The more things change – cyber and D&O Insurance

Published on Thu, 12/11/2020 - 10:45

Authored by Ben Hobby, Partner, Baker Tilly

It was the French writer, Jean-Baptiste Alphonse Karr, who first wrote “the more things change, the more they stay the same” back in 1849[1]. It’s such an evocative line that many musicians have used it in their songs, including artists as diverse as Bon Jovi, Rush, Jay-Z and Willie Nelson. The line also springs to mind when considering cyber and Directors’ and Officers’ (D&O) insurance – I know it may not seem obvious on first review but bear with me while I explain.

Sometime back in 2015 I wrote an article where I queried the extent to which insurers may be able to use D&O insurance as a crude mechanism with which to drive the take-up of cyber insurance. The theory behind this was that every company has an IT risk, given our reliance on IT for continuing commercial operations, meaning that every company has a cyber risk.

The relevance to D&O was this: if a company was quoted on a stock exchange and then suffered a cyber incident but had not bought a cyber policy, then the share price would fall, possibly resulting in legal action by those shareholders. As the costs of such a court case would probably fall to the D&O policy, then perhaps D&O underwriters might be interested to know if their prospective policyholder also bought cyber. If not, then the premium quoted under the D&O policy would increase automatically.

In writing that article I readily acknowledged that this approach was using a sledgehammer to crack a nut. However, in the intervening five years what, if anything, has changed?

Well, in terms of world events, a lot has happened. We have had Brexit, the election of President Trump, a worldwide pandemic and, on a lighter note, the previously unheralded Leicester City winning the English Premier League. It has certainly not been dull.

In terms of cyber insurance, a huge amount has changed. Back in 2015 cyber was perhaps seen as a niche product. The WannaCry and NotPetya events of 2017 highlighted the value of these policies and this moved the product more towards centre stage. However, the fact that the Association of British Insurers (ABI) reported in 2019 that only 11% of UK companies were “thought to have a specific cyber insurance policy in place” indicates there is still some way to go.

In addition, underwriters have seen such an increase in ransomware claims[2] that the number of limit losses that are occurring is increasing. Consequently, premium rates are hardening and insurers are either amending their risk appetite or, in the case of some carriers, leaving the cyber market altogether.

But why are we seeing so many limit losses? It’s fair to say that some of this will be driven by the fact that ransoms are becoming ever larger, with a number of recent reported demands being in the millions of pounds, sometimes tens of millions. However, not every ransom is paid so that can’t be the only factor at play here.

One point that is contributing to this growing trend of limit losses is the simple fact that a company’s cyber exposures are unlikely to have been properly identified, understood and quantified. For example, regarding the threat of a ransomware attack, have the board and/or senior management given any thought to the following:

  • The impact that this may have on the IT network
  • The length of time that it will take to restore IT functionality to business as usual
  • How the business is going to operate during the period when a) there is no IT and b) when there is limited IT functionality
  • What the likely customer reaction will be to the incident

If the answer to any or all of the above is no, then there is probably a strong argument that the board has not properly discharged its responsibilities. If the answer is a partial yes, but the exercise has not resulted in the purchase of a cyber policy that is the result of a proper risk transfer analysis, I query if the board has done its job properly.

However, even if the answer is a resounding yes to all of the above and a policy has been bought, the wording of which has been compared to the actual risks faced by the company following a proper policy selection process, the board may still be at risk from a shareholder action if the sum insured is less than the actual financial loss, leaving the company, in effect, with an uninsured exposure.

And this is where D&O insurers still have a role to play. Given that the cost of defending a shareholder action could never be described as “cheap”, it is not unreasonable to think that questions around a company’s cyber security stance should form part of the D&O proposal form. Any indication that the board has not properly discharged its cyber responsibilities leads to an increase in premium that is only reversed once appropriate corrective action has been taken. And part of this corrective action will usually include the purchase of a cyber policy that matches the company’s actual needs.

Given the above, don’t be surprised if, in future, cyber and D&O underwriters start to work in a more collaborative way. Yes, this is still using the sledgehammer as a bit of a nutcracker but the view that I set out back in 2015 of the role that D&O can play when it comes to cyber security would seem still to be valid - plus ça change, plus c'est la même chose.

[1]plus ça change, plus c'est la même chose

[2] COVID-19 is not the only pandemic that the insurance industry is currently having to deal with