The role of the broker has changed when it comes to cyber insurance. Ten-years-ago, when awareness and understanding of cyber risk was very slim, the broker’s primary focus was to convince clients that the risk existed. In the past decade, that task has become easier and easier following an unfortunate series of high-profile cyber events. The year 2017 was pivotal in terms of awareness about cyber risk, thanks to the WannaCry and NotPetya ransomware, and the infamous Equifax breach. All of a sudden, cyber shot on to risk manager’s radars and brokers were put under pressure to find cyber risk solutions.
In 2020, most businesses in Canada know that cyber risk exists. Now the challenge for insurance brokers is determining how to appropriately quantify a business’s cyber exposure, and how to provide a holistic solution through insurance risk transfer and further risk management. According to Ruby Rai, cyber practice leader at Marsh Canada, brokers have to start playing the role of risk advisors if they aren’t doing so already.
“It’s no longer enough to provide an insurance solution and leave it there,” said Rai at the NetDiligence Cyber Risk Summit in Toronto. “A huge responsibility has landed on brokers’ desks in terms of [progressing] the discussion beyond insurance placement. We need to walk clients through a framework approach of assessing risk [so they can] understand how their risk is going to change and evolve, and what they need to consider in year two, year three, and year four of a renewal cycle.
“And of course, the insurance market has shifted. If you’re looking at different types of risks - retail, financial institutions, public sector, healthcare – they all need some sort of a customized approach. Clients might not realize that going into a renewal cycle, but the broker would have a better handle of how the landscape is changing.”
While awareness and understanding of cyber risk in Canada has grown exponentially, the purchase of cyber insurance still tends to be a discretionary spend, according to Rai. It can be challenging for brokers and risk managers to convince business owners and/or boards to spend money on cyber insurance when other areas of insurance, for example property and D&O, are experiencing some significant premium hikes.
“We’re up against a changing property market and a hardening D&O market, so how do we still continue to show value? That’s important because there absolutely is value in helping clients understand and transfer cyber risk. Management of expectations is vital, as well as finding those key opportunities – whether you’re working with a client’s risk management team, IT department, or InfoSec team - to continue to show that value through different means and method. That’s where the broker’s role has changed from insurance placement to risk advisory.”
One of the biggest challenges in cyber insurance is navigating what Rai describes as “the minefield of [cyber] exclusions” that are creeping into various different policies. Due to issues surrounding silent cyber (also referred to as non-affirmative cyber coverage), clients are at high risk of having coverage gaps unless they can piece together a holistic cyber solution with the help of a broker.
“How do we address those coverage gaps? Are we able to take one piece of the puzzle and insert it elsewhere, or do we need to completely revise the policy form?” said Rai. “Innovation needs to happen on both sides. I think brokers play a key role in making markets aware, in terms of: ‘Let’s find solutions together. If we’re going to create a holistic cyber insurance solution, it might not come through a cyber insurance policy, it might show up in different variation through other policies.’”