Cyber risk insurance is evolving quickly, with bigger limits, more buyers, and more BI covers being bought

Cyber risk insurance is evolving quickly, with bigger limits, more buyers, and more business interruption (BI) covers being bought, according to specialty insurer Beazley. All of that is happening in the context of loss events and the introduction of the EU’s General Data Protection Regulation (GDPR). 

Cyber security

Source: monuttanit

“There has been an evolution of coverage,” Lucien Mounier, Paris-based cyber underwriter at Beazley told StrategicRISK. “Regulatory change and events like WannaCry have accelerated things.”

The overall volume being insured has risen. The largest clients tend to already have cyber protection in place, he suggests. “What they’re doing is enhancing it and purchasing larger limits. A few years ago, that meant €25m of capacity, but now the larger firms are getting €100-200m, and the largest firms, €200m plus,” Mounier said.

Small- and medium-sized enterprises (SMEs) are increasingly among the buyers, he suggests, and BI has increased in focus. Mounier said: “They don’t need to be physically targeted to end up victims. The losses of 2017 have helped increase awareness at SMEs and among middle market CEOs. In France there are hundreds of thousands of SMEs; you can’t forget about those guys.”

BI covers for cyber are a focus of the evolution, Mounier suggested. “Coverage has evolved from being driven by an incident, typically a malicious event, but you can now see many more BI triggers, including human error and the failure of a supplier, such as an outsourced service provider,” he said.

At the other end of the scale, Beazley has partnered with reinsurer Munich Re to offer the biggest, tailored cyber insurance protection – dubbed “Vector” – to the largest clients. “It’s geared towards very large multinational companies, with higher limits up to $100m,” said Mounier.

International large firms – such as manufacturers and energy sector companies – are asking for more capacity and taking a holistic approach to cyber risk, he explains.

Their reliance on industrial control systems means they are becoming more interested in covers that pay out for claims for which there is physical damage to property, or for bodily injury if machinery controlled by computers malfunctions.

“They recognise that that if a cyber-attack causes their machines to malfunction or to overheat, that can cause bodily injury or property damage,” Mounier said.

Contractual penalties are another focus, he noted. “Some clients have longer production cycles, meaning that a potential claim event may not be a BI loss, but they can be six months late on delivering on a long-term contract,” said Mounier.

The crisis response services that typically form part of standalone cyber covers need to be easy to access, he stresses, in the local language of the client. “Nowadays we see many more breaches in France. Some clients have had bad responses with carriers’ crisis management systems, so we try to get that right when setting up a crisis response structure.”

It is important that clients have their own house in order, which can involve legal, IT and the chief security officer, he suggests. “In some cases, we do see a breakdown in communications between the insurance buyer and their IT department. It’s important that the crisis response structure is embedded into their risk management processes.”

GDPR is driving demand, he emphasises, due to increased costs associated with a data breach, and the requirements to notify customers and the regulator within 72 hours. “We do expect a strong rise in the frequency and severity of claims. If you lose data, you’ll have to do something about it. However, whether or not regulatory fines can be covered by insurance is still hard to say,” he added.