Progress in cyber cover is poorly communicated, claims Airmic
Increased dialogue is therefore needed across the risk transfer chain to make the most of recent developments, the risk management association said.
The report coincides with a survey by Marsh and Chubb Insurance that found cyber risks are misunderstood, despite a growing concern among risk managers of the threat they pose. It says cyber risks are yet to be fully integrated into risk management strategies.
Airmic’s Review of Recent Developments in the Cyber Insurance Market, released yesterday, concluded that ‘cyber insurance is now a more cost-effective risk transfer mechanism than was previously the case’.
hide
Unveiled at the association’s annual conference, the report also finds there have been big advances in the ‘range’ of cyber insurance products available for both first-party and third-party exposures.
It says that typical limits of indemnity for cyber exposures range between £1m and £5m in the UK for the primary layer, with capacity of up to £100m available. In the US, primary layers are around $10m, with greater total capacity available.
“In the last couple of years, the market has developed considerably, both in terms of the scope of cover offered and a wide range of cyber risks, and also in terms of affordability and limits available. The cyber risk market has extended and aligned itself much more clearly with what insurance buyers and risk managers are looking for,” said Airmic Technical Director Paul Hopkin.
However, it seems this positive message on cyber insurance development needs to be communicated loud and clear because many insurance buyers remain in the dark about improvements in cover. A lot of buyers have not been made aware of what is available, the report says.
“We found that many buyers were simply unaware of the speed with which the insurance market has developed, which indicates the need for improved dialogue between risk managers, their brokers and underwriters,” added Mr Hopkin.
“If there is a criticism of the insurance market in this area, it is that although they have made a lot of advances, perhaps insurers haven’t communicated these as effectively to Airmic members as they should have done,” he said
The association now plans further discussions with its members and partner organisations about future product development to ensure insurance solutions continue to develop.
Although the report found that organisations are looking more carefully at the range of cyber risks they face, both in terms of first party and third party liability exposures, it urges risk managers to develop internal relationships, especially with their IT departments, so that cyber risks can be effectively managed.
“Risk managers need to play a more influential role in the management of these risks and, to do so, should be consulted at an early stage about any IT developments within their organisations,” said Mr Hopkin.
Separate research from Marsh and Chubb also suggests risk managers need to do more to get on top of cyber risks.
“Despite mounting concerns about cyber risk and the potential financial and reputational consequences of information security breaches, leading organisations across Europe are failing to integrate cyber threats fully into their risk management strategies,” said the companies in a joint statement.
According to their survey, conducted at Marsh’s annual Communications, Media and Technology (CMT) conference, risk managers are more concerned about the threat of cyber risks to their organisations than 12 months ago. Sixty-nine per cent of the CMT, financial services, insurance and law delegates questioned said that their concern over cyber risk has increased over that period.
Although there is a rise in perceived cyber threat, Marsh said the survey suggests that awareness and understanding of cyber risk among the insurance and risk management community ‘remains low’.
Over half (54%) of respondents did not know whether their organisation had been subjected to a cyber attack in the last 12 months. Only 41% said that their organisation had estimated the financial impact of a cyber attack.
Fredrik Motzfeldt, CMT Practice Leader for Europe, the Middle East and Africa (EMEA) at Marsh, commented: “Risk managers are right to be concerned about cyber risk. These threats will become considerably more acute for organisations as a result of our growing dependence on technology and web-based solutions such as cloud computing.
“Despite these concerns, risk managers continue to have a minority stake in the management of cyber risk. Our research found that 33% of respondents believed that the IT department was responsible for cyber risk management in their organisations, compared to only 13% who thought it was a matter for the risk management function,” he added.
“Cyber risks pose too great a risk to the continued success of organisations to be misunderstood. Closer alignment to the risk management function is a vital first step to countering this threat and ensuring that a risk-based approach to IT investments is adopted,” he concluded.
Backing up Airmic’s assertion that many risk managers believe insurance cover for cyber risk remains inadequate, only 11% of respondents felt confident with their current cyber insurance provision. Only 21% stated that their organisation currently even buy cyber insurance cover. “This raises questions about the insurance industry’s ability to respond to cyber threats,” said Marsh and Chubb.
Richard Lambert, European Technology Insurance Manager, Chubb Insurance said: “Changing technology and the increased value of data are presenting new risks to business. Cyber risk is just one of many emerging hazards resulting from the increased digitalisation of society, where everything from bank to health records is stored electronically. The insurance market response to this is to see an opportunity to develop new products and provide risk solutions to business—product innovation is key. The fact that only a minority of those surveyed felt that the cyber insurance available in the marketplace today is meeting their needs is a clear call for continued dialogue between the business, legal and insurance communities.”