Adrian Ladbury: Who should be responsible for cyber risk within a corporation? How should this risk be most effectively managed?
Patrick Smolka: It is still the case today that cyber security is too often and exclusively localised in IT departments. Yet cyber security cannot be equated with IT security only. A good cyber strategy encompasses not only IT aspects but also organisational measures. This means, among other things, managing relationships and interfaces with third parties – a task that includes classifying the information that comes into a company. In addition, roles and responsibilities, as well as processes, need to be defined and managed. It is important that companies engage with cyber security on an ongoing basis. That means they should deal with cyber risks like any other more “traditional” risk such as fire, liability, business interruption or the like. This also means that buying a cyber insurance policy can be an additional step to complement their portfolio of measures. In a nutshell, cyber security is a responsibility for the top management and decision makers and, as such, it needs to be addressed by corporations at C-suite level. Depending on a company’s architecture, it is here that actions must be taken to ensure that preventive safeguards are put in place and sensibly coordinated.
What cyber risk is insurable?
Insurance cannot cover all cyber risks across the board. As a general rule, the insurance protection offered by cyber coverage complements already existing insurance policies. The additional protection then mostly extends to first-party losses such as those caused by business interruption and/or third-party losses as a consequence of cyber events. As we see in the German market, the trend in cyber insurance is now also moving towards covering more than just the financial risk. Customers need to bear in mind that if a company falls victim to a cyber attack, what matters above all, right from the first minute, is acute crisis management. Therefore, insurers must also be able to offer their customers meaningful assistance to manage a crisis. HDI can do this. We make professional and internationally positioned service providers available to all of our customers on call – on a 24/7 basis. These are not just IT professionals, experts in computer forensics, network and internet specialists, but also PR crisis consultants and legal advisers.
What is not insurable in your view?
In the early days of cyber insurance it was basically only targeted cyber attacks that insurers wanted to cover. Similarly, providers struggled to come up with coverage solutions for the use of Cloud services back in the infancy of cyber insurance. But that is all in the past. The market now offers insurance solutions for these areas as well. One limitation in insurance cover may be in the area of theft of intellectual property.
Is there adequate cyber capacity currently and is this fairly priced?
According to our experience in the German market, large industrial enterprises and multinationals are able to buy an indemnity limit in the range of €400m to €500m through insurance consortiums. As far as we are concerned at HDI, we are normally able to offer our large customers a level of coverage up to around €50m. In specific cases the figure can be even higher under certain circumstances. On the German market, however, coverages running into the triple-digit millions are only required by the major DAX listed corporations. Leaving them aside, many of our other mid-sized customers are interested in limits of between €5m and €25m. As to the prices, from HDI’s standpoint we can say this: as with other lines, we only write those risks for which we believe the premium is commensurate with the risk. In other words, prices must be determined that are equally fair for policyholder and insurer alike.
How should insurers help risk managers prevent and manage cyber risk?
Early engagement is key, and buy-in from all stakeholders is critical to success. A cyber insurance policy should be more than a promise of indemnity; it needs to be a risk mitigation tool and provide access to the types of service provider that are going to help lessen the impact of a cyber event should one occur. This is why risk managers need to invest time and discuss risk scenarios and contingency plans with their broker and their insurer. They must do so before a cyber event occurs. By drawing on its network, the insurer can deliver useful services as part of these preventive measures. This can be especially beneficial for smaller enterprises that do not have their own network of IT experts, cyber experts and other specialists.
What proportion of cyber risk is currently covered and where are the coverage gaps that you would like to see filled?
Companies that currently have cyber insurance have clearly already given intensive consideration to their cyber risks. Accordingly, they have developed a cyber defence strategy. This usually includes cyber insurance along with technical safeguards and organisational measures. At such companies we may normally assume that the bulk of their cyber risks are covered. The situation is very different with companies that still believe cyber risks to be an issue affecting others but not themselves. There is reason to fear that significant gaps in protection and coverage exist at such enterprises.
Should governments create cyber pools as with terror and natural catastrophe to help foster the growth of a more vibrant cyber insurance market?
We launched our HDI Cyber policy in Germany in the summer of 2013. That was more than four years ago. Looking back, we have seen somewhat slow but consistent growth and evolution of the German and European cyber insurance markets. Over the years, expertise on the insurance market has been developing in step with the understanding of the risk, and hence new and innovative cyber insurance solutions are appearing. We are confident that this development is going to continue for quite some time to come. Against this background, we currently do not see any need for the German government to create a cyber pool.
This text was first published by Commercial Risk Europe. Publication on this website by courtesy of Commercial Risk Europe.