As an underwriter for Cyber Risk, how often has your client asked, ‘Do you have Cyber Essentials?’ or ‘How are you safeguarding my information?’ As clients are becoming more clued up about cyber, the Insurance Sector is finding that they are being held to account, not only by regulators, but also by those purchasing the insurance cover. In such a competitive market, there is a demand upon insurers to raise their own level of cyber maturity, and be seen to be actively encouraging clients to adopt better defensive measures; after all, preventing a data breach is beneficial to both the insurer and the insured. This was the key topic discussed at the ‘London 100’ VIP Cyber Security Event recently sponsored by Templar Executives at The City of London Club in collaboration with The Insurance Insider and Norton Rose.
Last year, Chris Moulder, Director of General Insurance at the Prudential Regulation Authority (PRA) wrote to the Boards of insurance companies on the Cyber Security agenda. The accompanying questionnaire on cyber resilience sought to explicitly monitor the robustness of governance at Board-level, as well as transparency around the ability to manage and monitor aggregate exposure. The expectation was that this would be especially relevant for those (re)insurers providing cover in new areas such as cyber. As Mark Geoghegan, Editor-in-Chief of The Insurance Insider stated, insurers truly are “on the frontline”.
The mood amongst many insurers at the event was summed up perfectly by one attendee who stated, “We will not look very competent providing cyber insurance policies or inspire customer confidence if we get hacked as a result of not taking our own precautions”. Maintaining reputation in a competitive industry is vital for all insurers to ensure survival in the marketplace. Although Board-level awareness is still viewed as nascent in the area of Cyber Security, from Templar’s experience Board capabilities and skills are gradually improving. This shift has been helped by the fact that more often, clients are asking insurers how they personally protect the customer’s information.
Keynote speaker at the event, Andrew Fitzmaurice, CEO of Cyber Security firm Templar Executives, said “Organisations that have obtained a credible and business enabling level of Cyber Security maturity have done so by approaching this agenda from two key aspects. Firstly, by regarding this holistically, and by that I mean encompassing people, processes, culture and ICT; and secondly, by addressing it as a business proposition led by the Board and not just referred on as an ‘IT issue’. Indeed, experience has shown that more often than not breaches occur through human actions and not a failure of IT.”
Insurance companies are put at additional risk of attack when we consider that they store not only client information, but a library of information detailing a company’s risk profile (and also their vulnerabilities), as well as the insurers’ own account risk. Managing this is about finding the balance between protection and exploitation, and applying proportionate control.
It is estimated that the Cyber Insurance market will be worth $20 billion by 2025 – a testament to the evolving severity of the Threat landscape. However, currently, only 17% of Board members understand what ‘the Threat’ entails. Whilst demonstrating compliance with industry standards is a necessary step, standards do not equal Cyber Security and Information Assurance maturity. Insurers need to be ahead of the curve in order to predict evolving trends in the Threat landscape, accurately underwrite risk and provide bespoke solutions to clients.
These were just some of the major challenges discussed at the event that the Insurance Industry must look to address. We know from experience that it takes a high profile and significant loss to spur people into action. What is vital, both for the survival of the Cyber Insurance Industry and for consumers, is transforming the current reactive culture into a proactive one, which understands the importance of a holistic approach to Cyber Security. Embracing such a culture will ensure insurers meet the demands and expectations of their clients, and satisfy regulators.
Adrian Leppard QPM, former commissioner of the City of London Police, and one of the panel speakers, summarised with a warning that, notwithstanding the significant investment that has been made, companies could not rely on the UK government to shield them from cyber-attacks. “The reality is the government is struggling to protect individuals and businesses in this space,” he said. “Organisations need to take charge of this issue and mitigate the risks appropriately. Failure to do so could have severe immediate impacts as well as longer term consequences for the business.”