boys, but we’re finding that a lot of cyber-crime attacks smaller organisations because they are easier to get into. A lot of the larger companies use third-party vendors for everything – they outsource a lot of functions, so if the criminals can get to major corporates simply by going through the weakest link, they’ll do that.”