In-depth - cyber: Selling cyber


As the online threats to both commercial and personal clients grow, brokers have a vital role to play in educating their customers and evolving the way the cover is sold

Getting clients to engage with the ever-widening range of cyber threats they face – both as businesses and individuals – is a key challenge for brokers.

Many clients are simply not aware of the risks or the potential consequences. Others are put off by the policies on offer and what they see as confusing wording, a problem exacerbated by the lack of consistency across the market. 

The combination of insurance and tech speak often makes for policies that leave clients baffled and unsure of what cover is on offer. 

For brokers, the key is moving discussion of cyber risks and the need to protect against them to the front of the conversation with clients and talking in their language, comments Bob White, director at Petherwicks Insurance Brokers.

“We try to get them to focus on the impact that a cyber attack could have on their business. Many businesses think it is just about deleting a few infected files, re-starting their systems and getting back to work. It just isn’t like that. They could be offline for days and that can have a major impact on businesses.

“We also talk to them about the sort of expertise they will need to restore their systems and communicate with customers. They don’t realise what is required”.

Size doesn’t matter

Graham Wedgbury, commercial account executive at Lycetts, agrees that the days of cyber cover being an afterthought in conversations with clients are over.

“We’ve completely changed tack to talk about cyber first. It has got easier to engage clients because most people have experience of hacking even if it is on their bank account or credit card but we still find clients who say they don’t feel valuable enough or are too small to be picked on.

“The people who carry out these attacks aren’t bothered whether they are small or big.”

The scale and range of potential attacks is constantly evolving, and getting the message across about how damaging they can be is a major challenge for brokers, agrees Graeme King, business group leader, cyber at Barbican Insurance Group.

“I find the best way to start the cyber conversation with an SME is to use an analogy from the physical world to help them grasp the threat,” he says. “For example, if you are speaking to a café owner then a good way to describe a denial of service [DDoS] attack is to imagine that a thousand customers suddenly appeared, all demanding service. 

“You can easily visualise how overwhelming that would be and the detrimental effect it could have on your business.”

He goes on: “It is important to drive home that the risk to an SME from theft of funds is much higher now than ever before.” 

King notes that businesses are at greater threat of suffering theft via something like a phishing email than they are of losing physical money. They need to invest in online security as well as bricks and mortar protection.

Different approach

Raising the awareness of the dangers for commercial clients is one challenge but finding the right insurance solution has also been a major hurdle. Initially, cyber was introduced as an add-on to other policies – property, business interruption, professional indemnity and liability covers – but this approach has led to confusion and a plethora of wordings, which has made the broker’s job harder, White details.

“The add-on approach hasn’t worked well. It leaves too many gaps in coverage and many policies just don’t respond to the type of claims businesses have. Our focus is on standalone policies that offer a good breadth of cover and support services.”

The days of the add-on cover are definitely numbered, according to Dr Mark Hawksworth, global technology specialist practice group leader at Sedgwick.

“The issue with bolt-on cyber cover is that the primary policy has to engage in order for the cyber component to come into play. Most traditional technology policies have a material damage trigger which does not lend itself well to cyber incidents.” 

He continues: “It is better to purchase a dedicated standalone cyber policy which covers the non-tangible triggers and any associated business interruption claim that flows from a cyber event.”

Insurers have responded to these weaknesses, insists Stephen Ridley, lead cyber underwriter at Hiscox. “We don’t want to be reactive. We want to try to future-proof our wordings. Standalone policies work the best and evolve at the fastest pace.”

Evolving cover

This ability to develop the cover is essential, argues Ridley: “The criminals are constantly evolving. The biggest threat up to now has been through ransomware which has accounted for one third of claims but we are now seeing new threats such as crypto-hacking where criminals take over systems to conduct bitcoin transactions.”

According to cyber security expert Alastair Murray from The Bureau, the policies need to be about more than just the cover provided and brokers need to focus on more than just selling cover. 

“Cyber awareness training is key to tackling cyber crime. It is the most undervalued cyber security tool in the world. If you can sort out staff behaviour you could cut out 90% of phishing attacks.”

This is a message that Hiscox has taken on board. The insurer has launched a training academy which offers free training for small businesses up to £10m turnover and ties that in with an offer to reduce or eliminate excesses (of up to £2,500) if 80% of staff complete the training.

There is also a growing enthusiasm for encouraging clients to engage with the government-sponsored Cyber Essentials scheme run by the National Cyber Security Centre: “We are advocating Cyber Essentials and Essential Plus and now sell this as a pre-loss service,” points out Hawksworth.

“Any form of pre-loss review is better than nothing, which is unfortunately the strategy being adopted by a proportion of UK businesses mistakenly believing that it won’t happen to them.”

The services on offer to support clients when they have a claim have also grown in importance as the industry recognises that few firms outside of the largest corporations will have access to the expertise they will need when dealing with an attack.

The right support

“We are there to support our clients when they have a problem and make sure that the right support is put in place,” states White. “Often they have outsourced a lot of their IT support and that isn’t accessible 24/7 so we look to their insurers to step in with the right help.”

Often clients just do not realise how much help they will need or the speed with which it must be deployed. 

It is important that insurers are equipped to step in to help clients, explains Wedgbury: “They need access to support 24/7 and it is more than just the obvious technical support they need. For instance, they might need specialist PR to get the message out. 

“They might think they can do it but when you are firefighting to get your systems up and running, records restored and data recovered there isn’t anyone left to talk to customers.”

This pressure to act fast, communicate with customers and repair the damage has been thrown into sharper relief with the advent of GDPR, which insurers and brokers agree has helped raise awareness of the need to review and upgrade cyber security.

The challenge is to translate that enhanced awareness into an acknowledgement that insurance has a crucial role to play too.

Personal lines

Individuals are even further behind the curve when it comes to protecting themselves, yet the risks to which they are exposed are growing all the time in the home, on the road and through their online activities.

The rapid development of connectivity through smart devices, the Internet of Things and automated, connected vehicles opens up a whole new range of risks that criminals will be probing for vulnerabilities. 

“Personal lines cyber policies are in the growth stage. However, I believe they will become mainstream products in the not too distant future,” Hawksworth predicts. 

“With the potential for home systems to be affected by computer viruses and hackers, it is important that the public have access to cover that will assist them in rectification of any non-tangible cyber issues that may affect them.”

Waiting for takeoff

The coverage for this seems to many brokers to be in a similar place to where commercial cyber cover was until recently, with most included as add-ons to other policies, such as household and motor, and with huge inconsistencies in wordings.

“They are full of more terms and conditions than could ever be helpful. There needs to be a bit more intelligence applied to simplify the policies and develop some common standards for personal lines policies to take off,” argues Wedgbury.

He believes standalone policies may be the best way forward: “A standalone policy has benefits as, if there is a claim, it will not affect the claims experience of main policies in place. It will be written by an expert insurer and not as an add-on with perhaps limited cover.”

Underwriters are developing policies, with one of the recent launches coming from UK General and backed by Munich Re. This has taken a gradualist approach, initially introducing the cover as an extension on high net worth household policies before making it more widely available. 

“We need to raise awareness of the cyber risks and achieve critical mass and the best way of doing that is through household policies,” says Neill McDermott, product manager, financial and specialist risks at UK General. “There has been a great deal of good work done by the banks on cyber fraud but that is only one aspect of an individual’s cyber risk. Bullying, defamation and data loss as a result of malware are all major problems. I think there is a lack of awareness of those wider risks.”

While he acknowledges that standalone policies for individuals may have a role in the future, he thinks, at present, pricing is a problem because of the lack of experience and claims data.

Cyber insurance is definitely a ‘work in progress’ as the market struggles to provide the consistency and clarity of wordings demanded by brokers and their clients. With the constant development and extension of cyber threats perhaps it will be a work in progress that is never finished?

Helping brokers help themselves

Brokers are part of their customers’ supply chains and so need to protect themselves at the same time as they are urging clients to raise their game. 

“A major risk for brokers is not just business disruption, but total paralysis of their organisation as the industry now relies so heavily on technology to share information and for basic business functions,” says Adrian Scott, head of cyber, Pen Underwriting. 

“The loss of client trust is another potential risk if expectations can’t be met due to a cyber breach. The two combined is not something any broker or business wishes to experience.”

Many brokers find themselves on a steep learning curve when encountering cyber issues. “Insurers can and do play a key role in this education process. Some hold seminars, go and visit their brokers in person to discuss cyber risks, and offer risk management products and services to mitigate risk and make clients safer”, Scott adds.

Keeping abreast of the developments in a field where the risks, the cover available and the remedies that can be applied are constantly evolving – and often highly technical – is essential if brokers are to maintain the confidence of clients, insists Matt Northedge, head of technology and cyber for AmTrust at Lloyd’s.

“Insurance brokers are rightly expected by their customers and clients to have a good understanding of cyber risk, as well as providing strategies to best protect a business.”

He adds: “As insurers we have a broader view of developing claims trends and methods of attack and this is always useful information that we can share with our brokers and coverholders.”