Cyber risk – mind the gap!
Today, almost every organisation is reliant on technology – it dominates communication systems, transport, financial services and many other aspects of commerce – and as technology becomes ever more complex and sophisticated, so do the risks you face. Cyber risks are a real and significant threat to all types of organisations, causing potentially far reaching and devastating consequences for all aspects of business and trade.
- Are insureds and their brokers in blissful ignorance of their lack of any meaningful coverage for cyber related exposures?
- Are underwriters of standard property and/or liability classes aware of their potential exposure to cyber losses?
- How big and how wide is the aggregation risk for reinsurers?
- Are the exclusions and protections traditionally relied on by the market still fit for purpose?
These are just some of the questions thrown up by recent surveys which ask whether buyers and sellers of insurance are doing enough to ‘mend the cyber roof while the sun is still (just about) shining’.
Repeatedly, surveys reveal that cyber risk is now among the top 3 or 4 concerns for corporate boards and for insurers alike. The increase in the frequency and sophistication of cyber failures/attacks draws into sharp focus the importance of insurance. However, outside specialist circles, it is concerning that the insurance coverage for cyber risks is not better understood and managed – there are notable gaps. Moreover, there remains a widespread uncertainty as to whether, and if so how, non-specialist insurance policies will respond to a significant cyber event. Conventional insurance products may exclude or restrict damage caused by a cyber-event.
Belief v Reality
For example, surveys have shown that while 50% of corporate CEOs believe that they have adequate protection against a cyber-event, analysis of their insurance cover indicates that only 10% in fact have the protection they believed. This misunderstanding, however, is not confined to the insureds. A recent analysis by software provider Absensa released on 18 July 2016 is reported to show that a review of almost 400 reinsurance contracts underwritten at Lloyd’s revealed significant exposures to catastrophic cyber events. At least 40% of the policies did not contain standard cyber exclusions and some 68%, it is reported, had no reference to cyber terms at all.
In part, this perhaps represents an industry inertia but also the failure to adapt coverage terms in some sectors to the rapidly developing technologies and ever changing risk profiles. For example, a cyber-event can lead to catastrophic physical damage and personal injury losses as well as the more readily anticipated data theft and business interruption exposures. It is also the case that many of the regularly used exclusion clauses are limited in their effectiveness as they focus on hostile acts, often by outsiders, rather than the increasingly common inadvertent cyber event or insider action.
In the circumstances, both insureds and insurers (as well as their reinsurers) would be well advised to undertake a careful review of their policy wordings in order to understand precisely what is and is not covered, and to make any necessary changes.
No-one likes nasty surprises – make sure you are not at the receiving end of one!