[Check Against Delivery]
Good afternoon
Thank you to Baroness Neville-Jones for that introduction and to the Digital Policy Alliance for the invitation to with you today.
Cyber insurance has been on a significant journey since the first policies of this kind were written almost two decades ago. What began simply as insurance to help notify and compensate third parties whose data had been compromised, now covers a much broader range of economic losses that businesses face. To give just one example, it is now not only commonplace for cyber insurance policies to cover business interruption – but also contingent business interruption for losses incurred as a result of cyber-attacks in the IT supply chain. And importantly, cyber insurance is not just about an insurer writing a cheque to cover a loss but is more like a service proposition where the insurer sends in public affairs experts to help corporates to manage customer and media communication as we well as providing expert IT support to repair damage to a customer’s computer systems. Cyber insurance is becoming as essential to 21st Century commerce as fire, employers’ liability or motor insurance was in the 20th Century.
Uptake of cyber insurance by businesses is growing, with a rapid increase in the percentage of medium and larger businesses turning to cyber insurance as a way of managing the risks faced by those firms.
But the cyber insurance market does have its challenges. From within our own industry, the product faces misplaced criticism which we nonetheless need to respond to. Although policy limits are significantly larger than five years ago, for many larger corporates, those limits are insufficient to cover the sheer size of the losses they might face were they to be the victim of a cyber attack. And finally, the cyber protection gap remains vast. While the global cyber insurance market is estimated to be around $4.5 billion, estimates of the total global cost of cyber-crime range from the hundreds of billions to the trillions of dollars.
So, what to do? Raising awareness amongst the business community generally, but the small business community specifically, about the risks they face and the options available to mitigate those risks is critical. The primer we are launching today is an important step forward in this regard as it sets out a strong case for cyber insurance as a catalyst for good cyber security. It feels a bit self-serving for me as a representative of the insurance trade body to tell small businesses that they need to buy more cyber insurance. So, the message about the importance of considering insurance as part of a company’s overall approach to cyber risk mitigation needs to come from both Government and from insurance brokers and both should continue to do more to get that message out.
One of the most significant issues with cyber insurance pricing and underwriting is the lack of robust data on cyber risk. Unlike colleagues in the property insurance sector who can rely on hundreds of years of claims experience, cyber underwriters do not have such a wealth of information. This lack of data makes it more challenging to price risk accurately and manage exposure effectively, which can impact on the products and coverage offered to businesses. Improving the data that underwriters can access is absolutely central to improving pricing accuracy, growing the levels of cyber insurance coverage and ultimately improving the cyber resilience of the economy.
In the US, many States, publish detailed information about data breaches which cyber insurance underwriters use to help them understand and assess the risk faced by potential customers.
We are calling for a similar approach in the UK, based on the data collected by the Information Commissioner’s Office through the mandatory breach reporting requirement under the GDPR. Anonymising this data and providing access to it to the cyber insurance sector is one of the key strategic priorities of our market. We have set out the case for insurer access to this data and our proposals have been well received across Whitehall. Progress in delivering this access with the ICO has not been as swift as we would have liked. Of course, we understand that the ICO has competing priorities, but ultimately a healthier cyber insurance market is good for businesses, good for the economy and, most importantly, good for all of us as customers of businesses dealing with ever increasing amounts of our data. Our ask is for a collective refocussing of minds and a redoubling of effort to get a meaningful sharing of the ICO’s data over the line.
As important as it is to highlight what the market needs, it is equally important to be clear on what it does not. There have been proposals from various stakeholders to impose product standardisation in the cyber insurance market. In our view, these must be firmly resisted. Cyber risk is constantly changing and evolving. As a consequence, insurers need to frequently adapt and change their policy wordings, question sets, and underwriting approaches in order to ensure that they are best serving their customers while managing their exposures prudently in line with their regulatory responsibilities.
Furthermore, the needs of businesses vary widely. There are sector specific coverages, such as for technology providers or the payment services sectors. Depending on the jurisdiction, there will be different legal approaches to issues like the insurability of fines and penalties, as well as different approaches to litigation following a breach of personal data.
It is misguided, therefore, to attempt to impose standards on the cyber insurance market, especially one that is in its relative infancy and one that needs flexibility to respond to an ever-changing cyber risk landscape. The ABI, together with other insurance trade bodies both in London and across the world have worked together and been vocal in our opposition to the ISO standard on cyber insurance currently under development.
So, the cyber insurance market does face its challenges and we are responding as an industry. My hope is that the primer that we have worked so hard to develop, with many of you represented here today, forms an important part of the response to one of those challenges – that of increasing business engagement with the cyber security risks that they face.