Cyber insurance: A comprehensive guide to cyber liability insurance

With the cyber insurance space continuing to evolve, and demand growing amidst rising cyber attacks, we present our comprehensive guide to cyber insurance.

The concept of insurance dates back to the ancient world when merchants wanted to deal with the risks of shipping cargo over treacherous waters. Since that time, whenever a new risk has emerged a new insurance market has typically followed. Today, practically anything can be insured, be it a car, a home, or a footballer’s legs. Due to the prevalence of cyber attacks, which cost the global economy billions annually, cyber insurance has emerged as the latest solution in this succession.

Initially adopted by financial institutions, retailers and healthcare organisations, cyber insurance is now being taken up by an increasing number of sectors, including manufacturers and utilities. International credit rating agency Fitch Ratings estimates that annual premiums for cyber insurance currently total between $8bn and $10bn, and are expected to surge up to $22.5bn by 2025, with many experts warning that it’s not a question of if, but when organisations will be attacked.

The rise of cyber insurance

Cyber insurance is used to reduce the impact of cyber attacks and data breaches. It first emerged because traditional insurance policies tended not to cover these sorts of risks.

Typically, cyber insurance policies provide first-party coverage against losses such as data destruction, denial-of-service attacks, theft and hacking, as well as liability coverage guaranteeing compensation for damages from errors such as the failure to safeguard data.

Other policies include offerings such as security audits, post-incident public relations, and investigation expenses.

According to figures from NetDiligence, ransomware is the most common type of cyber attack being claimed for. Its research revealed that over a quarter (29 per cent) of over 7,000 claims concerned ransomware.

Speaking to the BBC, Graeme Newman, CEO of CFC Underwriting, said: “Claims on CFC policies were up 78% on 2015. About 90 per cent of our claims by volume are from businesses with less than £50m in revenue.” He added that a “disproportionate” number of claims were being made by British firms.

He explained: “This is largely down to the fact that on the whole, UK businesses have a lower level of security maturity than their US counterparts.”

Early days

Right now, the cyber insurance sector is in its adolescence: rapidly changing, but also awkward, and not yet reaching its full potential. While many policies are currently available, many offer a lot less coverage than buyers would like. What’s more, research from BlackBerry shows that only 19 per cent of organisations have coverage for cyber events beyond $600,000.

A common problem with the current cyber insurance market is the lack of standard policies, while the differing terminology between vendors leads to confusion in comprehending the protections a policy can offer.

Another issue facing insurers and organisations today is the lack of visibility in understanding cyber health, making it a challenge to quantify and understand premiums. Furthermore, according to a report by the insurer Hiscox, over half (51 per cent) of global firms are “cyber-novices” regarding the quality of their security strategy.

Cyber insurance broker

Due to this complexity, many companies look to cyber insurance brokers for help. A cyber insurance broker acts as an intermediary between the client and the insurer. Their job is to get the best terms and conditions for their client. The broker can also determine the coverage option best suited to a specific industry and vertical.

According to a study by Fox Rothschild, the US law firm, more than half of survey respondents worked with a broker to obtain their policy. Advisers assisted in a number of ways, such as ensuring that employee error isn’t excluded from coverage, that sublimits will cover potential fines and that companies know which costs related to business interruption will be covered.

Mark G. McCreary, partner at the firm, said: “An executive may think, ‘We’re secure; we have a cyber insurance policy.’ But if they don’t have the right coverage, they may find themselves in a world of trouble when a breach or other incident occurs.

“By working with a broker or with legal counsel who can advise on insurance coverage, companies will have a true sense of security because they will have a more effective policy in place that is suited to their needs.”

He added: “Working with a broker or with legal counsel ensures that you have a much more effective policy in place – one that will offer broader and better coverage for your company’s needs.”

The claims process

Beyond being able to help navigate through the nuances and difficult terminology, brokers also aid in the claims process.

According to Fox Rothschild’s research, only 21 per cent of companies with coverage had filed a claim over the last five years. Speaking to Insurance Business UK, McCreary said: “If I’m a broker and I have a customer that has a claim under a policy, I may not really appreciate exactly how you get to those points, and what the steps and costs are, until I go through it several times. Until you do that, even the broker doesn’t understand how the system works. It’s something that you have to really understand how the policies are different and understand how the claims made are different.”

Cyber insurance providers themselves have a responsibility to help their clients understand the claims process. As the cyber insurance market develops, a cyber claims process could make or break an insurer. Firms, however, can earn a low ranking from brokers even when they have invested substantial resources into developing a cyber proposition. This is because insurers with lower rankings can face criticism both for the customer claims process brokers experienced when supporting a claim for a client and for their approach to risk management.

On the other side, the higher-ranking insurers use a claims process where policyholders are directed to incident response experts who are on hand to guide them through the process in its entirety.

According to Tom Spier, former director of international business development at Cyberscout, now head of commercial at reinsurance platform Supercede: “This provides a better customer experience because policyholders have a single point of contact across all aspects of a claim, the interests of the project management experts are directly aligned with those of policyholders, and policyholders are connected to an expert with intimate knowledge of cyber events.”

Cyber insurance market growth

Research suggests that this current period of profitable growth in the cyber insurance market is bringing the benefits of competition and stability for buyers. According to Statista, the global cyber insurance market will double in size by 2025, to reach a total market size of around $22.1bn.

As cyber threats continue to develop, the cyber insurance market is predicted to become more dynamic. This agility, according to risk modelling firm RMS, will stem from the inevitable increase in competition. While established insurers have been dominating the market for cyber insurance premiums, new firms have been dipping their toes in the space. RMS says that this increased competition will impact rates, and furthermore, the market has been witnessing a gradual loosening of coverage terms.

There is likely to be growth in more industry-specific coverage options. At the moment, it often feels as if cyber insurance is a one-size-fits-all product. Hopefully, insurers will be able to get more in tune with what individual firms are facing.

Response to prevention

Cyber insurance, like most other forms of insurance, has tended to be categorised as an instant response product. Initially, coverage may have included a form of forensic services; however, as pre-emptive services evolve in the cyber security market, it is likely insurers will follow suit.

The market is already beginning to see more pre-breach services being included in coverage, where insurers are able to provide some kind of consultancy services to clients as they’re assessing their cyber risk.

As for shaping the future of cyber insurance coverage, executives can vote with their wallets. When considering cyber insurance policies, business leaders and brokers need to push for packages which include pre-event prevention services, such as proactive threat monitoring and mitigation.


Andrew Ross

As a reporter with Information Age, Andrew Ross writes articles for technology leaders, helping them manage business-critical issues both for today and in the future.