“Basic housekeeping” should come before buying cyber insurance

Cyber attacks like the ransomware dubbed ‘WannaCry’, which has hit hundreds of thousands of businesses around the world in recent months, have highlighted that businesses must first properly understand and assess the risk before they purchase the necessary insurance, according to Julia Graham, deputy-CEO and technical director at Airmic, the UK’s risk management association.

Speaking ahead of Airmic Conference 2017 in Birmingham, UK, Graham suggested that basic preventative measures such as backing up files or relaying information to a managerial level often work well as risk management techniques and should be considered a priority.

“Cyber is an insurance business that has come of age,” Graham said. “But don't forget that you should assess the risk first and buy insurance second. I think one of the problems with cyber is that it has worked the other way around for a while.”

Rather than an attack on specific business, the ‘WannaCry’ ransomware was an attack on any machine in any business that the virus found vulnerable, Graham noted.

The UK’s National Health Service was badly affected but the virus also found vulnerabilities in the likes of commercial organisations such as FedEx in the US and German railway operators.
“I think it’s partly a cultural issue – they think that it’s never going to happen to them, or they don't need to do this because it’s not going to affect them, or that they’ll do it next week and they don't get round to it. Some basic housekeeping could have saved them a lot of grief,” Graham said.

Over 50 percent of Airmic members still don’t buy cyber insurance, the main reason quoted being that decision makers are often persuaded by their technology and information colleagues to spend the money on controls instead.

Graham suggested that the market has not had meaningful capacity in previous times, and what was available was expensive.

But she believes this is changing.

“We're issuing a new paper at our conference on cyber where we are saying - well actually, the world has moved on,” Graham said. “And if you look at capacity levels, some broker programmes they do $600 million. Some individual insurers will take up to £50 million.”

She suggested that people have got more sophisticating in assessing cyber risk, assessing what cover they’ve already got, and therefore only buying where they’ve got a gap.

“And I think insurers are very canny in the way that they are developing value-added benefits to their policies, things like media support, or data breach response, legal support,” she continued.

Proposal forms are also getting shorter, as she suggested that insurers are resisting the temptation to ask you everything, and only asking what you need.

As it continues to mature, Graham expects the market to expand significantly.

“I can't blame the insurance industry,” she said. “They saw an opportunity and they went for it. It's like with anything in life, if you go in for an opportunity and you're not ready to convert it, it might not be the best idea.

“I think the lessons that people can take away from this is that do the basics, which are educate your people, tell them how important it is, reward good behaviour, don't reward bad behaviour, make sure the board have good metrics and know how things are going. Then, you're half way to dealing with the issues. They're not all rocket science.”

Today’s stories

Many board-level risks are still not insurable: Airmic CEO

Open-loss modelling “significant as first cat models” says pioneer

Liberty reveals next boss of aviation reinsurance

Lloyd’s Syndicate 1110 placed into run-off

Heerasing leaves XL Catlin to join ACR Capital as deputy CEO

Compre to buy Irish captive insurer Equinox CA Europe

XL Catlin taps senior casualty underwriter from Zurich Australia

Did you enjoy reading this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.