Brokers Often Choosing Inadequate Cyber Insurance Protection

New research from Cyber|Decider (www.cyberdecider.com), the cyber insurance comparator, shows that brokers’ own cyber insurance fails to cover many of the common threats – leaving them with costly bills should they fall victim to hackers, phishing, malware and other common cybersecurity problems.

Typically, brokers get their cyber insurance from their major insurance partners, meaning most smaller and regional brokers are covered by just a handful of standard policies – which in many cases will not be the policy most suitable for their needs.

Cyber|Decider has revealed that many of these policies, and the cover they provide against the most common threats, will leave most brokers out of pocket, potentially by £10,000s, should they experience a breach of their IT systems.

Neil Hare-Brown, the CEO of STORM|Guidance, creators of Cyber|Decider, says: “It is an FCA requirement that all insurance brokers can demonstrate cyber resilience: cyber insurance plays an important part in ensuring cyber resilience – especially as most policies include immediate access to incident response services. This is vital because brokers need to be able to provide a service to their clients at all times and investigate data breaches effectively when they occur.

“Brokers use data (personal and other third-party data) in their service, and whilst their professional indemnity policies may provide some liability cover, it is the first-party losses which tend to be much more serious – and these are not covered by a PI policy. Additionally, the broker may not be the primary target but a conduit to a bigger prize – a large insurer.

“Also, brokers, like other businesses, are outsourcing more and more, but only half of policies cover losses caused by incidents at the premises of such essential providers as payroll and trading platforms.

“A significant example of the potential costs from cyber incidents at vital service providers was the SSP system outage that lasted for 11 days in August/September 2016. The problems were especially bad for the many brokers who were completely reliant on SSP (it provides email and productivity services as well), so they were unable to service their clients for the period. Many lost clients and incurred additional costs because of the outage.”

Using Cyber|Decider to examine the 18 policies commonly used by brokers, worrying issues were uncovered including:

  • Only 22% provide BI cover on a “revenue basis” – some are even limited to net profit only. This means that 80% of brokers’ policies may not cover income lost by failing to acquire new business, and some would not cover costs like overtime. One broker estimated their losses at £100,000 for the SSP disruption.
  • 88% include cover for the loss of earnings resulting from damage to their reputation, BUT many have cover that ends when the computer incident is resolved and do not provide any cover for continuing client loss (some have cover for only 90 days). The problem with this is that the income lost outside this time period would not be covered, even if it is lost as a direct result of a cyber event. On some, the reputational cover is an optional additional cover that must be requested, and we strongly advise brokers to make sure they have chosen this option.
  • 72% include cover for payment card costs (incurred in accordance with the PCI contract terms), although in several this is optional cover that must be specifically requested.  After a breach involving payment card (PCI) data, a company will face PCI Data Security Standard fines and assessments. The latter allows issuing banks to recover losses they sustain as a result of a PCI data breach.

The amount that is assessed will depend on the number of accounts that were compromised; however, PCI DSS assessments in excess of £10 million have been reported. Brokers must ensure both fines and assessments are covered by their policy.

  • Only 55% include liability cover for breach of a confidentiality agreement in your contract or terms of business agreement (TOBA), despite the broker-insurer TOBA template from the British Insurance Brokers’ Association (BIBA) issued in July 2018 including confidentiality conditions for non-personal data. We strongly recommend this cover for all brokers because failure to keep client or insurer data confidential could lead to breach of contract claims and liability for consequential losses suffered by the client/insurer.

About InsuranceEdgeEditor (791 Articles)
20 years' experience as a journalist and magazine editor. I'm your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net
