David Price, Director of Specialty at SSL Endeavour on the need for insurers to respond to the latest methods used by cyber criminals
I recently wrote an extensive article for Insurance Day focusing on the new frontiers of cyber risk, and how the field is developing in 2019.
What many people don’t realise is that hackers now attempt to not only compromise data with malicious attacks, but – in an Internet of Things (IOT) enabled world of cohesive connectivity – such attacks also target physical disruption and damage to a facility or operation.
And from what we can see, levels of awareness and preparedness for such an event from both a client and industry point of view, are limited.
The crux of the issue for me is twofold:
- Firstly there is a natural tendency for organisations to focus more on the benefits of technology, without fully accounting for how the integration is adding complexity to their risk register.
- Secondly, something we’ve seen the industry tackle with for some time now is whether cyber should be a standalone product or continue to be included with other coverages, such as property and general liability.
Coverage gaps are emerging. Typical property policies exclude cyber risk as underwriters are reluctant to accept these wordings because the exposure is not understood, while at the same time typical cyber policies exclude property risk for the same reasons in reverse.
We are also seeing some carriers beginning to take clear positions regarding physical loss and how a cyber event could affect other policies. As such, clients need to be aware of the limits of their cyber wordings, the difference between all encompassing protection as opposed to just breach response, and know what cyber wordings and stand-alone policies will actually deliver as they would expect if the worst should happen.
We strongly feel that cyber must be treated as a separate, standalone product. There is a need for comprehensive coverage that is tailored to a businesses’ specific exposures and risks, that will deliver in instances of remote access to a client’s production line, for instance, or any property damage to a facility, system failure and business interruption following a malicious cyber-attack.
If managed carefully, cyber insurance has the potential to be both an enabler and an important source of risk management support, responding to the latest methods used by hackers as an effective line of defence for businesses looking to grow globally.
As an industry, we still have much work to do when it comes to cyber. Here are two calls to action:
- Education: We need to educate our clients about the emerging frontiers of cyber risk, particularly given the exponential of IOT devices in all aspects of our lives. Is breach response alone really effective coverage?
- Standardisation of terminology: The insurance industry must decide on standard definitions for cyber coverage that are not up for dispute.
As with all these things, the more we learn, the better we will be. But, as an industry, we are skilled in recognising gaps in protection and above all, our products must best serve the interest of our clients. We need to be at the cutting edge.