As someone who has reviewed 30 different cyber insurance policies for Cyber|Decider (an on-line cyber policy wording comparison tool), I was surprised by the comments contained in a recent Insurance Age article.
Brokers and insurers were accused of ‘scaremongering’ to make companies buy cyber policies. Even more surprising was the suggestion that instead of buying a specific policy, businesses should look to extend their existing policies to cover their cyber risk, for example extending the professional indemnity policy to cover damages for third party data breaches.
Putting aside the fact that clients probably already have this cover under their public liability policy (in the Data Protection Act extension), and the PRA Supervisory Statement|SS4/17, this suggestion overlooks the fact that it is the first party costs accompanying a data breach that are the most common and significant part of a breach loss.
A recent survey (Cyber Breach Insights by Clyde & Co and Corax) shows that the cost of the liability settlement is only 7-8% of the total breach claim cost. If a client only covered the third-party claim element, 92% of their costs would be uninsured!
Whilst I agree that some cyber policies fail to give the protection required by a client, so do many other classes of insurance. For example, I have seen property policies sold containing conditions that the insured cannot comply with.
The issue is that some brokers (I suspect a minority) do not take the time to discuss with clients exactly what they need and too often sell only on price; they do this because many clients think all insurance is the same and therefore buy only on price.
Certainly, there are many issues with cyber insurance – the main ones being the lack of standardisation between policies and the very different approaches taken by insurers; hence the need for Cyber|Decider, but this also gives insurance brokers an opportunity to demonstrate the real value they can bring to clients.
Careful questioning can lead to an understanding of a client's needs, and understanding the policy differences will help brokers sell the right cyber policy. Explaining to a client their cyber risk, for example the implications of their payment card industry contract, is hardly ‘scaremongering’.
A cyber policy covers numerous first and third-party costs and is often modular, allowing clients to choose the elements of cover they want. Any new policy needs to be bought as part of a review of the client’s overall risk and their insurance portfolio. The existing policies bought need to be reviewed to avoid duplications in cover and therefore a gap analysis often needs to be undertaken. When the gaps have been identified (such as first party data breach costs), brokers can review the various cyber policies to ensure the right one is bought, checking, for example, if voluntary notification to data subjects is included.
I am often asked ‘which is the best cyber policy’ and the answer is always the same – the one that meets the demands and needs of the client most closely. For cyber risk that is never going to be only an extension on their existing policy.