Buyers rally against standalone cyber market
Leading risk managers have urged the insurance market to cover cyber risks in existing policies rather than develop a standalone product that they say will be a hard sell internally, create great confusion and could lead to paying for the same protection twice.
The risk managers are prepared to pay extra for cyber cover in existing lines and hope insurers will come around to their way of thinking once they realise this revenue stream is on the table.
The calls come as the risk transfer industry ploughs ahead with creating a standalone cyber insurance market. Only last month JLT claimed this is the best way to deliver the depth and breadth of cover organisations now demand. But risk managers will be pleased to hear that the property market is making strides to include cyber protection within its policies.
Lennart Edström, vice-president – group risk management at AB Electrolux, told Commercial Risk Europe that the insurance market has a “huge desire” to create a standalone cyber market. But he is strongly against this approach.
“I am opposing this 110%,” he said. “In property cover we have some named cyber elements and some elements that are not named cyber but are related. We have cyber elements in the casualty programme that is covered today, and it is a similar story across all sorts of different insurance policies. The insurance market is now intimating that it would be better to transfer cyber risk on a standalone basis. I oppose that – I don’t want or need to buy double capacity for the same risk.”
He concedes that standalone cyber cover may work, and be needed, for some industries such as banking, where cyber risks do not necessarily fall neatly into existing lines. But he believes this is not the case for the majority of industries.
“If you invent a completely new line of insurance, it is going to be a hard sell internally for buyers. Insurers need to understand our internal struggles. I think most risk managers would prefer to have cover in existing programmes and I think the market is starting to listen to our concerns on this issue,” continued Mr Edström.
He advised fellow risk and insurance managers to identify their organisations’ cyber risks and then approach the market to work out what is covered by existing policies and what is not. Buyers should then make it clear that they would prefer any residual risk to be covered through existing lines, he argued.
“I don’t want a situation where part of the risk is covered in the existing programme and the other part needs to be covered in a standalone programme. The market needs to rethink this. I don’t think they really know which way to go right now. I think we as risk managers need to help them and strongly encourage adaptation of existing policies rather than a brand new coverage,” said Mr Edström.
He believes a key reason why insurers resist incorporating cyber into existing programmes is they don’t think they will be able to get extra money for the coverage.
“But they are wrong,” said Mr Edström. “They will get extra money for it if they provide the cover. When this becomes clear to them, I think insurers will come around to my way of thinking.”
Fellow risk manager Fredrik Finnman is equally unimpressed by insurers’ attempts to create a new line and coverage for cyber risk. He argued that cyber exclusions to existing policies in favour of standalone cover will create confusion. Like Mr Edström, he made it clear that buyers are prepared to pay for any new risks that are incorporated into existing lines.
“We don’t want to see a development where policies start to exclude hacker attacks because that will complicate matters. We are prepared to pay for any new risk coverage, but we just want that to be rolled into existing coverage to stop things getting out of control,” said Mr Finnman, who is group risk and insurance manager at ASSA ABLOY.
“We see insurers increasingly try to carve out cyber exposures from existing liability policies and put them in standalone cover. We also see that on the property insurance side. What we want to see is insurers expanding on the existing coverage to include cyber risks. If you think five to ten years ahead, every piece of machinery in the manufacturing process will be connected to the internet and everything will be cyber related. So what are we supposed to do then? Only buy cyber insurance? Some insurers are expanding on existing coverage, which is what we want,” he added.
Melinda Johansen, group risk and insurance manager at engineering group FLSmidth & Co, would also like to see cyber risks covered through extensions to existing policies. She is then happy to see cover on a standalone basis for new risks, or if they are not related to another line.
“If you were looking at shut down of operations, then it would be great if you could get cyber attached as an extension to a property policy covering business interruption. But this is not going to help you if someone is holding you to ransom over data. So where it is relevant and makes sense in terms of exposure, it would be great to have extensions on existing coverages. But when there is new risk not related to another line, it makes sense to have it on a standalone basis,” she argued.
Most risk managers we speak to are critical of the insurance market’s desire to create a standalone cyber market. Yet the risk transfer industry seems determined to push ahead with this approach. Many believe the insurance market sees this as a way to secure new income, and of course it is only fair that organisations pay to cover genuinely new risks. But as risk managers have argued, there is the opportunity to charge for this through extensions to existing policies.
But only last month JLT reiterated the market’s desire for a standalone coverage, arguing this is the best way for the risk transfer industry to be comfortable with cyber risk and therefore deliver the solutions that organisations demand.
In a Viewpoint Report launched at the RIMS annual conference in Philadelphia, JLT and JLT Re state that carriers are being held back from providing these solutions by concerns over unquantified cyber exposures potentially buried in traditional policies.
They believe that more resilience to cyber risk, for both policyholder and carriers, can be created by considering cyber as a standalone line of business rather than a peril.
JLT notes that this shift would benefit insurance buyers by delivering “greater certainty, expertise, capacity and stability from the (re)insurance market in a complex and growing risk area”.
Sarah Stephens, head of cyber, technology and media E&O at JLT, commented: “Insurance solutions for cyber risk can differ considerably from one company to the next, reflecting the view that cyber can either be considered a peril that falls within traditional P&C products or a line of coverage in its own right.”
“But in order to address buyers’ changing needs, we see the standalone market as best placed to facilitate innovative and comprehensive solutions for future cyber risks. As more premiums flow into the standalone market, carriers will be able to evaluate and price risks more accurately as good quality claims data and sophisticated modelling tools become increasingly accessible. This, in turn, will help ensure the market is better placed to trade through future systemic losses by encouraging innovative reinsurance and insurance-linked securities structures,” she added.
Ms Stephens continued: “A more robust cyber market, with comprehensive standalone policies at its core, would also help eliminate the risk of silent exposures and, ultimately, make the market more resilient to future catastrophic cyber losses.”