In an era in which almost every aspect of every business is dependent on digital technology and the internet it is only natural that companies should spend more time thinking about how they can protect themselves from cyber losses.
However, while most boards will readily comprehend the dangers of fire, flood, crime, product or service failures and of course, legal action against directors and officers, far fewer really understand cyber risks – or how those risks relate to the companies they help govern. This is not meant as a criticism, it merely reflects the speed with which these concerns have risen up the agenda, the complexity of the subject matter and the pace at which new cyber risks evolve.
Nonetheless, responsible business leaders are attempting to grapple with these issues with the aim of making their organisations more resilient. A great deal of that effort will be spent on putting in place technological and behavioural solutions, but some will also focus on accessing reliable forms of risk transfer via specialist insurance.
What might make 2021 different?
Market participants and commentators have long hailed the moment at which cyber insurance entered the mainstream and became a default purchase for most companies. In truth, reality has not quite kept up with expectations. In August 2019 the Association of British Insurers found that the UK cyber insurance market was one tenth the size of that for pet insurance, and noted that only 11% of businesses had a specific cyber insurance policy in place. Despite this modest uptake we believe that 2021 will be the year that cyber insurance comes of age.
There are a number of factors behind our prediction. Firstly, cyber risk is changing. A recent report from the insurer Hiscox, demonstrated that cyber losses had grown from $1.2bn in 2019 to $1.8bn in 2020. Despite this, the reported proportion of UK firms affected by a cyber loss actually decreased from 55% to 30% while the median size of loss for those firms shot up from $10,000 to $46,000. This may reflect the increasing sophistication of cyber criminals, but it is also a reflection of the ever-increasing dependency on connected digital assets.
The second key factor is Covid-19 and its impact on business practices. The rapid move to home working would not have been possible without the widespread adoption of relatively new technologies. While these have been a tremendous boon, they also bring with them a new set of vulnerabilities and risks. Based on more recent data than the Hiscox report, cyber security firm Nexor reported that the UK saw a 31% uptick in cyber crime in the first phase (defined as May to June) of the pandemic alone. It would be very surprising if this trend had not continued throughout the remainder of the year.
Finally, there is a third factor that Mactavish has flagged in previous articles, but that most buyers remain unaware of: ‘silent cyber’. This reflects a change brought about by a Lloyd’s mandate in the second half of 2019. Put simply, many non-specialist policies contained elements of cover for cyber related losses, however, the extent of coverage was often opaque and open to interpretation. The mandate addressed this problem by requiring underwriters to explicitly state whether these policies did contain cyber cover and, if so, which types of loss event were covered. Unsurprisingly, this led many insurers to simply remove all cyber cover from their policies. This has had a significant knock-on impact on other classes of insurance (as we discuss here), but it also means that many buyers may now not have cover that they assume is in place. Once policyholders realise this (hopefully without incurring a painful uncovered loss first), we would expect a marked rise in the number of companies that buy standalone cyber policies.
Are there any limits on the uptake of cyber insurance?
Unfortunately, at precisely the moment at which demand is picking up, the industry’s ability to supply cyber cover is coming under intense pressure. The long soft market that has been in place for over a decade and a half has now come to an abrupt end. Prices are spiking across many classes of insurance as insurers look to protect themselves by withdrawing capacity from the market. This, in turn, means that underwriters are in the enviable position of being able to pick and choose between the risks they agree to take on. Naturally, risks that are less well-understood – and that are demonstrably increasing in severity – are unlikely to attract the most interest.
It is important to understand that this applies equally to small and large companies. The corporate behemoths will likely experience a reduction in the limits they are able to buy, leaving some of their risks uncovered, while SMEs may struggle to get any useful insurance at a reasonable price. As is usually the case, new capacity will eventually enter the market, but that is unlikely to occur in the first half of 2021. In the meantime, businesses that have come to realise that they are 15 times more likely to suffer a cyber loss as they are a fire-related loss (according to Hiscox’s report) will be left underserved.
Next week we will publish some practical guidance on how policyholders can navigate this evolving landscape. In the meantime, if you have any concerns about your cyber exposures our team is always here to help.