One third of RMs are concerned about cyber-driven interruption and loss or theft of personal data, according to research conducted on behalf of Chubb by Airmic in Q2 of 2017 – and they believe this risk will persist as the pace of digital change accelerates.
Yet the same survey of 150-plus risk and insurance managers (RMs) reveals two thirds have yet to persuade their organisations that cyber is an enterprise risk, with many only coming together with technology or security teams at times of crisis.
This is a particular challenge at middle-market organisations. The reasons vary but it is often because RMs focus on risk transfer, not risk management. It falls on the C-Suite to drive ownership, which means the RM’s role is primarily as an influencer to the C-Suite.
That’s why we try to bring all relevant parties to the table when we have a client visit. It’s also why we have an expert who can speak the language of IT and information security to the relevant department heads, which can make a difference in moving insurance engagement from a transaction to a partnership.
Part of Chubb’s cyber appeal for middle-market companies is the incident response. Most do not possess an established incident response plan with pre-contracted vendors. A turnkey approach can improve their response time and response quality immediately. We know that the key to mitigating an event comes down to shortening the time from ‘hour zero’ of the incident to when appropriate expertise is on site and delivering.
The Airmic research also showed that managers want data breach recovery and a greater breadth of cover for intellectual property (IP) theft and business interruption. The industry continues to refine the approach to insurance, but we recognise there’s work to do.
For instance, IP theft is particularly challenging. It is very difficult to identify who took the IP, how it is going to be used and by whom. There isn’t an avenue along which to appropriately prosecute these thefts either. So, for now, the best IP protection is to focus on prevention. Policies can still pay for the response and attribution, but beyond that it becomes quite a different animal.
But in facing emerging cyber risks, the challenge for both risk managers and insurers is to ensure the pace of change does not exceed the rate of industry innovation.
At Chubb, we are privileged to be able to have underwriters and product expertise positioned globally that regularly collaborate to stay on top of emerging risks. If we notice a trend in Australia, our teams in Europe, LATAM, Asia and North Africa know the same day. That applies to trends in exposure, claims, incidents and market movements. We are committed to the long-term health of the cyber insurance proposition, so we make sure that we dedicate enough time and resource to adequately manage the exposures for ourselves and use these outcomes to educate our clients.
One trend that is clear is the growth in middle-market appetite for cyber cover. The middle market is key to our cyber lines growth strategy. With any early-stage market, first buyers are going to be the most risk-aware and likely highest risk or large complex organisations. Markets are not made until there is adoption in the middle market.
I expect with the European Union’s General Data Protection Regulation coming in 2018, the take-up with middle-market companies will grow exponentially. If we look at our experience in the Netherlands following their data protection act in 2016, it would not be shocking to see growth in the multiples, not percentages.