There is a massive and sometimes mystifying range of cyber cover in the market, which in turn creates a lack of familiarity about what cover is appropriate or available. The cyber insurance market is an evolving space and so is cyber-crime. Businesses of all kinds could and probably should build cyber resilience into their organisations. There are many scenarios to guard against: phishing, hacking, ransomware and social engineering all require vigilance.
And, if the vigilance doesn’t work and systems are breached, there is the matter of navigating the cover that is in place.
One industry commentator said in the press recently that cyber insurance is flawed and does not meet client needs, but in my view (and I know many others agree with me) this is simply an unfair and inaccurate sweeping generalisation. We might accept that in some areas the cyber insurance market is an immature one – but there are several really accomplished, specialist providers that do have expertise and do provide the cover to give businesses peace of mind.
However, statistics show that there is an urgent need to explain the benefits of cyber protection. Only 3-6% of SMEs were buying cyber insurance in 2018 according to the latest BITC (Business in the Community) poll. Up to 40% of SMEs (depending on which stats you use) have no cyber-aware strategy at all. In fact, one of the biggest objections to buying protection is that businesses, especially smaller ones, simply don’t believe they are at risk, and if they do accept that they are, they then read in the press that their cyber cover won’t pay out.
But these are actually false perceptions, fake news some might say, and BIBA’s cyber insurance scheme provider CFC (accessible to all BIBA members) is a case in point.
They settled more than 1,000 cyber claims in 2018. And specialist cyber insurers know their stuff. They are deploying heavyweight talent in their claims teams, from first response to dedicated cyber detectives. They talk forensics, global teams, and some of their claims handlers are recruited from MI5, GCHQ or the NCSC.
So why can this essential class be such a hard sell?
Well, there is misinformation out there, and it’s certainly well worth thinking about using a specialist provider, as they know and understand the risks associated with cyber. And it is true that some add-ons to a general business insurance policy may not provide such extensive cover.
Against this background, brokers report being given a number of reasons why clients think cyber cover isn’t for them.
“Human error isn’t covered!” - Not true; current specialist policies will insure incidents arising from lost laptops and social engineering where an unwitting employee is scammed into providing information or access. Breaches caused by contractors or even outsourced hosting suppliers can also be included.
“It’s not worth it – only the costs I’m legally forced to pay are covered so I’d still be out of pocket.” – False! Cover for data breaches is actually very mature and many cyber policies will pick up the costs of breach management such as contacting clients and crisis communications as well as legal costs and penalties.
“But,” they are told, “the cover for interruption will only last as long as my system is down.” Providers recognise that getting a business back to normal trade can take well beyond the time its system is back up and running. In recent years this cover has evolved to include interruption periods of up to 12 months after an incident.
There’s no denying that cyber insurance is complex, but so are many other risks and that is why it’s important to get a policy that meets the needs of a client. Yes, it’s a newer type of risk – but after all, you wouldn’t approach a motor underwriter to insure your horse, and this is no different. What is really needed to get across the finish line is to signpost businesses to suitable brokers with access to specialist cyber insurers.