Cyber insurance is not perfect, but the market is offering decent coverage with a strong claims performance. This was the overriding message at the lively cyber debate, chaired by Georgina Wainwright, market development manager at Airmic.
"I think the products work, but we have a horrendous PR problem," observed Graeme Newton from CFC Underwriting. A large part of the problem, he argued, is a lingering misperception that cyber policies don't pay out. In the past year, over 1000 cyber claims have been paid, he noted, and the percentage of claims that were turned down was lower than any other peril.
Paul Gooch from Tokio Marine Kiln agreed, noting that Lloyd's has paid £300 million of cyber claims since 2013, and his own company has paid £100 million in claims since it started writing this class.
The NotPetya cyber-attack in 2017 was particularly damaging to the market, according Mr Gooch. Three high profile insurance claims were denied on war exclusion grounds, which many wrongly assumed were cyber policies. In fact, the denied claims were for property and kidnap & ransom. The lesson to be learnt, he commented, is not that cyber doesn't pay, it's that you shouldn't "shoe horn" a cyber exposure into a property policy.
What does cyber mean?
There is a lot of confusion about the meaning of the word cyber, according to James Tuplin from AXA XL. Businesses hear the phrase "cyber insurance" and expect an all-in cyber policy that covers everything. In reality, cyber is a peril, just like fire is a peril, he explained. Fire requires different types of policies, and so does cyber: "It's not an all-risk policy. We need to think about cyber a peril."
We therefore need a "new language" to better express the nature of this complex insurance class, argued Mr Tuplin. Distinguishing between direct cyber (today's cyber insurance policies) and indirect cyber (all other policies that may also cover cyber) is a useful start, he argued. And while he believes the market offers "pretty good" direct cyber cover, "indirect cyber is where the cover needs to grow further."
Shannan Fort from Aon agreed. "This is a living and breathing market in that it is changing and evolving...The cyber market is trying to fill in the gaps through the indirect cyber cover. We are at a crossroads and need to decide where indirect cover sits."
The risk manager's role
The panel noted that the risk manager also has an important role to play, not only in achieving the best cover, but also responding appropriately in the event of a cyber incident.
The onus is on risk managers to speak to people in the business to thoroughly map their cyber exposures, according to Grieg Anderson from law firm Herbert Smith Freehills: "Risk managers can't liaise with their broker in a vacuum."
Insurance can be of great support to risk managers in the immediate aftermath of a cyber event, Ankura's Richard Patterson argued. The first 24 hours is crucial and "pretty much determines the final outcome". Crisis management teams can benefit from bringing experts in to bring "confidence and calm" and this is where insurance is vital, he said.
One area in which all agreed that reform is needed was on the thorny subject of cyber insurance forms which are notoriously burdensome. Many participants in the room noted the laborious nature of cyber applications.
"We know, and we are desperately trying to make it better", Mr Newton conceded. Ms Fort agreed, noting that the challenge stems from the fact that "there is not a consistent method of underwriting". Insurers are aware it's a problem and are trying to address it, she stressed.