Cyber insurance is more than just risk transfer

Companies are facing a constant barrage of new risks as cyber threats continue to develop. Emerging technologies like cloud computing, internet of things devices and artificial intelligence introduce novel attack vectors, while sophisticated threat actors and organised crime syndicates continually refine their tactics, techniques and procedures.

Compounding the challenge, new data privacy laws and statutes, and reviews of existing regulations continue to expand corporate liability, while the plaintiffs’ bar has become more creative in driving up the damages baseline for civil litigation involving data breaches and privacy violations.

Keeping up with this rapidly shifting terrain is an immense task for even the most well-resourced security and risk management teams, making the Lloyd’s Market Association’s (LMA) cyber claims group an effective platform for collaboration and insight sharing within the London market.

Collaboration

From this point of view, we have noticed the most effective way to mitigate cyber exposures requires collaboration not just among cyber professionals, but across the full enterprise risk management chain. This includes the chief information security officer, data protection officer, risk manager, legal counsel, insurance broker, underwriters from cyber insurance markets and third-party incident response vendors.

The convergence of diverse stakeholders represents a vast knowledge pool that can be used to reduce cyber and regulatory risk.

Cyber risk mitigation, furthermore, is about much more than just cyber security defensive controls; it is also about attention to critical data management issues from a regulatory and statutory compliance standpoint.

Companies looking to fully protect themselves must understand their data protection responsibilities and liabilities. It is as crucial to keep up to date with developing data protection requirements as it is looking for ways to protect against cyber attacks.

By proactively discussing detailed, anonymised claims examples and root cause analyses in meetings with both prospective and potential clients, insurers can help companies to enhance effective cyber security policies

Organisations that ignore their legal obligations risk reputational damage, potential prosecution and heavy penalties, meaning they may be exposed to cyber threats even without experiencing a data breach. It is likely governance criteria will tighten further as comprehensive data privacy regulations expand globally and related non-compliance claims costs continue to rise.

Cyber insurance is just one important link in the chain of collaborative cyber risk management. When other preventative defences are breached, cyber insurance can play a pivotal role by providing protection against catastrophic losses and shoring up balance sheet resilience.

In addition to this, cyber insurance provides value-added services such as security control guidance and shared claims intelligence, while also setting a minimum standard for security (for example, multi-factor authentication) just for a company to be eligible to obtain cyber insurance from some insurers.

Claims experience

A key component of the cyber insurance value proposition lies in the claims experience and data insurers can provide. Most critically, these insights help insurers to raise the standards within the cyber industry.

Through analysing claims from across their books, insurers gain firsthand visibility into the results of security and governance failures that lead to cyber incidents. They can share real-world claims examples highlighting common vulnerabilities exploited, impacts suffered and where costs concentrate after an event. By reviewing this claims intelligence, companies can learn from others’ mistakes rather than being doomed to repeat them.

This constant engagement from insurers has demonstrated common issues leading to claims include unpatched vulnerabilities, especially in legacy systems or low revenue-generating parts of an organisation’s IT ecosystem, and insecure system configurations, leading to exploitable weaknesses. Other common issues are lack of comprehensive security awareness and training for employees, poor corporate data governance practices and data management hygiene and insufficient cyber security and privacy due diligence during periods of rapid growth via mergers and acquisitions.

By proactively discussing detailed, anonymised claims examples and root cause analyses in meetings with both prospective and potential clients, insurers can help companies to enhance effective cyber security policies. Many cyber underwriters make experienced claims professionals available during the marketing and renewal process specifically to share this frontline perspective on crippling incident scenarios.

Holistic approach

The value proposition of cyber insurance extends well beyond risk transfer and indemnification from a catastrophic cyber event. In past years, Lloyd’s syndicates have paid out more than $3bn on cyber-related incidents. While all claims are subject to negotiation and evaluated against specific policy terms, conditions, retentions and limitations, reputable cyber insurance markets demonstrate a strong track record of paying out policyholders in full when covered events occur, per their contractual commitments.

The most effective cyber insurance policies are those that include a holistic approach to cyber threats and come bundled with cyber security tools and services, such as security risk assessments, external incident response plan reviews and penetration testing. Some go as far as to include free consultations with third-party vendor specialists on emerging threats and security best practices, ensuring a full spectrum of prevention and protection for their clients.

Underwriting requirements have also become increasingly stringent over time, driving improved security standards across the marketplace as insurers learn from claims experience and refine their minimum control expectations accordingly.

Cyber insurance policies can also facilitate access to pre-approved panels of third-party incident response vendors, spanning critical needs, including legal counsel, computer forensics, crisis communications and more. These vendors are well-versed in policy terms and have experience engaging with insurers, so they understand what types of services underwriters deem reasonable and necessary for coverage. Perhaps more importantly, their incentives are aligned with both the client’s and insurer’s, leading to more rapid issue resolution at a fair market cost without protracted negotiation over scope.

Increasingly, the true value of a cyber insurance programme is derived not just from the policy itself and the indemnification it provides, but from the broader risk advisory expertise, value-added services and claims intelligence it provides across the entire risk life cycle, from prevention to response and recovery.

Companies looking to best protect themselves against developing threats are encouraged to engage with insurance carriers proactively as strategic partners in developing more cyber-resilient operating models and risk management frameworks – before an incident strikes.

Duncan Pease is head of international cyber claims at Axis and chair of the Lloyd’s Market Association’s cyber claims group. Tony Kriesel is head of professional lines and specialty claims at IQUW and deputy chair of the Lloyd’s Market Association’s cyber claims group