Cyber insurance should be a partnership

Cyber risk coverage ought to be considered as a partnership between insurer, broker and insured, according to one of Airmic’s board members, who also serves as insurance director at BT Group.

Airmic board member Tracey Skinner said the underwriter, broker and buyer all need a full understanding of what the risk is, and from this, establishing the most effective coverage.

While insurance companies have been quick to provide cyber-risk packages in the past few years, she suggested the success of these policies remained to be fully tested, and that all parties need to work together to pick out particular areas of risk within each organisation.

“Quite early on you do realise that it’s not quite as easy as saying there you go insurance market there’s my risk off I go I’m protected now,” Skinner told StrategicRISK.

“I do think cyber risk is a risk that a lot of buyers are still not that comfortable with yet in terms of understanding the impact on their organisation. But without doubt organisations have really got to understand the threat and how it is unique to them,” she said.

A good IT security partner is “absolutely essential” in helping to navigate through the jungle of cyber threats, Skinner stressed.

“This issue is not solely the IT team’s problem it is an issue for the whole business and the entire board and senior levels of management need to understand the risk, the implications, where the threat could be coming from and how best to either avoid it or should it hit how best to respond,” she said.

“But the threat is changing all the time, so that response has to be refreshed to understand where the potential issues are coming from,” Skinner added.

Skinner’s day job is as the director of insurance and risk financing at telecoms giant BT Group, and she noted that the IT and telecoms sectors have been quicker than most to adapt to the challenges of cyber risk.

Other industries could learn from the responses of organisations to cyber breaches, she said, including telecoms firms – both those that have been successfully handled and those that have not. And she added that having a prepared plan in place was essential.

“Speed is very crucial in terms of communicating with your audience your customers, your suppliers and anyone that can touch your organisation,” Skinner said.

“It’s not something you can be silent on in terms of impact and then it’s all about communication and updates. If the organisations have gone through the right training and everyone knows the role they have to play and what the plan is then it should be fine,” she said.

“Problems can arise when a chief executive may feel he wants to be front and centre in terms of communication but may not always have the tools to be able to do that effectively for something that is a technical issue,” Skinner continued.

“It’s about agreeing a plan in advance about how communication will be issued and who is going to do what, as well as how it fits together towards business continuity,” Skinner said.

Insurers have got better in recent years at offering more joined-up cyber coverage, she highlighted, allowing for a more holistic solution to an organisation’s risks.

The focus of cyber covers has shifted from its origins, Skinner said, and continues to evolve.

“One of the most surprising things that has appeared because of the cyber risk is that primarily it started up within an IT offering as a third-party risk and then it moved, as people realised it could impact not only customers, but also impact their own business,” she said.

“So therefore there needs to be a first party risk, and that risk seems to be underwritten in the same space,” said Skinner.

“For the first time you have what you would traditionally call a casualty underwriter overlooking your first party business interruption, which is part of your cyber risk, which is quite an interesting dynamic and one that I will be fascinated to watch to see how it develops,” she added.