Cyber risk is constantly evolving – cyber insurance is much the same

Published on Sat, 26/02/2022 - 09:33

Be prepared for a lot of questions, says Airmic board member Fiona Davidge, a risk manager for Wellcome, a London-based health charity of global importance.

Cyber risks are ever more complex, so insurers want ever more information for their underwriting. When Wellcome renewed its cyber insurance with an established specialist insurer in 2021, it completed a detailed questionnaire sent by the broker. “For most responses we gave,” Fiona says, “there were three or four requests for more information. It took time and effort to complete, even though this was a renewal. Also,” she adds, “the premium doubled.”

For Wellcome, the rationale for buying cyber insurance is less the indemnity than the immediate access to top-quality expertise in a crisis, which is provided as part of the policy. Fiona says a direct retainer with service providers is an alternative, but she concluded that, in a widespread cyber incident, an insurer would carry more weight than even a major charity in getting priority for its clients.

This thinking also led Wellcome to continue with its existing insurer. Although it would have been possible to switch to a different underwriter, that company was a new entrant on the market with a limited track record.

Cyber today is an enormous operational risk for organisations of any size. Fiona says that the cyber insurance buyer has to know as much as possible about what they are getting, and she warns there is no consistency across providers. Wellcome has an IT team of more than 100 out of about 900 core employees; small companies without that resource will find buying cyber insurance a demanding exercise.

“You need to sit down with the insurer and the broker, and make sure that you all understand each other. You need to scrutinise all insurance contracts, but with cyber it is critical. You have to know what happens when there is a breach, and you should also get the IT security and tech team to read and approve the policy.”

For the insurance industry, these are early days in learning about this risk, Fiona explains. “Insurers are going to ask a lot of questions, and they are likely to charge more money as they learn the extent of the exposures and the level of uncertainty.”

She also reminds risk managers that a security breach leaves a residual exposure. It is not like a fire where a building can be rebuilt, perhaps better than before. “It is never 100 percent resolved; if your information has been taken, you can’t get it back again. Data still has value.”