With home working raising the threat of cyber risk even higher, Nicholas Pratt asks if the funds and investment industry should consider cyber insurance.
For many years, the adoption of cyber-insurance policies has remained low despite the increasing risk. Take-up has been especially low among smaller businesses without dedicated risk managers charged with responsibility for buying the company’s insurance.
The low adoption has to some degree been a reflection on the credibility of the insurance industry. Just like fund managers, insurers have been accused of failing to adapt to a digital age. The traditional insurance products are based on physical assets and decades of loss history. And insuring the damage to non-tangible assets like reputation with hardly any loss data has proved trickier.
But there are of course at least two sides to every story, and there has also been a failure of the industry to properly understand how insurance works or to even consider it as an option in their cyber-resilience programmes.
What is clear, though, is that at a time when every market participant is wholly reliant on data and on each other, it is surely now or never for the cyber-insurance market.
In 2020, Allianz’s Risk Barometer – the insurer’s annual survey of business risks – put cyber in pole position for the first time. It was ranked as the foremost peril by 39% of the 2,600 respondents, surpassing business interruption. Seven years ago, it ranked 15th, with just 6% of responses.
Furthermore, the financial services industry is a particularly exposed sector, as it processes a vast amount of privileged personal data and conducts complex financial transactions on digital platforms, says David Van den Berghe, global head, financial institutions in the Allianz Global Corporate & Specialty financial lines team. Fortunately, there is strong cyber-risk awareness in the financial services sector, including funds and asset management, he says. “We also see growing demand for cyber-insurance solutions as many companies are establishing a comprehensive cyber-resilience programme.”
It is not just the insurers saying this, though. “Cyber-insurance adoption is increasing across investment management,” comments Pauline Hawkes-Bunyan, director for Business: Risk, Culture and Resilience at the Investment Association (IA), the UK’s trade body.
“Most policies provide immediate access to a panel of incident management teams who can help firms as soon as an issue is identified, including help on ransomware attacks, which have increased significantly recently,” says Hawkes-Bunyan.
She adds, however, that insurance is “not the complete solution to this growing problem” and that the IA encourages firms to develop their own incident response plans and think ahead of time about the steps they would take in various cyber-incident scenarios. “If they only allocate resources to cyber security reactively to a live incident, it is already too late.”
Hawkes-Bunyan also advises firms to examine the terms of any policy carefully, as incidents at third-party suppliers may not be included and reputational damage may not be adequately covered, both of which are particularly important for investment firms.
The insurance industry has tried to address both of these issues. It has sought to close coverage gaps by focusing on standalone cyber insurance rather than extensions to existing policies where coverage can be a grey area. This has been referred to as ‘silent’ or ‘non-affirmative’ cyber coverage and various industry bodies have long called for greater clarity on exclusions.
Insurers have also looked to extend policies to include third parties, for example expanding coverage to include business interruptions triggered by third parties such as a cloud.
Both have served to improve adoption within the investment industry, say insurance brokers. “We have seen the largest take-up from asset managers and pension funds,” says Alistair Clarke, executive director, Cyber & Commercial Errors & Omissions, at insurance broker Aon. “They were some of the early adopters. But among the larger institutions, it is hard to find one that has not got some form of cyber insurance, whether that be standalone cyber programmes, writing it into their captive or through an extension to their existing insurance coverage such as professional indemnity, crime or bond.”
For the larger firms looking to cover a potentially catastrophic cyber event, a critical development has been an increase in the amounts that policies will pay out. “In years gone by, there probably was not the availability of requisite capacity. Now we are able to offer £500-600 million limits at a sensible rate,” says Clarke.
One catalyst for greater adoption has been the improvement in the availability and efficacy of non-damage business interruption, says Clarke. “Another point is that material damage as a result of a cyber event was previously unavailable, but it is now among the most important coverages we offer our clients.”
There have also been some major claims in the financial services sector in recent years, especially since 2017, when the emergence of the WannaCry virus highlighted the dangers of ransomware. “It is an old myth that there aren’t any claims or that the market isn’t paying them,” says Clarke.
But while adoption has remained high at the largest firms, it has not always been evident among the smaller hedge funds and boutiques, says Clarke. Insurers have had more success with cyber packages designed to provide a range of services (crisis management, cyber forensics, etc) to deal with an event rather than the large limit policies adopted by the larger firms.
“For these types of firms, insurance takes on a different importance. They cannot be expected to have the capability to deal with a large data breach. These products enable them to call on an external breach response team rather than just looking at it as just a traditional insurance policy,” says Clarke.
Nevertheless, a number of smaller hedge funds still see insurance as a cost and not an investment as they see their organisations as less exposed and are willing to absorb the risk, says Brian Warszona, cyber growth leader in the UK financial and professional practice of insurance broker Marsh JLT Specialty.
Another area that has yet to develop among Europe’s investment industry is the mandating of some form of cyber insurance by either suppliers or clients. Whereas in the US, cyber insurance has in many cases become a contractual obligation imposed by insureds on the third parties within their supply chain, this has not yet happened on a widespread scale in Europe and in the investment management world, says Warszona.
“They should be requesting this of their third-party vendors, of which we’ve seen improvement in the last year. Previously, there was some misunderstanding around coverage within cyber policies and the insurance industry has done a better job of explaining how the coverage works in relation to the interconnectivity of third-party systems.”
And then there is the issue of cost. Competition and abundant capacity have kept cyber-insurance premiums competitive. But there has been a gradual hardening since 2019 as some insurers have felt they have underpriced certain risks. And this is only likely to increase as a result of Covid-19, says Clarke. “There has been a gradual awareness among some insurers that they have underpriced certain risks and there has been an increase in rates particularly higher up the programmes.”
Although the cost of premiums has risen in recent years, Warszona says that cyber insurance is still very affordable, given that most policies offer more than just financial cover. “You get more with a cyber policy than you do with many other insurance policies. Kidnap and ransom is the only other insurance that draws comparison in regards to responding immediately to an event.”
Covid-19 has raised awareness of cyber risk and of cyber insurance, but it may also create some issues over the coverage of existing policies and some wrangling over legal terms, says Warszona. “We have seen some insurers try to put Covid exclusions on cyber policies, but these have been widely rejected by the broking community.”
Nevertheless, firms would be well advised to check their policies in these extraordinary times. “Remote working conditions are dramatically different to office spaces, so there may be a need for clarification of terms within policies,” says Warszona.
“In most cases, it comes down to the definition of a ‘computer system’ in the policy and a clarification of what systems are owned by the insured. No one wants to see a claim for a major organisation denied due to home working and the access point is a personal WiFi.”
© 2020 funds europe