Mr Holmgrun says there is unfortunately no single “golden rule” for deciding who should be responsible for cyber risk within companies in the Nordic countries. Although there are large international corporate groups within the region, the vast majority of companies are not that big and so do not have dedicated risk management resources, points out Mr Holmgrun. This means that currently, responsibility for cyber risk tends to sit within the IT department, which is clearly not ideal.
“Ideally, this risk should be located within a newly established compliance department directly reporting to the managing director or board, and with threads leading into HR and IT departments to ensure that IT security is accompanied by training of the employees to minimise risks,” says Mr Holmgrun.
Insurers and brokers can definitely help companies manage this fluid risk, says the insurer. But the first step is to raise awareness within organisations at senior level, adds Mr Holmgrun.
“First and foremost, companies should recognise that there is a need to deal with this risk. This is the very first step before anyone can help them. If a company does not see cyber as a problem, then why would it want anyone else to address the issue? We therefore have to take a step back and identify the emerging risk,” he explains.
“Managers and decision-makers then have to accept it. Once you have acknowledged that your company is facing a new risk, you can start a dialogue about how to reduce that risk. And at that point, brokers have a consulting role to play. As an insurance company, we can then start a dialogue with our client in order to assess the situation in each individual company,” he continues.
Once management has understood it faces a cyber exposure, it can then start to think about which part of the risk could or should be insured, says Mr Holmgrun.
“In summary, there are three steps: address the cyber risks, do everything possible to minimise them for your company and insure the remaining part of the risk,” he adds.
Mr Holmgrun says it is difficult to say precisely what proportion of cyber risk can be covered currently.
He explains that HDI Global’s cyber insurance, for example, includes cover against first-party damage such as manufacturing interruptions. Third-party damage is also covered, for example when a customer holds a company responsible and submits a claim. The policyholder can also secure crisis communication and forensic investigation cover.
“We believe this is quite a broad scope of coverage. It is difficult, though, to specify this proportion of coverage in percentage terms. After all, each client is different and many of our insurance solutions are tailor-made. Furthermore, it is still quite difficult to identify corporate risks because we do not have a huge amount of data for us to base our assessment on as an insurer,” says Mr Holmgrun.
The European Union’s new GDPR will, however, help in this regard, according to the insurer. “The GDPR rules will probably enable us to draw a much clearer picture of these risks,” he says.
Risk managers across Europe still feel there are significant gaps in cyber cover that need to be filled. Mr Holmgrun was asked where he believes these gaps are.
“One gap we ought to discuss here is the knowledge gap. I think there is a gap in knowledge about what we, as an insurance company, offer in terms of cyber insurance and what the client expects. As cyber is often connected to cybercrime, there could be elements where a criminal act visited on the company happens by internet or email,” he says.
“However, this may not necessarily be a hack into the company’s system. As an insurer, we need to be more robust about communicating to our customers which elements of these attacks are insured. If we do this, we can help to minimise the knowledge gap,” explains Mr Holmgrun.
The Denmark-based insurer was also asked what improvements he has seen in cyber insurance in recent times.
“More and more companies are making enquiries about this topic. This may be a small step but it is an important one. More companies are becoming aware that there is new legislation on the way,” he says.
“Another factor is that we are very digitalised societies in the Nordic countries. Cyber is more or less on everybody’s mind these days because of hacks and data breaches. The media frequently cover these cases. That is also a driver for an increasing interest in solutions to mitigate this risk,” adds Mr Holmgrun.
This text was first published by Commercial Risk Europe. Publication on this website by courtesy of Commercial Risk Europe.