The sophistication, frequency and severity of cyber losses are growing. As the economy has increased its dependency upon technology, exposure to Cyber losses has surged. As hybrid working has become the new normal, and with an over reliance on an ever integrated global supply chain, the attack surface for criminal activity has expanded. These foundational changes to the way we work has further increased organisational exposure to growing systemic risks. Threat actors are using these expanded threat surfaces, and new tactics, to expand their scope to cause harm.
Ransomware events also continue to grow significantly and remain a worry for both clients and insurers alike. A recent insurer report found that ransomware events have increased dramatically in recent months, up 323% from Q1 2019.
This raises the question of how businesses are dealing with their cyber risk. Historically, businesses have chosen to manage their exposures by investing in their IT systems to defend against cyber-attacks, as well as focusing on the education and training of staff against cyber threats. Alongside this, businesses may have relied on the expectation that their existing insurance policies provided some element of cover for their cyber exposures, however regulatory changes over recent years have meant that insureds have needed to reconsider this approach.
Regulatory changes
In 2019, the Prudential Regulatory Authority (PRA) advised all UK insurers that they must have “action plans to reduce the unintended exposure that can be caused by non-affirmative cyber cover”. Lloyd’s also advised that all policies must be clear on whether coverage is provided for losses caused by a cyber event. The intention was to eliminate silent cyber exposure and with it the doubt and uncertainty that existed around coverage. As a result of this, Insurers must now explicitly exclude cyber exposure where appropriate, or affirmatively cover it.
What we have seen over the last few years is insurance policies being re-drafted to accurately describe what cyber cover (if any) they will provide. For example, where historically some protection may have been afforded under widely worded Professional Indemnity insurance policies, cyber exposure is now routinely excluded by insurers.
Due to the regulatory changes and as a result of the increasing reliance on technology to conduct business today, we have seen an uptake in the demand for standalone cyber policies. There are various products available in the market that will provide appropriately tailored and value for money cover for those firms that wish to understand, address and where appropriate transfer their specific exposures via an insurance solution.
Cyber Policies
Cyber insurance is designed to protect businesses against financial loss resulting from a range of cyber events, including extortion, data breaches, and system interruption. Cyber insurance is of growing importance because as businesses increasingly use technology to operate, the digital assets they hold are becoming more valuable and therefore more vulnerable.
Cyber policies are generally split into three categories: first-party losses; cover for incident response costs; and third-party losses. First-party and incident response cover provides an indemnity to the insured and includes cover for the cost of investigating a cyber attack, appointing forensic IT services to identify and remedy breaches, recovering lost data and restoring computer systems. Third-party cover includes cover for damages and settlements that result from the insured being blamed for causing another firm’s cyber losses and the cost of legally defending the insured against claims of a data breach.
If this area has not yet been considered, we would recommend any business assesses its cyber risk and if appropriate makes enquiries into stand-alone cyber cover. As the world becomes increasingly more reliant on the use of information technology to conduct business, it is more important now than ever to ensure that a firm’s assets, and those of its customers, are adequately protected. For further details see: Cyber Insurance – Griffiths and Armour.
Griffiths & Armour is a leading independent and privately owned UK insurance broker and risk management adviser. If you have any queries regarding cyber insurance or any questions in relation to this article, then please do not hesitate to get in touch.
Article provided by:
Sarah McNeill
Client Services Director
Griffiths & Armour Professional Risks
0151 600 2071
Griffiths & Armour is authorised and regulated by the Financial Conduct Authority.