Beazley Group specialty lines underwriter Jimaan Sane sorts fact from fiction
In the current soft pricing environment, and with increasing numbers of new markets entering the data breach insurance arena, brokers are very much in the driving seat. They can, and do, demand broad coverage for a combination of both first and third party risks.
Over the past decade cyber insurance has evolved considerably. Larger brokers and risk managed clients are increasingly well-versed in the risks posed by data breaches, and the coverage options available. Specialist insurance now covers regulation issues, as well as new risks such as cyber extortion, network and system issues, merchant monthly payment liabilities and policies can be tailored to suit the client.
Education is still required
However, there is clearly still a lot of work to do in educating mid-size and smaller clients about the risks posed, and the cover available, as many are not purchasing this form of insurance. But hackers are indiscriminate in whom they target, and often go for smaller companies as their systems are less well protected. This fact was backed up in a recent report by PwC and the UK government, which stated that 87% of small businesses reported a data breach in 2012, a 50% increase on the previous year.
Part of the problem is that there appears to be confusion about the level of cover provided under more traditional commercial covers, but in reality this is very limited, and over the next few years it seems likely that these elements may be withdrawn.
There is also a need for clients to be convinced that this form of insurance is cost-effective. It is essential they understand that a service-led data breach insurance policy not only provides financial assistance, but also a valuable service in their moment of need should a data breach occur.
A timely reminder
Although exceptional in its size, the malicious attack on US retail giant Target over Christmas is a timely reminder of the scale of the risk faced by a business which holds sensitive, personally identifiable customer information. The points of particular note in the Target’s case are that the hackers used a new and unknown virus to get into the company’s IT system, and the malware went undetected for over 20 days. As a result, Target estimates that between 70m to 110m customers could be affected, and it has offered credit monitoring services to each of them.
In addition to the client notification and credit monitoring costs, there is the IT forensic work that has been undertaken to identify and rid Target’s system of the virus; the impact on its share price; not to mention potential regulatory fines, class action lawsuits from affected individuals; and the massive impact that it has had on the company’s brand reputation.
Times are changing
It is always hard to persuade buyers to purchase a new form of insurance, but times are changing and the impetus to buy is increasing. This will be exacerbated further when the proposed new EU-wide data privacy regulations become law in the next year or so. These changes are potentially a market game-changer and the insurance industry – both brokers and insurers need to be ready.
What is certain is that hackers are getting increasingly sophisticated and daring, their activities know no territorial boundaries and data is a valuable commodity. The insurance market has been proactive to date, developing a range of first and third party covers, and various approaches to help clients. The result is a highly competitive market vying for business.
We all need to play our part in educating insureds as to the options available and the value of these policies. Insureds need to understand their exposures and put in place robust risk management procedures to protect their data and be prepared for a data breach As we always tell our clients,it is not a case of ‘if’ but ‘when’.