
Address by James Dalton to the Westminster eForum Keynote Seminar: Cyber security in the UK: policy and technology priorities

Introduction

Good morning and thank you to the Westminster eForum for the invitation to be with you today.

In an increasingly inter-connected world in which people produce enormous quantities of data on a daily basis, insurers have had to respond to the challenges that the digital environment brings. And to help serve our social and economic purpose, insurers continue to develop product offerings to respond to these challenges.

Cyber insurance policies

Cyber insurance is the latest of these product offerings.

And in the week after one of the largest and highest profile cyber attacks ever faced, there has been an important wake-up call for many Governments and businesses across the globe about the critical importance of effective cyber security. Most of the headlines here focussed on the impact on the NHS. But many businesses were also affected by last Friday’s ransomware attack, highlighting the importance of cyber insurance in helping businesses manage the risks they increasingly face.

Cyber insurance comes in many different shapes and sizes, dependent on the policy offered and the specific needs of the business customer in question. But most cyber insurance policies have the following as common features:

  • Cyber business interruption loss: whereas traditional business interruption insurance covers a business for losses resulting from a physical event, cyber BI policies cover losses resulting from a business being offline.
  • Privacy breach costs: covering things like the costs associated with notifying customers of a data breach, responding to regulatory bodies and public relations support.
  • Forensic incident response: this covers the immediate 24/7 support from cyber specialists that insurers provide to their customers following a hack or data breach.

So insurance can, and does, help many businesses prepare for, and manage, cyber risk.

Challenges for cyber insurance

But as a relatively new product offering in the UK, the cyber insurance market faces several challenges. I wanted to cover four of those challenges with you today and set out what we as an industry are doing to address them.

Low awareness and low demand

The first challenge is the low level of awareness amongst the business community, especially small businesses, of the cyber risks they face and, consequently, the low level of demand for cyber insurance.

As cyber-related threats grow, insurance can help build resilience, but this message needs to be better understood by businesses, brokers and the Government. With reports suggesting that almost half of all UK businesses suffered a cyber attack last year, we are looking to actively promote the availability of cyber insurance as one part of the toolkit for businesses in managing cyber risks. To this end, we recently published a Cyber Insurance Guide for SMEs and high street insurance brokers, where expertise on cyber is limited.

The ABI has met regularly with the newly established National Cyber Security Centre (part of GCHQ) on the role of insurance in helping businesses mitigate their cyber risks. Earlier this year, the Joint Committee on the National Security Strategy undertook an inquiry into cyber security. In our response we highlighted the role insurance can play in building business resilience and how the Government can work with insurers to achieve this. And it was good to hear former Prime Minister, David Cameron, speaking at the British Insurance Brokers Association’s annual conference last week, recognise that the Government needed to help insurers to tackle cyber threats.

We will continue to raise the profile of cyber insurance in our meetings with Ministers and Parliamentarians after the election; continue to work with other trade bodies across the business and insurance communities; and work with all of you to ensure that knowledge of the available products is better understood.

The lack of robust data on cyber risk to inform pricing and underwriting

A key issue with cyber insurance pricing and underwriting is a lack of robust data on cyber risk. Insurers’ own claims data is relatively limited at present, and there is no suitable external data source to help inform pricing.

This year we have mapped out with our members the types of data that would be helpful for the industry to have in order to accurately price cyber risk. And we have called on Government to collect this information, more than likely building on the mandatory breach reporting required by Europe’s General Data Protection Regulation from 2018. Without data on cyber losses, it will be hard for insurers to accurately price cyber risks and this will hinder the availability and choice of cover available to business.

So we are very pleased that, to date, conversations with the Department for Culture, Media and Sport and HM Treasury have indicated that they are firmly supportive of our proposal. We want to build on this support in our discussions with the Information Commissioner’s Office as they implement GDPR. So we have arranged a joint workshop between insurers and the ICO on the data fields and formats that will best meet these objectives. That workshop takes place at the ABI tomorrow. Clearly, the devil is in the detail and will require collaboration so the industry has access to the right information to best help insurers support the business community through the right insurance products.

Silent cyber

There is increasing concern that insurers have significant implicit exposure to cyber underwriting risk within traditional insurance business lines such as aviation, Directors and Officers, professional indemnity, property and motor insurance. More commonly referred to as “silent cyber” exposure, the potential examples of such exposure could be a cyber attack on a firm resulting in a loss of customer data where a company’s Directors are found to be negligent or, in the future, an autonomous vehicle causing an accident as a result of being hacked. 

The Prudential Regulation Authority has recently consulted on a new supervisory statement, setting out its expectations for the prudent management of cyber underwriting risk. Insurers must, of course, understand the risks that they are taking on. But given the evolving nature of these risks and their non-uniform treatment by the marketplace, it is important for the PRA to allow the industry time to converge on common best practice approaches. It does serve as a useful reminder, however, that regulatory pressures can lead to changes in how products are offered.

Aggregation of cyber risk

The fourth challenge that insurers are grappling with is that of aggregation. This risk can manifest itself in one of two ways. Firstly, the aggregation risk could occur across policyholders, many of whom could potentially be covered by the same insurer. We saw this in the WannaCry attack which affected a wide range of different organisations across the globe. Another example occurred earlier this year when human error at Amazon’s cloud computing division disrupted hundreds of thousands of websites over a four-hour period. Secondly, there is an aggregation risk across various lines of insurance business where there may be elements of invisible cyber exposure. For example, where a hack on the national grid results in claims in diverse areas across personal and commercial insurance.

In order to manage the enormous costs posed by these aggregation risks, some have called for a Government scheme to be set up to provide a backstop – a Cyber Re, if you will, similar to the Pool Re scheme operating for terrorism risks. Now is not the time for a Cyber Re scheme. But if last week taught us anything, it should be that it is increasingly likely that such a model will one day be needed. And when it is, it will need to be rolled out quickly so the work to understand how such a scheme might work in practice needs to start now. The ABI will continue to work closely with Lloyd’s and other London insurance market bodies on the scoping work for how a Cyber Re model might work. And, of course, the Government will have a critical role to play.

Conclusion

In conclusion, I hope in the relatively short time available I’ve provided you with an overview of how insurers are responding to one of the key threats associated with increased digitalisation in terms of the development and roll out of cyber insurance products. There are a number of challenges and policy issues ahead as the market continues to develop. And I hope that events like today’s conference will continue to provide a useful forum for the insurance industry to work with all of you to address these challenges in the months and years ahead. 

Thank you. 


Last updated 18/05/2017