Cyber Insurance in its current format can be likened to a “moody teenager” – it is going through some growing pains , searching for an identity and not yet attractive to the opposite sex ! In insurance terms , cyber insurance is still evolving, the policy coverage is still developing and it is still not recognized as an essential insurance policy that a business should purchase. So why is this…. ?
The cyber insurance market has seen it’s profile increased significantly over the last few months. A number of factors have contributed to this such as the TalkTalk breach, together with a number of other high profile data breaches and the increase in social engineering cyber crime. The Information Security Breaches carried out by pwc last year indicated that security breaches were on the increase. 90% ( 80% 2014) of large organisations and 74% ( 60% 2014) of small businesses suffered a security breach.
This “moody teenager ” however does not seem to be ready for the big wide world and is being held back by a number of factors :-
1.Knowledge
Businesses do still not possess the knowledge to have the confidence to purchase this form of policy due to a lack of education by the insurance industry and associated professions. Some businesses are under the impression that they already have adequate cyber coverage within their professional indemnity or property insurance policies.This is also not helped by the lack of consistence terminology and of coverage within the policy wordings provided by insurers and makes assessment of the purchase difficult , even with the guidance of an insurance broker.
2. Policy Coverage
The cyber insurance policy in the UK is still very much at an embryonic stage , the policy coverage offered is still developing and not yet fully responding to certain areas such as reputational damage , property and bodily injury cyber related incidents. There is however the availability of “gap policies” provided by certain insurers , but no “one stop” solution.
3. Cost Prohibitive
The cost of cyber insurance in many quarters is still considered expensive to a business and if a business does not consider it “fit for purpose ” then they will be reluctant to take out this form of insurance. Insurers are however attempting to reduce premiums to attract policyholders but this tends to be where perceived exposures are much lower.
4. IT Reluctance
The IT team within a business is a stakeholder in the purchase of cyber insurance and it can be seen on many occasions that they are a reluctant purchaser of this form of insurance, as they feel that the business has the required technology and security to combat a cyber attack. This is borne out by the Wallix.com survey carried out last year with IT professionals whereby 47% of the profession thought that there was ‘insufficient need’ to invest in cyber insurance.
5. Data & Privacy Laws
There is no compulsory data notification laws in the UK and therefore businesses do not feel that there is a need to purchase cyber insurance . This is a common misconception as cyber is a modular policy and offers a number of other areas of coverage such as business interruption , cyber extortion and website damage.
6.Maturity of Market
The UK cyber insurance market is behind the US equivalent by a number of years which is due to the fact that compulsory data notification laws has been in existence in many states for some time and also the US has a much more mature claims experience in a highly litigious climate. The UK cyber insurance will therefore always be at a different stage of development that its US counterpart, this could however in the long term could be to their advantage with advanced analysis and technological advancements available to insurers to develop this specialized insurance product.
Increased collaboration between insurers, insurance brokers and the cyber security sector is a way forward and there are definitive signs that this is happening which will improve the current dynamics of cyber insurance , after all cyber insurance is only part of risk management armory that a business should have in place to combat cyber security threats.