Insurance Business: Cyber insurance – the "emergency service" for victims of cyberattacks

Mia Wallace, of Insurance Business, sat down with James Burns, head of cyber strategy at CFC, to discuss the need for greater education on the implications of cyber risk.

Cyber Article 9 min Wed, Aug 2, 2023

By Mia Wallace, originally published in partnership with Insurance Business UK on 24th July 2023.

Despite the rapid evolution of the cyber insurance market, it’s still facing a demand-side problem, according to James Burns, head of cyber strategy at CFC. The relatively low level of cyber awareness among UK SMEs – which account for 99% of businesses in the UK – offers a flavour of the cyber protection gap that exists today, he said, and underlines the role insurance businesses have to play in bridging that gap.

“And that’s partly down to recent developments in the insurance market,” he said. “Over the past 10 years, cyber insurers were laser-focused on growing the market. We spent the majority of our time, energy and resources on marketing the hell out of this product. There is bucketloads of training and education for brokers, and insurance conferences where the focus was on selling the product. As an industry, it felt like we were on a mission to make people see the value of this product and realise that they need it, which they absolutely do.”

Burns noted that in 2020, that state of affairs started to change as the threat environment deteriorated drastically with loss ratios going through the roof and insurers turning all their attention to rate correction. Brokers with cyber clients were faced with having to explain why the price had increased so substantially while those that hadn’t started selling the product were deterred from doing so by the perceived volatility of the product line.

The irony is that organisations need this product more now than ever before and its value has been proven time and time again in the billions of dollars worth of losses that insurers have paid out in the past few years.

“That’s undoubtedly had an impact on awareness of the product,” he said. “The irony is that organisations need this product more now than ever before and its value has been proven time and time again in the billions of dollars worth of losses that insurers have paid out in the past few years.

“I think we need, as an industry, to switch our focus back to helping our brokers sell this product to SMEs. There are still huge broking houses out there where less than 10% of their commercial client base is buying a standalone cyber policy which is absurd given that we know this is one of the biggest threats facing organisations today. So, I think there’s a lot of work left to do.”

Cyber as an intangible risk

The problem a lot of insurance brokers face is that until you’ve been at the sharp end of a cyber claim, Burns said, it is an inherently intangible risk. Once a broker has supported a client through a cyber incident, it becomes a lot easier to contextualise what cyber insurance is and what it does but until that point, it’s difficult to understand – and what you can’t understand, you can’t explain to your clients.

“It’s only intangible until something happens and then you see exactly how an attack could impact a business and exactly how the insurance policy and incident response service actually works,” he said. “Obviously, not every broker will have a client that’s had a cyber incident - but a lot do, and it’s a safe bet that most will at some stage soon.”

Burns’ call to action for brokers is to tell the insurance providers they’re with what they need from them in order to do what they do best – supporting and protecting their clients. They should feel empowered to ask for claims case studies, he said, and for support in interpreting those examples. Taking CFC for example, he said, the provider has handled 1,000s of cyber claims and has a wealth of publicly available case studies for essentially every industry sector imaginable.

I think brokers should look to their underwriters, who should also be happy to run through things with them and discuss common objections and why those objections might be misguided.

“So, if you’re a broker that has a commercial customer that fits within a certain industry segment, there are real-life examples that could impact your customers in the same way that they’ve impacted the subjects of our case studies,” he said. “I think brokers should look to their underwriters, who should also be happy to run through things with them and discuss common objections and why those objections might be misguided.”

Burns also emphasised that the pressure shouldn’t just be on brokers reaching out to providers, and he called for underwriters to step up to the mark by being more proactive about disseminating relevant and timely insights to their broker partners. Insurers need to make their education assets and materials as accessible as possible, he said, and to ensure that these are kept up to date.

“I think insurers have been a bit consumed with discussions elsewhere lately and the eye has perhaps been taken off the ball in relation to the fact that we need to start growing the market organically again,” he said. “We’ve seen tremendous growth in the past couple of years but a huge amount of that has come from rate rises and we need to make sure we’re growing the policy count of the market as well.”

Cyber insurance education

It’s critical for insurers to actively engage with their brokers, and to take a proactive stance when it comes to educating the wider insurance market about the “tremendous value” of cyber insurance.

“We need to start instilling confidence that this is a product that is stable and one that’s going to be there for brokers to sell for a long time to come,” he said. “The ‘hard market’ saw tens of thousands of claims costing billions of dollars, which really demonstrated that cyber insurance works – and it’s worked almost too well from an insurer perspective, given some of the loss ratios encountered.

“So, it’s important to note that cyber insurance is not there to replace investment in security controls, it’s quite the opposite, it can only exist sustainably alongside them. We shouldn’t be competing with security companies and brokers shouldn’t see themselves as competing with them. We need to be working together to make sure that clients are adequately protected.”

This broader education piece does take some effort, Burns said, but that effort is rewarded by the increased confidence that brokers have when having conversations about cyber and in turn educating insureds about their own cyber risk profile.

“The underwriters and insurers need to be supporting that confidence by talking about the product,” he said. “Cyberattacks are essentially a form of crime for which there is no emergency service and so a cyber insurance policy is that emergency service. If you think about it in those simplified terms, you realise it’s a product which is sorely needed and a phenomenally broad product which no organisation should be without. So, we do need to get confident talking to customers about this again.”