Time will tell on cyber

ADD is the Belgian representative of European Risk Frontiers sponsor Worldwide Broker Network (WBN). Commercial Risk Europe editor Adrian Ladbury asked Door Cooreman, account manager – cyber specialist, and Paul Caekebeke, product manager – cyber specialist, at ADD for their perspective on cyber risk.

Q: Who do you feel should be responsible for cyber risk within an organisation?

A: Each individual within an organisation has a role to fulfil, but ultimate responsibility lies with top management. Management must properly inform itself internally (ICT department) and externally (ICT security consultants and assessments) on existing security, risks that exist and how they can be reduced. The ICT department may formulate the necessary proposals to increase system security on the one hand, and reduce the risk of systems failure or a breach on the other. Management must decide on the necessary investments, including physical security, training and the like. Companies can only benefit from investments in safety and security if the entire organisation – every individual within the organisation – deals with the ICT systems with the necessary awareness and according to corporate guidelines.

Q: How should insurers and brokers help risk managers prevent cyber risk?

A: Some brokers offer customers a non-binding ICT self-security assessment of their individual cybersecurity level. Customers can then use the reporting to address problem areas in depth, and take necessary decisions to improve security. Insurers can also provide insured parties with a number of technical tools, without obligations. This may include the provision of online training tools or a vulnerability scan to test the vulnerability of IP addresses.

Q: What proportion of cyber risk can be covered in your view?

A: That is a difficult question to answer. Cyber insurance is a reasonably young product. Insurers in the European market with US roots have been active the longest and probably offer the most comprehensive wordings.

The terms used by the various providers seem to be very similar. But they often do not offer the same qualitative coverage. Thus, brokers must provide customers with correct advice.

The number of Belgian companies that have bought cyber insurance remained limited until the end of 2016. But since 2017, we have seen a sharp increase in the number of offers submitted and new contracts signed. The recent WannaCry virus suddenly raised awareness and made many realise that the risks are real and insurance is no luxury. Belgium still has a lot to do though. Perhaps more than 95% of Belgian companies have not yet signed a policy. This means there is strong growth potential here and a lot of work for the brokers. For clients that operate in multiple countries, it is essential to understand needs specific to each territory. This is why membership of our network is so important.

Q: Where are the coverage gaps that you believe need to be filled?

A: When a major cyber incident occurs, speed of action is critical. Insurers that offer insureds external consultants (ICT and legal) offer a very important service contract. Cyber damage cannot be handled like any other material damage. Many policies exclude failure with a cloud supplier. However, the majority of companies place data in the cloud and rely on external suppliers. It is therefore very important that this is stated in the policy and that the coverage is extended. In many policies, contractual penalties remain uninsured when the insured party failed to fulfill their contractual commitments to customers after a cyber incident. Proper contract management and the provision of coverage in cyber insurance are helpful.

Q: Is there adequate cyber capacity currently and is this fairly priced?

A: The Belgian insurance market has sufficient capacity to offer customers desired guarantee limits. Premiums seem to be correct, but only the future will tell if this is truly the case.

There are two elements in play here: the harmful effects of the application of the General Data Protection Regulation (GDPR) on the one hand, which are difficult for companies to estimate at this time. There is also no jurisprudence for the GDPR as it is only effective as of May 2018. And, on the other hand, there is also the fact that hackers keep moving forward to get into ICT systems, with security updates always a little behind. This means potential major damages for insurers. The premiums paid today for the risks seem affordable, but the future will tell whether premiums will show a declining or rising trend.

Q: Should governments create cyber pools as with terror and natural catastrophe to help foster the growth of a more vibrant cyber insurance market?

A: That is a good question. Insurance for cyber risk through pooling doesn’t seem useful. Today, companies have the freedom to subscribe to insurance. They weigh the subscription of this insurance in part against the risks they experience at their organisations, and this is also a function of the established services and protection. But pooling may perhaps be organised by the government for risks that are excluded from the guarantees of cyber policies, such as cyberterrorism and extortion by government agencies.
