Cyber insurance – the “emergency service” for victims of cyber incidents

This article was produced in partnership with CFC

Mia Wallace, of Insurance Business, sat down with James Burns, head of cyber strategy at CFC, to discuss the need for more education on the implications of cyber risk.

Despite the rapid evolution of the cyber insurance market, it still faces a demand side problem, according to James Burns (pictured), head of cyber strategy at CFC. The relatively low level of cyber awareness among UK SMEs – which account for 99% of UK businesses – offers a taste of the cyber protection gap that exists today, he said, and highlighted the role that insurance businesses should play in bridging the gap.

“And that’s part of the new developments in the insurance market,” he said. “For the past 10 years, cyber insurers have been laser-focused on market growth. We’ve spent most of our time, energy and resources marketing the hell out of this product. There are bucketloads of training and education for brokers, and insurance conferences where the focus is selling the product. As an industry, we feel like we’re on a mission to make people see the value of this product and realize they need it, which they absolutely do. “

Burns noted that in 2020, that situation began to change as the threat environment worsened with loss ratios going through the roof and insurers focused all their attention on rate correction. Brokers with cyber clients are faced with explaining why the price has risen so much while those who have not yet started selling the product are prevented from doing so due to the perceived volatility of the product line.

“It will undoubtedly have an impact on product awareness,” he said. “The irony is that organizations need this product more now than ever and its value has been proven time and time again in the billions of dollars worth of losses paid out by insurers over the past few years.

“I think we need, as an industry, to put our focus back on helping our brokers sell this product to SMEs. There are still a lot of broking houses out there where less than 10% of their commercial client base is buying a standalone cyber policy which doesn’t make sense because we know it’s one of the biggest threats facing organizations today. So, I think there’s a lot of work left.”

Cyber ​​as an intangible risk

The problem many insurance brokers face is that until you’re on the sharp end of a cyber claim, Burns said, it’s an inherently intangible risk. Once a broker supports a client through a cyber incident, it becomes easier to contextualize what cyber insurance is and what it does but until that point, it’s difficult to understand – and what you don’t understand, you can’t explain to your clients.

“It’s not tangible until something happens and then you see how an attack affects a business and exactly how the insurance policy and incident response services work,” he said. “Obviously, not every broker has a client that has had a cyber incident – but many do, and it’s a safe bet that most will at some stage soon.”

Burns’ call to action for brokers is to tell insurance providers that they have what they need from them to do what they do best – support and protect their clients. They should feel empowered to ask for case studies of the claim, he said, and for support in interpreting the examples. Taking CFC for example, he said, the provider manages 1,000s of cyber claims and has a wealth of publicly available case studies for essentially every industrial sector imaginable.

“So, if you’re a broker with a commercial customer that fits a specific industry segment, there are real-life examples that can affect your customers in the same way they affect the subjects of our case studies,” he said. “I think brokers should look to their underwriters, who should also be happy to run things over with them and discuss common objections and why those objections might be wrong.”

Burns also emphasized that the pressure is not just on brokers reaching out to providers, and he called on underwriters to step up to the mark by being more proactive about disseminating relevant and timely insights to their broker partners. Insurers should make their educational assets and materials as accessible as possible, he said, and to ensure they are constantly updated.

“I think insurers have been a bit consumed by discussions elsewhere lately and the eye has probably been taken off the ball in relation to the fact that we need to start the market organically again,” he said. “We’ve seen a lot of growth in the last couple of years but a large amount of it has come from rate increases and we need to make sure that we also increase the number of policy in the market.”

Cyber ​​insurance education

It is important for insurers to actively engage with their brokers, and to take a proactive stance when it comes to educating the broader insurance market about the “great value” of cyber insurance.

“We need to start instilling confidence that this is a solid product and one that will be there for brokers to sell for a long time to come,” he said. “The ‘difficult market’ has seen thousands of claims worth billions of dollars, which shows that cyber insurance works – and it works almost perfectly from the insurer’s point of view, due to some of the loss ratios encountered.

“So, it is important to note that cyber insurance is not there to replace investment in security controls, on the contrary, it can only exist sustainably with them. We should not compete with security companies and brokers should not see themselves competing with them. We should work together to ensure that clients have adequate protection.”

This broader area of ​​education takes some effort, Burns said, but that effort is rewarded by the increased confidence brokers have when having conversations about cyber and in turn educating insureds about their own cyber risk profile.

“Underwriters and insurers need to support that trust by talking about the product,” he said. “Cyber ​​attacks are actually a form of crime where there is no emergency service and therefore a cyber insurance policy is that emergency service. If you think about it in simplified terms, you know that this is a product that is very necessary and an incredibly broad product that no organization is without. So, we have to confidently talk to customers again about this.”