Cyber insurance: Developing knowledge

With the number of cyber crimes increasing, knowledge of attacks is developing enough for cover to be rolled out. What are the options for insurers?

When it comes to cyber crime, no one is safe. In the past months, victims have included Qatar National Bank, Canadian gold producer Goldcorp and a community website for Portsmouth called the Star and Crescent. There is little rhyme or reason as to why sites are being targeted or who will be next. Cyber criminals are on the rampage and, as few are brought to justice, their activities are proliferating.

Although this is a volatile and uncertain class of business, insurers are pressing ‘play’. Many point out knowledge is developing sufficiently to allow for accurate underwriting and pricing.

Much is being learned from the US experience. Launched in 2009, Beazley Breach Response has handled more than 3300 breaches. In 2015, the insurer responded to 60% more of these than in 2014.

Beazley’s UK and international breach response manager Sandra Cole says “a remarkable increase” in cyber attacks is taking place and, consequently, many breach claims are being paid in the US. “We have learned a lot since launch and are able to provide those we insure with help at what can be a very worrying time.

“In the case of extortion, data is encrypted, with threats made to dump it online. The clients that can’t access their data often have to down tools and there can be a significant data interruption loss.”

She sees growing awareness in the UK, as the Talk Talk hack last year ended up costing the company some £60m.

Graeme King, regional head of cyber for Allianz, says the cover is poised to become mainstream in the UK and Europe, as it is now in the US.

The US has seen a swathe of claims, many sparked by the country’s tough data notification laws and the propensity for class actions. “Businesses should find that cover is broader in the UK as US insurers have scaled back,” he says.

He adds that fewer UK claims and plenty of capacity means cover is competitively priced. “Look back five years and cyber was a hard product to sell in the UK as companies did not see the need. There is not only growing awareness, but also the European Union General Data Protection Regulation coming into force in 2018.”

Regulators will soon be able to fine companies up to 4% of their global turnover or €20m (£16m), whichever is greater.

“Data breaches are now a fact of life,” notes Alan Owens, partner and head of technology at law firm DWF. In the US, 46 of the 50 states have made it mandatory for firms to report the data breaches they suffer. And this compulsory notification is now coming to the EU.

“Mandatory data breach notification regulations drive two things,” Owens says. “First, the uptake of cyber insurance, as the costs of notification of both regulators and affected users can be high. Second, an increasing acceptance, or perhaps apathy, on behalf of the public flooded with notifications.”

Yet for now in the UK, cyber is a hot topic, with the British Insurance Brokers' Association in the process of setting up a new expert committee.

DWF partner Jacquetta Castle says "cyber is firmly on the agendas of industry bodies". She mentions the Association of British Insurers, the International Underwriting Association and the Lloyd's Market Association, which has a dedicated cyber business panel. "These organisations play a key role in educating the industry. Lloyd's has been incredibly active in this area, with its work on systemic risk and on core data requirements for cyber risks."

She adds: "Cyber underwriters are genuinely knowledgeable, often coming from a technology background, and always being keen to know more and keep abreast of all developments."

Hans Allnutt, partner with DAC Beachcroft, remarks: "With so many incidents, brokers now have a strong armoury of case studies to talk to clients about." He recalls around 18 months ago, Lloyd's was still explaining the aim of cyber protection, while now it is focusing on the next phase of development.

A data standard was recently launched to provide the insurance industry with a systematic and uniform way to capture cyber exposure data and manage cyber accumulation risk.

Evaluating risk

Brokers are also developing knowledge. Shaun Cooper, manager for cyber and technology at Euna Underwriting, explains he trains brokers on the value of risk registers.

These are used to evaluate risk by showing the client their threats and their assets, thus helping them decide if they need insurance. "There is still greater awareness in the US, but companies here are starting to understand the effect on the balance sheet," he comments.

"The Insurance Act is also going to make brokers more aware of their responsibilities and ensure data risks are discussed with clients - and the more knowledgeable the broker is, the better the client relationship."

Ransomware

Ransomware is a kind of malicious software that restricts access to the infected computer. Criminals install it remotely, usually via an email attachment, and demand a ransom to unlock the computer.

Kits are available on the dark web for around £3000, with support being offered and manuals on how to run the code. It appears little technical know-how is required.

Some arrangements allow the newbie criminal to keep 100% of any ransomware bitcoin payouts. Others offer to split the profits.

When a targeted user opens a malicious attachment, files on their computer are encrypted and a note is displayed on the screen as wallpaper, telling the victim how to pay the money and how much time they've got before the hacker destroys the encryption key.

Although more brokers are training their staff to be cyber specialists, for example through taking Systems Security Certified Practitioner examinations, Cooper would like the Chartered Insurance Institute to develop some specialist qualifications.

As demand grows, insurers that have traditionally focused on the US are now also targeting the UK and other European markets.

Ascent Underwriting underwrites around 90% of its cyber business in the US but its chief underwriting officer Gareth Tungatt predicts: "In the UK, as education and training increases among brokers and clients, we are going to see the market expand.

"My view is that in two to three years' time, it will be around five times bigger than it is now. Insurers will develop more balanced portfolios."

He says better knowledge will also mean brokers can advise clients on differences between policies. "Some wordings are out of date and not fit for purpose and are less relevant to the UK market."

Last July, Ascent added social engineering fraud to its cyber policy to cover losses from phishing and other scams.

James Burns, cyber product leader at CFC Underwriting, says the drivers behind insureds purchasing cyber cover are different in the US and in the UK.

In the US, cyber is the fastest growing single product line and the focus is on insuring against data breaches. There, he says "the fines and penalties that occur are insurable; this is less the case in the UK".

Smaller companies targeted

As smaller companies are being targeted, CFC provides clients with the opportunity to gain Cyber Essentials certification, a government-backed scheme to help firms have basic cyber hygiene. It allows them to implement levels of protection against cyber attacks, to assess their security and obtain independent verification.

Burns says extortion is a growing concern for many UK firms and, if money is lost, there is no guarantee a bank will reimburse. He points out a number of UK law firms have been victims of social engineering fraud. A pretend banker calls to warn they have spotted fraud, asking for ‘challenge and response’ codes used to authenticate payments and in some cases digital banking log-in and password credentials.

"Several [firms] have fallen for this hoax, typically those in conveyancing where large amounts of cash are transferred - it's thought around £2m has been handed over," he says.

But insurers have no plans to pay out willy-nilly if a company is lax. Burns says clients need to meet minimum standards of security. "Regular backups, using cloud storage and encryption along with two-factor authentication are the types of areas that need to be taken seriously."

However, small firms don't necessarily want to shell out on additional insurance. Anecdotally Castle reports she hears the SME market does need some convincing that standalone cyber cover should be part of their insurance portfolio.

Arguably though, it is the smaller firms which are more at risk. Kennedys' partner John Farrell points out: "Larger firms are using ‘white hats’ who check out dark web activity - cyber criminals are prone to bragging - and they can report back to their clients what is happening and where they need to act."

He adds: "Many don't realise how easy it is to steal data. Firms need to be rigorous in how they back data up and where it is stored, along with strong passwords and even in things like where they use wi-fi remotely. Pineapple devices dupe people into thinking they can access free wi-fi but allow criminals to steal data."

Meanwhile, insurers say their policies are fit for purpose and appropriate for different markets.

Emergin Risk CEO Jamie Bouloux says the cyber insurance industry has moved on from umbrella-style insurance products and it is now more about customising propositions. "The market has not moved on as fast in the UK, but there is a lot of opportunity here. British companies are just as likely to be targeted by cyber criminals as those anywhere else."

However, some question the value of current cyber policies.

Ben Desjardins, director of security solutions at tech company Radware, says: “The insurance market needs to be more transparent in how policies are positioned. It does little to improve the state of security within an organisation. A policy doesn’t make the network and applications any more secure.

“If an attack happened, a policy might protect a firm from the cost implications of recovery, legal defence and settlements, but it would not repair the cost to the brand value and restore consumer confidence.”

Castle adds: “Many new entrants still seem to be using US policy wordings with little adaptation. This can produce some bizarre results, for example, providing cover for uniquely US concepts or issues. I suspect with the General Data Protection Regulation, policies in the UK and the US may come to have more in common.”

Held to ransom?

The Talk Talk perpetrators have been caught – teenagers from Norwich, London and County Antrim are among those bailed – but many hackers are getting away with it.

“You can see why criminals favour this. Non-tangible extortion is a lot easier than traditional burglary,” says Gareth Tungatt, chief underwriting officer at Ascent Underwriting. “What is more, cyber criminals receive lighter sentences. Electronic theft is seen as more victimless.”

Mark Hawksworth, global technology specialist at Cunningham Lindsey, says he has plenty of UK cyber crime claims to keep him busy. He explains ransomware is frighteningly easy to get hold of. “It is also possible to pay for ransomware as a service, meaning little knowledge is needed.”

Ransomware can be devastating for online retailers, for example, if it forces them to shut down over their busiest period.

Cyber criminals are canny in that they will typically ask for relatively small sums – say £500 to £2000 – which will be below the insurer’s deductible. As a result, some victims pay up.

In February, a Los Angeles hospital paid hackers $17,000 in bitcoin. The Hollywood Presbyterian Medical Center had lost access to its computer systems because of malware.

“Some companies feel it is better to pay up than face large costs putting things right, even though there is no guarantee they will be supplied with the encryption key,” comments John Farrell, partner at Kennedys. “A company may weigh up the risk and pay – for example if their intellectual property is at stake. If it has no backup, it is in a dark place.”

Hawksworth agrees there are no guarantees the encryption key will be provided. “What is more, the company could end up on a ‘suckers list’, causing even more problems.”

Ben Desjardins, director of security solutions at Radware, adds: “Our advice is never to pay, as once the attacker has your attention they will become relentless.”

Instead, provided cover is in place, this is where it may prove most worthwhile, since insurers should have top-notch experts who can reconstitute a system and pay for the downtime.

It would make little sense for insurers to be paying ransoms as this could encourage further attacks.

Graeme King, regional head of cyber for Allianz, says the policy wording does not expressly forbid it and, while his company has not paid out, it would look at each case individually.

It is not illegal for an insurer to pay a ransom, but it would be if the recipient were linked to a terrorist organisation. So this remains a complex area, for both the victim and the insurer seeking resolution.

 

While cover may have shortcomings, more businesses will likely be picking up on cyber dangers, whether they derive from crime or human error.

The government is also increasingly committed to sharing information in order to tackle cyber fraud. Biba has joined the Cyber-security Information Sharing Partnership, a joint industry and government initiative to reduce the impact of cyber threat on UK business.

Brokers also have a key role to play. They must be aware of exclusions and ensure clients understand their side of the bargain, notably guarding against negligence and having adequate security.

Contentious claims and a feeling that cyber cover is all hype and no payouts will damage the sector as it enters this next, crucial stage.
