As a trainer in cyber insurance, I spend a lot of time speaking to brokers around the country about the many complexities of cyber insurance policies. Often the conclusion from those brokers is that cyber insurance policies seem to have been written with the intent of making cyber insurance as hard as possible for brokers, and their clients.
How do SME level brokers, who cannot afford the resources or time to invest solely in selling cyber insurance, navigate the difficult world of cyber insurance where policies often provide very different levels of cover, where each insurer tells them their policy is the best and prices differ from £100 to £10,000? What does ‘good’ look like for a cyber insurance policy?
I am often asked which is the best policy, and although my answer may not seem helpful it is true – the best policy is the one that meets the demands and needs of the client most closely! The key to understanding the right policy is to understand what the client needs.
Many clients are concerned about the growing threat from ransomware and see extortion as their main threat. They may seek a cyber policy mainly to cover this risk. Many policies provide such cover (some within the main policy, some as an added extension) but the cover provided differs considerably. For example, the broker needs to understand whether the policy covers non-targeted virus attacks (such as the WannaCry virus) or only targeted attacks (e.g. via a phishing email); the extent of forensic costs included within the extortion section; whether the ransom itself is covered; and whether the police need to be notified – all issues that will affect the buying decision of the client (if they are told about them).
The policy triggers vary, even within a single policy. Some Data Breach sections are triggered by claims made against the insured, subject to a retroactive date (often the inception of the cover with that insurer); some are triggered by discovery of the breach within the policy period; and some are triggered by discovery of the breach within the policy period combined with a retroactive date. The retroactive date may refer to the date of the cause of the claim. As a virus may sit undiscovered in a system for months or even years (outdoor equipment retailer Bailey's Inc. suffered a data breach in December 2011 that they discovered in December 2015), the application of a retroactive date may seriously reduce the cover the client thinks it has.
For a small business the extent of claims support that comes with the policy is crucial. Does the insurer provide a 24/7 support helpline? Is there immediate access to expert support services? Does the client have to pay up front and then seek recovery from the insurer?
Whilst a single market approach may seem to be the answer, that means that many clients may not be sold the most appropriate policy. One broker I spoke to was selling a single policy that did not include cover for Payment Card Industry liabilities, even though a large proportion of their clients were retailers offering payment card facilities.
There is no easy solution and as the publicity around the GDPR grows enquiries from clients will grow, so this is not an issue that brokers can ignore. Brokers can:
- Identify a cyber insurance champion within their staff who understands the risks and has thoroughly reviewed the main policy options
- Invest in an outside policy comparison tool
- Educate their staff on cyber insurance basics (many insurance training organisations including the CII Broker Academy offer cyber insurance training)
Meanwhile, insurers need to improve the policy information they provide to brokers – perhaps provide some SME level claim scenario examples to demonstrate how their policy will operate (and what will not be covered).
If you would like to get in touch with Diane, Click Here and leave a message and youTalk-insurance will put you in touch