In this latest column, Chris Andrew from BAE Systems looks at how insurers and brokers can help UK businesses make sure they’re getting the best cover against growing cyber risks.
Many businesses look at the cyber issue purely from the extra costs angle, but there are also things that many companies have to do for compliance purposes – and of course, good security and data management also save time and money.
One thing that insurance companies, MGAs and brokers can all do to help is to make companies aware that they could be left exposed, as redrafted property policies are increasingly excluding IT-related losses. This issue has arisen following requests from the Bank of England’s Prudential Regulation Authority (PRA), and Lloyd’s of London, that insurers give more detail about cyber-related losses covered by their normal policies.
The aim is to improve transparency in the industry, and it also presents insurers with the opportunity to clarify, in layman’s terms, exactly what is and isn’t covered.
Insurance compliance firm Mactavish has already welcomed attempts to bring greater transparency to the insurance market on the issue, but said that the redrafting of many commercial property policies is leaving clients under-insured and exposed to a range of broadly “tech-related” risks which they had believed, or expected, would be covered.
Rob Smart, technical director at Mactavish, has commented that the various exclusion clauses in a standard cyber policy could be interpreted as being too broad. The problem for many insurers and underwriters is that commercial policies cannot be truly separate, standalone products – the cyber risk is an inherent part of doing business in the 2020s.
Graeme Newman, chief innovation officer at CFC Underwriting, has told the media that the push for greater clarification on which risks are covered in commercial and cyber insurance will be a good thing for the industry in the long run.
“I don’t think it’s about removing any features from a particular policy. It is about clarifying and defining risks carefully; insurers must be clear on what they are intending to cover and what they are not intending to cover,” he said.
“Many commercial building property forms were drafted decades ago, and the drafting hasn’t moved on much. There is no rule that prevents a property insurer from covering a cyber event, the rule is simply saying if you are going to do that, make it clear.”
Your Brand Reputation Has a Real Value – Protect It
Cyber is an asset-based policy like property insurance, not peril-based. This means that it covers ‘intangible assets’ such as the reputation of the brand, or data. So the customer needs to know that their commercial insurance covers far more than the cost of replacing the physical building shell, specialised equipment, paper records, stock and so on.
This is a message that BAE Systems can truly identify with, because one of the big risks to many companies today is denial of service, followed closely by reputational damage.
There’s no doubt that a flood or fire is a serious event. Losing thousands of customer records to hackers or ransomware criminals may leave buildings untouched, but it can produce expensive knock-on effects such as GDPR fines, negative comments in the media and untold reputational damage. In some cases, businesses may not be able to transact with insurance customers by processing card or online payments.
So everyone in the insurance industry can help their clients, large and small, understand these risks better, and explain that IT system security coverage is a necessary part of commercial insurance. From data storage servers to email login passwords, and from USB downloads within the company IT network to third-party online payment services – it is all commercial risk.
The long-term benefit to the broker, insurer, or specialist underwriter is that being proactive really pays dividends, as they become sources of trusted advice and support, rather than just insurers that simply take a premium every year. By offering insights on the latest cyber threats, identifying new risks and so on, they become much more than insurers.
New Rules on Clarification Are a Good Opportunity
One example of a reworded commercial property insurance policy sums up the problem: ‘all losses “indirectly contributed to by” IT or data failure, even “regardless of any other cause or event contributing” to a loss, are excluded.’ That blanket get-out clause needs to change into something much more specific.
Since 1 January this year, Lloyd’s underwriters have been required to clarify whether first-party property damage policies affirm or exclude cyber cover. This is a great moment for insurers and brokers alike to redefine their commercial and cyber products, so that customers really understand what type of cover they’re buying, including the limits or exclusions.
The other opportunity here is to build cyber updates and support into new commercial policies, so that SMEs, public sector bodies or large corporations know they have expert advice, especially when it comes to preventing cyber-attacks.
When everyone involved in the chain understands that cyber risks are NOT a separate issue, but an integral part of managing a modern commercial enterprise, then clients will be happier, and insurers will face fewer problems regarding claims.