“We are still seeing businesses unaware of the costs they could incur should they suffer a breach ”
At the moment, we would agree with AIG CEO Peter Hancock’s recent statement that cyber capacity is still lacking, because most businesses show a serious lack of concern about the threat posed by cyber.
As a broker operating globally, we are still seeing regions where businesses are unaware of the costs they could incur should they suffer a breach.
For businesses that store card details (which have to be PCI compliant) the average cost of a breach is around $70,000.
Of the SMEs subject to PCI regulation that suffer a breach, 70% close within a year because of the costs they face. In spite of this, the recent UK government report on cyber security showed that less than 10% of UK companies have cyber insurance.
A clear picture is being painted: businesses are unaware of the cyber threat, which leads to low demand for cyber insurance, and insurers offer inadequate policies to the minority of businesses that request them.
We are starting to see certain classes of business which have a greater need for cyber insurance than others. One is the retail industry, which can be prone to large losses due to the nature of data (PII, credit card) that they hold. Another is the public sector and healthcare industries, both of which are prone to damaging losses if PHI and payment details are exposed. There is a lack of capacity here as insurers are less inclined to underwrite organisations with large amounts of patient data.
So what is causing this insufficiency? One factor is a lack of security procedures: many types of organisation lack even the basic procedures that would prevent simple breaches from occurring. Without these, many insurers will tend either to decline the risk or to write overly large premiums to mitigate against it.
Another reason is the ‘finger in the wind’ factor being followed by many insurers. With only a small number of large breaches recorded so far, many underwriters tend to follow the actions of others. As cyber insurance is still only offered by a small pool of insurers, this means that the capacity being offered is normally limited by this tentative attitude to quoting.
Around the world there are differences between regions in terms of how much cyber is being written. The US is certainly leading the way in terms of cyber capacity, as it is the most advanced in terms of regulation and penalties. The UK is catching up, although we have yet to see a major UK company suffer a high-profile breach, which is often what triggers a rush for insurance, as we have seen in the US with Target, Sony, Anthem, JPMorgan and so on.
As we see more breaches I would expect to see a change in the amount of cyber capacity available. As the level of awareness rises, this should in turn create more demand for this type of insurance. As the type of cyber attack changes, we will see more policy crossover, for example D&O policies including some clauses on cyber, and also standalone cyber policies including more aspects such as terrorism as the need arises – so watch this space.