A flood is overdue

Never has cyber risk been more real—or the opportunities for insurers more tangible. Intelligent Insurer investigates the true nature of the risk and how insurers are responding.

The subject of cyber risk is now impossible to ignore. From the Heartbleed security bug to the hacking of eBay, it is clear that as threats become ever more sophisticated, no company can truly count itself safe.

"Insureds can access those services knowing that they’re still going to have a full tower of liability intact if somebody brings a claim against them." Dan Hopkinson, Beazley

Stephen Wares, head of Marsh’s cyber practice, says that as an increasing number of companies wake up to the realities of cyber risk there will be a flood of buyers keen to take up cyber insurance.

A survey by Marsh published in June showed that 51 percent of its clients had either bought or were going to seek quotations for cyber insurance over the coming 12 months.

“That will be a massive change for Marsh,” he says. “The number of clients coming into the cyber insurance market and applying for quotes has been a trickle, not a flood, so far. Now I’m anticipating a flood of cyber enquiries—it feels like this is a product that has finally come of age.”

Time to wake up

Wares says that clients’ increased interest in cyber risk is being driven by several key factors. First, boardrooms are beginning to wake up to the catastrophic impact of cyber risk. In Marsh’s recent survey, clients were asked where cyber risk appeared on their risk register.

Some 24 percent said it was in the top 5, and 32 percent said it was in the top 10—making a total of 56 percent saying it is in their top 10 risks.

Marsh also asked who had ownership of the risk. “Some 57 percent said the IT department—only 20 percent said the board had ownership. Based on that it seems we still have a way to go to ensure that the board really take responsibility for this as a risk,” he says.

Awareness of cyber risk is also being fuelled by recent news stories about hacking, and by the launch of the UK government’s Cyber Essentials scheme, which provides a clear statement of the basic controls all organisations should implement to mitigate the risk from common internet-based threats.

Never has the risk been more real. Dr Simon Moores, MD of Zentelligence, a vice chairman of the Conservative Technology Forum and programme director and chair of the International eCrime Congress, says that computers are riddled with security vulnerabilities and there is no easy way to patch them up.

Even more disturbingly, anti-virus companies are starting to admit that they cannot keep up with the deluge of computer-generated viruses now attacking computer systems on a daily basis.

“We’re in a very dark and unhappy place because every day you’ve got about 100,000 new variants of a virus coming out. Some of these are being created in an automated fashion, which is why we have so many appearing.”

Moores says the promise of the anti-virus industry was that it would provide protection because it would be able to detect a signature and deal with the threat before it got into the heart of your system and did something nasty to it.

“That was true maybe five years ago, but now the threats are coming so rapidly, so frequently, that the anti-virus companies are unable to tweak their software on a regular enough basis—ie, every 24 hours—to protect you, so if you’re using anti-virus software your machine may protect you from something that happened six months ago, but not something that happened last week.”

Coping with a deluge

Moores says there is an analogy to be drawn with flooding, which is happening with increased regularity and causing increasing damage. In the face of this deluge, says Dan Hopkinson, underwriter, technology, media and business specialty lines for Beazley, there is increasing demand for cyber insurance that provides a raft of extra services to help deal with the consequences of a breach.

Beazley was the first insurer to bring services in as part of the solution, and its product—Beazley Breach Response—is structured so that the service provision sits separately from the main tower of liability.

“This means insureds can access those services knowing that they’re still going to have a full tower of liability intact if somebody brings a claim against them,” he says.

“Some 80 percent of our activity on these policies involves the use of the services part of the cover. Our breach services team are privacy specialists who are there to be proactive and work with the client and help them through the process of handling an incident once it occurs, and to be almost an extension of their in-house team.”

Beazley’s offering includes the services of privacy lawyers, IT forensics and a host of other service providers to help organisations in the event of a breach, including notification companies, mailing houses, a call centre, and data and credit monitoring companies.

“We started writing this in the US in 2008,” Hopkinson said. “We found that for most companies it will be the first time they’ve handled a breach and the speed you have to work at is phenomenal—if the data’s gone, it’s gone.”

Such is the appeal of Beazley’s approach that technology companies seeking guidance on how to handle breaches have approached them for insights.

“Even they acknowledge you can’t be 100 percent secure,” he said. “It’s about having a plan in place, which is what we work on with our insureds to help them go through the process of handling that breach once it’s happened.”

As more insurers move into the cyber arena, he said that their success will depend on their ability to keep pace with changes.

“Innovation will continue and will drive who has the success and who doesn’t, as it does with any line of insurance,” he said. “The market is going to be big enough for there to be a few main players.”