- Cyber Insurance
Many small- to medium-size financial institutions are holding out on buying dedicated cyber insurance – even though big banks have been buying cyber policies for a long time. This contrasts with what we are seeing in professional services like law firms or engineering companies.
Smaller firms sometimes assume they are sufficiently protected by “silent cyber” – the potential cyber protections contained within a traditional insurance policy. While these policies are originally designed to cover non-cyber aspects of a business, they might still be used to pay a cyber claim. A professional indemnity or civil liability policy might help cover cyber claims, for example, but it leaves less money in the pot for what that cover is actually meant to protect.
New cyber security research from the UK government confirms that businesses are not going far enough to protect themselves from a breach or attack – and the consequences are damaging. It found that among the 39% of businesses and 26% of charities that identify breaches or attacks, one in five lose money, data or other assets. A cyber prevention framework that includes stand-alone cyber insurance can help a business contain those losses and eliminate gaps in cover. That is increasingly important as cyber risks evolve and financial institutions become more interconnected.
When traditional insurance is used to cover a cyber breach, it often leaves gaps. A liability policy could cover a claim for a liability resulting from a privacy breach, but it may not cover the costs of notifying individuals as required through GDPR, or of the IT forensic work needed to determine the extent of the breach. Those post-breach services, which are central to stand-alone cyber policies, are critical to getting a business back on track after a breach. The minutes and hours after a breach are often where cyber policies prove their worth.
As part of a regulated industry, financial institutions have generally had better cyber controls than businesses in other sectors – and for a longer period of time. While financial institutions have experienced breaches in recent months, ransomware claims have hit other industries harder. When the industry as a whole has yet to experience significant claims, it can be challenging to prove the value of standalone cyber insurance.
But the risks are changing. Ransomware is no longer about stealing information. It’s about preventing access to the insured’s critical systems and threatening to publish confidential information – as well as demanding multiple ransom payments in the process.
As cyber threats evolve, so will insurance protection. Lloyd’s recently voiced concerns that silent cyber poses unexpected risks to insurers’ portfolios, which will require insurers to take more active steps to reduce ambiguities. Protecting financial institutions from these threats is a fundamental concern we’ve had for a long time. And by working together with our broking partner, we can help reduce these threats and risks for our clients.