Buyers and brokers are attracted to bolt-on cyber covers, but these can be narrow and lacking in response services

Peter hawley

Buying standalone cyber covers can seem unnecessary because brokers are offering bolt-on covers that seem to do the trick. But such add-ons might be misleading risk managers, according to Peter Hawley (pictured), a cyber risk underwriter at HDI Global.

US data privacy laws have driven cyber buying towards a third party cover focus, Hawley suggested, which may be replicated in Europe once General Data Protection Regulation (GDPR) goes live in May. “From conversations I’ve had with numerous risk managers, perception of the risk is undoubtedly a key influencer,” said Hawley.

Many non-US clients have looked at cyber risk from a first party business interruption angle, he explains. “A split therefore occurs, and bolt-on policies afford perceived peace of mind reflective of the buyers’ outlook,” Hawley said.

“However, careful consideration must be given to the wording of these bolt-ons as cover isn’t necessarily as broad as can be found in standalone policies. There is also the question of specialised incident response, with bolt-ons tending not to make any provision in this regard,” he continued.

Brokers, like buyers, are under pressure to deliver for an affordable cost, and without adding on entirely new products. “The broker market is competitive, and pushing for extra cover in traditional insurance classes is something we see. The biggest problem is a lack of understanding what the bolt-on being considered actually does,” said Hawley.

He continued: “I’ve been in meetings where a buyer is looking to purchase cyber cover in reaction to the upcoming GDPR, but there has been the push to get the cyber bolted onto the property programme under the mistaken belief it was any more than Business Interruption extension. What starts out as well-meaning added value has the potential of becoming an E&O headache for the unwary broker.”

There is recent evidence of a change in perception through greater understanding of the risks, he noted. “This in some cases is due to media coverage of major incidents, but unfortunately for some it comes through bitter experience of suffering a breach themselves,” said Hawley.

Bolt-on buyers may discover too late that their covers are inadequate, Hawley warned. “The time for discovering the limitation of a 2-paragraph bolt-on compared to a fully-formed cyber policy is not when an incident occurs,” he said.

“With businesses and individuals relying so heavily on IT and data in the modern world, and exposures first and /or third party in nature, bolt-ons have the potential for being false economies for buyers,” Hawley added.