Cyber: Risk prevention and management are key

For the Belgian leg of this year’s European Risk Frontiers survey, Adrian Ladbury asked sponsor HDI Global’s Belgian cyber and casualty experts – Frank Linguelet, director casualty; Michel Verlinden, underwriter casualty; and Françoise Nyssens, underwriter casualty – for their views on the fast-evolving cyber risk and insurance arena.

Q: Who should be responsible for cyber risk within a corporation? How should this risk be most effectively managed?

A: For the industrial sector, the IT department is obviously in the driving seat. A close relationship with the risk manager and the chief operating officer is also important to make sure that the measures and decisions taken are coherent and enforced within the company structures. In that sense, the role of data protection officer brings a huge added value for IT security and cyber risk protection and should be promoted, certainly in the industrial segment.

Ideally, internal security managers or similar functions should also be involved in the process. Cyber risks are increasingly regarded as strategic issues, and as important as topics such as compliance or financial audits. Going forward, cyber protection is not only a question of third-party protection (risk of doing business), but also about protecting the company’s own assets (first-party protection). Therefore, risk managers should be able to take crucial decisions independently from the IT department, in direct contact with the board.

The same can be said for SMEs. However, the size and structure of smaller companies do not allow, in most cases, for an internal organisation capable of handling this process. External support, such as cyber experts and specialised insurers, will provide an efficient and affordable solution.

Q: What cyber risk is insurable and what is not insurable in your view?

A: It all comes down to the IT maturity of the company. By using proposal forms or questionnaires, insurers obtain a better knowledge and feeling about how cyber risks are perceived by their clients.

But cyber insurance needs to be regarded as complementary to the loss prevention process and not as a replacement for any IT security measures. A high level of awareness of risks within a company is always beneficial. A better knowledge of the risks and exposures will open the way to improved and more creative solutions.

Proposal forms are also an opportunity for a company to think about its own risks. It may be a first step towards an exciting cooperation between the client, broker and insurer, often involving consultants.

Q: Is there adequate cyber capacity currently and is this fairly priced?

A: Cyber insurance is an emerging market in Europe, and certainly in Belgium and Luxembourg. Large capacity is available. Some capacity is provided by insurers without local representation in our market. This might be a problem with respect to the quality of the services provided to the insured because clients need a close relationship with their insurers and need to be confident they can deliver the critical services such as claims handling. Trust in the financial and technical strengths of the insurer is also crucial. Without this, there can be no true partnership.

We currently see pressure on the pricing of cyber insurance and this leads to great concern about the quality of the services available and sustainability in the long run.

Q: How should insurers help risk managers prevent and manage cyber risk?

A: Insurers support their clients with improved risk management, as well as advice on exposures and liabilities, but they also assist their clients with risk assessment pre-incident plans, often with the support of consultants. This is especially true for SMEs.

In times of financial pressures, it is not easy to spend money on expensive IT measures. It is important to avoid useless expenses. Dialogue and partnership lead to trust. Based on that trust, insurers will offer guidance to their clients in order to improve the quality of their investments. Clients can then make the right choices that will improve their own protection and this will also have a direct impact on their insurance conditions.

Q: What proportion of cyber risk is currently covered and where are the coverage gaps that you would like to see filled?

A: A large proportion of cyber-related risks are already insurable in our market. Third-party risks are covered as well as first-party exposures, such as the reputational rehabilitation costs, legal assistance, forensic investigations to determine the root cause of the failure, mitigation costs and continued support to clients even without claims.

Because the world is becoming more and more complex, cyberinsurance will need to evolve, together with the development of our insureds. The skills and technological resources of the perpetrators of cyber risk are also constantly growing. Insurers therefore need constant improvement too.

The coverage has already evolved significantly. There has been an accumulation of side coverages, including extensions for non-cyber-related events or breaches. We have to consider these adaptions very carefully. Firstly, because the consistency of the coverage is at risk and, secondly, this could lead to additional pressure on the premiums and consequently a deterioration in the sustainability of the protection offered.

Q: Should governments create cyber pools as with terror and natural catastrophe to help foster the growth of a more vibrant cyberinsurance market?

A: As capacity and efficient solutions exist already on the market, we don’t see any necessity for creating pools for cyberinsurance. To fix conditions of coverage through the creation of pools would probably dramatically limit the flexibility and creativity of the solutions available in the market. Rather than creating such pools, it could be useful for governments or supranational authorities to promote the creation of taskforces or workgroups in order to improve cyber risk awareness and share experience on a broad scale.
