As cyber security grows in importance so too does cyber insurance. But business leaders should look before they leap, says JC Gaillard of specialists Corix Partners
There has been a vast amount of hype around cyber insurance in recent years, and many industry players are jumping on the bandwagon because they perceive it to be a lucrative niche.
In reality, the market is still maturing. It presents significant blockages that are confusing brokers, underwriters and regulators, and may limit the value many clients can get from products.
- Lack of actuarial and modelling data, due to the constant evolution of cyber threats, as well as structural data sharing and data reliability issues
- Fundamental lack of specialised cyber-security field expertise at key points in the market
- Conflicting regulatory concerns over mis-selling and systemic risks
- Too few significant court cases to predict how litigation could go
As nobody can predict future cyber-attack vectors, businesses cannot realistically expect to be insured indefinitely against unknown threats. So it is advisable for SMEs to resist the urge to buy any cyber-insurance product before looking first at their own cyber-security practice and the real threats they face.
Specifically, SMEs should focus on these four key areas to determine what’s best for them:
Cyber-security reality check
Cyber insurance will never be a silver bullet, and having appropriate security controls in place will always be a pre-requisite for any claim to be successful. This goes well beyond self-certification through schemes such as Cyber Essentials. It requires a proper assessment of the controls in place across the firm.
Existing insurance policies
It is key to check the level of coverage you may already have through existing policies such as Commercial General Liability policies, and decide whether this is sufficient.
Real content of cyber insurance policies
If you decide to consider cyber insurance it is essential you read the small print in detail. Make sure you fully understand all exclusions and how they might apply – as the market is still maturing and underwriters are likely to cover themselves carefully in ways that might prevent you claiming.
You should also accept that differences of interpretation and the enforceability of exclusions may have to be tested in court in the absence of precedents.
Many brokers have also flavoured their products with value-added services, such as data-breach or crisis management assistance. But SMEs should consider carefully whether they really understand and need those services. If so, they may be available at a better price, either from the underlying provider or from a similar firm with whom they already have a relationship.
Finally, it is advisable to only buy cyber insurance from reputable brokers or agents with whom you have a strong relationship. It will give you more leverage in the event your claim is difficult, and could help put more pressure on underwriters.
JC Gaillard is a member of IoD London