By: John Merchant - Head of Cyber and Professional Liability
There is no doubt that the cyber insurance market has come a long way in recent years, with insurers investing heavily in boosting their technical knowledge. Our market’s recruitment of underwriters with technology industry backgrounds, and risk engineering and cyber security qualifications, has been a crucial and much-needed step forward which has filled what was a clear knowledge gap.
This focus is of course not surprising. After all, the majority of claims and losses in the last few years have stemmed from attacks on clients which were quite preventable with certain security technologies in place, including MFA and PAM tools. Most of these ransomware attacks and phishing expeditions by criminals should, or could, I believe, have been blocked.
However, whilst the onus on understanding what hard technology controls companies have in place against attack remains paramount, traditional cyber exposures around privacy should not be overlooked. That is, questions around how and what data firms are collecting, how they are managing and protecting it, and what they are using it for.
This swing in focus by underwriters should ring alarm bells across the market, as issues around privacy and compliance have not gone away. In fact, there are clear signs that these risks are starting to increase. Recent legal actions against companies over devices eavesdropping or snooping on customers, and concerns over the use of biometric data, are not going to be isolated cases. The US government and European Union privacy offices are also turning their attention more and more to consumer-focused businesses, questioning what they are doing with customer information and data, with regulators increasingly issuing harsh fines and penalties for non-compliance.
Underwriters should ensure that they really understand who they are insuring – that is, what the company does, why it is doing it, how it intends to grow, and ultimately what information or data it needs to deliver on its strategy. Only then can an underwriter really investigate what information the insured is collecting, what they are doing with it, how they are protecting it and, of course, what they are telling customers about what they are doing with it. And surely, if an underwriter does not really know what a business does, should they be insuring it at all?
The bottom line is that privacy needs to be given equal billing to end-point protection when it comes to talking about, and underwriting, cyber insurance coverage, which is, after all, essentially cover for operational risk.
So, let’s all get back to basics. Let’s rebalance the underwriting equation and ensure clients are protected as far as is possible from both cyber-attacks and failings over data use and regulatory compliance wherever they are operating in the world.