Education and awareness continue to be the biggest hurdles for insurance firms that want to provide cyber coverage to their markets, according to the consensus of the expert panel at the recent Insurance Business Cyber Risk Master Class.
Citing Council of Insurance Agents and Brokers (CIAB) data, AHT Insurance president and chief executive David Schaefer said that 29% of the clients of the insurers surveyed are covered by cyber insurance.
Further, Robert Rosenzweig, DeWitt Stern risk strategies group cyber practice lead, noted that it is especially challenging to convince small and medium enterprises (SMEs) that they carry cyber risk, particularly because they do not have a dedicated workforce with the expertise and the necessary vendor relationships to respond to a crisis.
The situation is exacerbated by mounting cyber threats that are trickling from the large national accounts down to the smallest mom and pop stores as a result of the continued uptake of computers in business operations.
In 2015, for instance, cyber security firm Symantec reported that almost half a billion personal records were stolen or lost. This is a 23% increase over the figure reported in 2014, and the company says this is just the tip of the iceberg.
“These numbers are likely higher, as many companies are choosing not to reveal the full extent of their data breaches,” Symantec said in its 2016 Internet Security Threat Report.
Thus, Rosenzweig added that a lot of time and energy is spent helping clients understand that they have a risk. Even the process of applying for coverage is an obstacle, he said, because forms are usually five to 15 pages long, and among SMEs that do not have in-house expertise to deal with it, the application process can be tedious. He explained that it is a challenge to help clients understand what kind of information the underwriter is looking for.
Christine Marciano, president of Cyber Risk Data Managers, also emphasized how comparison shopping could be an intimidating process for the client because of the sheer diversity and variety of coverages available in the market.
“Clients don’t really know where to start,” she observed; thus, underwriters really need to “take time to understand the product and how to explain to (them).”
Shopping around based on premiums is not as simple as it seems, she said, as it is an “apples to bananas” comparison because of the variations in wordings, conditions, and exclusions that clients may discover on their quotes.
Schaefer also noted that it takes a while for clients, especially those who do not belong to the healthcare, finance, infrastructure and retail sectors where uptake is relatively high, to accept that they carry cyber risk and will need to spend on protection.
It is “even more of an uphill climb” to provide insurance to SMEs in sectors outside those he previously mentioned. Usually, he said, it takes three to four attempts before such firms can be convinced to get covered for their cyber exposure.
This hurdle needs to be addressed with further education, Rosenzweig noted, as insurers must help their clients understand how risk is being priced.
Another challenge, Schaefer noted, is that clients from the larger business segments usually buy a cyber policy for risk transfer, while smaller enterprises get coverage to simply comply with contractual requirements.