Cyber Insurance is perceived as a growth market by both insurance brokers and insurers, and over the last twelve months take-up has gathered momentum. This has been due to increased awareness and the impact of high-profile data breaches around the world.
Cyber Insurance is now a very competitive space, with in excess of 30 insurers in the UK claiming to write this class. This has increased threefold, with differing levels of expertise, which is due to the lack of underwriting experience in this sector.
The policy coverage offered is also variable in terms of scope of cover offered and consistency of terminology.
Mandatory notification laws on reporting data breaches exist in the US, and these will become relevant to the UK next year when the General Data Protection Regulation comes into force, which is anticipated to further drive the demand for cyber insurance.
Cyber insurance is still a relatively new category of insurance in the UK, which means an absence of claims history. This hampers the assessment of cyber risks and brings issues of accumulation, with a changing threat landscape that is difficult to foresee.
5th July 2017
The Prudential Regulation Authority (PRA) has today issued a regulatory statement on cyber risk management which focuses on insurers' exposure to the accumulation of cyber risk under all insurance policies.
The PRA expects visibility that insurers have a firm grip on their understanding of their cyber risk exposures. The fact that cyber risk is a changing and emerging risk that is difficult to understand is no longer a valid excuse, and the PRA have therefore set out some steps that insurers will need to implement. Irrespective of whether an insurer writes cyber insurance or not, a cyber risk exposure may well exist, and insurers therefore need to provide clarity on whether this is an exposure that they are willing to accept under their insurance policies.
A recent survey revealed that only 14% of insurers advised that they were able to provide evidence of their exposure to non-affirmative cyber. The other 86% rely on manual or proxy methods. Furthermore, comments were made that a major cyber loss could be compared to a catastrophic event such as an earthquake or hurricane.
The expectations of the PRA fall into three categories:
- Non-Affirmative Cyber Risk
- Cyber Risk Strategy and Risk Appetite
- Cyber Expertise
18th January 2016
The British Insurance Brokers Association (BIBA) has agreed to work with the government to help members reduce the ongoing exposure created by cyber crime.
BIBA have recognized that more and more businesses are subject to cyber attacks which result in a data breach or a cyber crime being committed. The professional body for insurance brokers has membership of the Government CERT UK’s Cyber-Security Information Sharing Partnership (CiSP) and is to sponsor its members to join the initiative, which will produce up-to-date and evolving cyber threat information.
19th January 2016
Lloyd’s Core Data Requirements for Cyber Insurance
Lloyd’s has been working with modelling firms AIR Worldwide and RMS, together with the Cambridge Centre of Risk Studies, to pull together a set of common core data requirements for cyber risks.
Both AIR and the RMS/Cambridge team have agreed to highlight common elements when they publish their data schemas later this month, with each agreeing to use similar terminology and precise definitions.
Lloyd’s director of performance management, Tom Bolt, said: “Cyber insurance is an important new area of coverage and it is essential that we have good quality standardized data to track exposures.”
Insurance brokers have also been encouraged to participate in this initiative as this will also assist in their assessment of a client’s risk exposure.
This also improves data aggregation for Lloyd’s to help build more reliable models that enable underwriters to calculate cyber insurance premiums.
9th November 2015
Lloyd’s Oversight Framework for Cyber Exposure Monitoring
Lloyd’s have launched a process whereby all Lloyd’s syndicates can assess cyber attack exposures and ensure that they are fully understood and recorded, so that Lloyd’s can monitor their accumulation of risk exposure.
Lloyd’s now require syndicates to have a specific risk appetite for cyber attack across all classes of business, signed off by their respective boards, for all policies commencing 31st December 2015.