
By Michael Loney
April 25 - (The Insurer) - The business interruption process following a cyber incident is still not adequately understood by the insurance value chain, warned Resilience’s Tom Egglestone, with vendor risk potentially the next claims explosion in the market.
Egglestone, head of claims, international at Resilience, outlined that there is still a lack of understanding among companies as to how critical system compromise may impact their top and bottom lines.
“There is still, generally, a bit of a misunderstanding around BI in the market,” he said on a panel at the recent Zywave Cyber Risk Insights event in London.
“A lot of this comes down to good communication early. Really, it's about making sure that robust incident response planning is well practiced.”
This includes identifying vendors that are carrying out incident response work early on in the process, potentially as a requirement within an insurance policy.
“We talk about market softening. One area we're seeing a lot of pushback is on choice of vendors,” Egglestone continued.
“I do think that's an area that insurers need to be mindful of. You need to make sure, in this period of instability in the global markets, that we have the right people working on these cases as these things get more complicated.”
More than 40% of claims seen by Resilience in 2024 and in 2025 so far have stemmed from a vendor in some form, underlining the complexity of monitoring the cybersecurity posture of third parties.
Tim Geschwindt, deputy head of incident response, Europe at S-RM, added during the panel that systemic cyber risk will likely be compounded by the proliferation of AI technologies and open-source software.
“My prediction is that there will be a digital cornerstone that we're not aware of in our economy that will be compromised and have a massive downstream effect that we're not yet ready for,” said Geschwindt.
“We call it open-source digital cornerstones. Moving forward, it's something that I'm quite worried about. I think people lack an understanding of how the tools are built on a pyramid, which can ultimately get down to one forum and a handful of folks just making their own software decisions.”
DAC Beachcroft partner Hans Allnutt added that while systemic exposures and ransomware losses are under focus from an underwriting perspective, attritional losses must also be afforded greater attention.
“Business email compromise is a classic example of an attritional loss; you're looking at, easily, a four- or five-figure loss for a data breach and a data mining exercise, for maybe a three-figure premium,” said Allnutt.
“We talk about AI or other technologies, there is certainly a case that might say that suddenly business email compromise picks up and you've got a huge amount of attritional exposure.”
Allnutt added that the introduction of cyber insurance products with zero deductibles and unlimited reinstatements throughout the policy year could lead to attritional claims if the market covers multiple low-level incidents across the policy period.
REGULATORY CHANGES IN UK AND AUSTRALIA
Elsewhere, he highlighted the importance of understanding upcoming regulatory changes around ransom payments and reporting processes, particularly for multinational companies.
For example, the UK is currently consulting on government proposals to introduce mandatory reporting for private sector companies that suffer a cyber incident and consider a ransom payment. The government is also considering a form of ban on payments for public sector bodies.
In Australia, as of May 30, firms with an annual turnover exceeding $3 million must report any ransomware or cyber extortion payments within 72 hours of occurrence.
“What this really shows is, country by country, governments themselves are now taking steps around ransomware reporting and bans,” said Allnutt.
“If you've got a breach that is on a cross-jurisdictional basis, if you’re a company that operates in different jurisdictions, we're now going to have to look at these jurisdictions to the reporting requirements.”
He continued: “From an insurance perspective, claims have a cross-jurisdictional nature depending on where the capacity is provided. So (it’s) not so much a claims explosion in terms of exposure. But a real hot topic area in the coming years will be getting the claims processes and breach processes in place for these emerging areas of law around ransomware payments.”