Submissions uptick following retail cyberattacks despite 'lagging' concerns

By Rebecca Delaney

June 10 - (The Insurer) - A survey of Airmic members has indicated concern that cyber insurance solutions are still failing to meet the needs of businesses, the association said on Tuesday.

However, carriers have reiterated that the standard product remains fit for purpose, with a flurry of submissions following the recent UK retail cyberattacks.

Airmic’s latest member survey, published on Tuesday at the Airmic annual conference in Liverpool, identified that member firms with a significant dependency on technology feel they are evolving more rapidly than what the insurance industry is currently equipped to deal with.

“Some respondents felt that their organisation’s use of technology had been evolving more quickly than for the insurance and risk industry, with the outcome that the available solutions are lagging behind business needs,” said the report.

“This has spawned concerns as to whether insurance is fit as a risk management tool for their organisations.”

Other respondents that had refreshed their enterprise risk management frameworks said this had led to a greater re-evaluation of how they absorb risk and whether their current insurance portfolio is still the best fit for their needs, with the development of cyber insurance products described as critical.

The report added that recent cyberattacks on UK retailers underlined the importance of risk management, rather than an emphasis on post-event response.

Chris Burgess, director of technology PI and cyber at Markel, told The Insurer that the retail attacks have helped to raise the profile of cyber insurance among corporates.

“If ever there was a time that cyber insurance was playing an important role, it's now with the attacks on retail. The cyber product has really come into its own. I really do think that it's arrived on the scene as a key purchase,” he said.

Burgess added that Markel has observed a “surge” in interest in cyber insurance following the retail attacks.

“Following those retail attacks, we've had a lot of clients coming back to us – clients who explored cyber previously, but for various reasons decided not to proceed, or they only purchased a small limit indemnity,” said Burgess.

“It's raised the profile, it's put it back on the table for people. When people are talking to clients about cyber, often it's tricky to articulate what the exposure is. It's helped to be able to point to some well-publicised cyber attacks on a sector that the general public is familiar with.”

Burgess added that the particular targeting of large publicly listed retail companies is unlikely to lead to significant rate increases for the sector specifically.

“Some retailers are coming to the market at the moment and buying more cyber insurance, but it doesn't necessarily mean that cyber insurers are putting rates up at all at the moment,” he said.

“Yes, there's been some attacks and there's been some focus, but that doesn't necessarily mean that retailers need to be paying a lot more for cyber insurance. It's a moving target, it just happens to be retail at the moment.”

He continued that, overall, cyber insurance as a product is “well-priced,” although acknowledged that this can vary by sector and company size.

“We often have this conversation in cyber about people being on a journey. Every industry is very different. It's very difficult in cyber to just say, are rates coming off? Is pricing adequate?” said Burgess.

“It depends what kind of business you are, how much data you have, and how far along you are in your journey of defence and IT security. All those things have a bearing on premium. It's not quite as simple in my mind as to say, ‘here is the pricing’.”

Beth Garthwaite, corporate tech and cyber team leader at CFC, affirmed that the insurer has also seen an uptick in submissions in the UK.

“We have seen a handful of high-profile attacks in the UK which, because of the names of the organisations, has hit headline news,” she said. “Ultimately, I hope it will encourage new buyers to come to market. In the recent months we've seen our UK submissions increase quite significantly.”

Garthwaite added that broadened cyber coverage (terms and conditions were described as “as far as they can go”) should be showcased rather than drawn back, in order to encourage first-time buyers.

“Ultimately, I don't foresee a knee-jerk change in pricing because of a couple of high-profile retail losses. If anything, the coverage should really be showcased because we should be covering loss of profit in the event of a cyberattack and the extra expense as well,” she said.

“Sometimes the insurance market isn't very good at showcasing the basics of what we cover, and there can be some misconceptions of whether cyber will pay. We need to be probably better at communicating what the product is there to cover.”

Garthwaite said any significant change in pricing is more likely to be driven by systemic losses across the book, rather than individual losses coming through for insurers as in the retail attacks.

“In terms of the market at the moment, it does feel like either it's already there or it's hitting almost the bottom of what it can withstand from a loss perspective,” she concluded.

“I think the market will likely see change at some point in the next year, but in order for that to happen, we likely need a more seismic or a more systemic event than a couple of losses in the UK market.”