Cyber attacks - a threat to businesses

Chris Storer, Head of Cyber Solutions at CIP, and Paul Bantick, Beazley’s UK Focus Group Leader for cyber risks, explain why the board of management is increasingly driving this paradigm shift. 

Cyber is on the agenda of every large company these days. What’s your assessment of the current situation?

Paul Bantick, Beazley: In the last year we have seen an increased awareness of cyber, particularly at the boardroom level. By now, boards have realised that 100% security is not attainable; it is not a matter of if but when you are going to have a breach. CEOs and CFOs now constantly ask: how secure are we and how do we protect ourselves? Board members understand that they need more than a “sleep-easy-yes-we-have-cyber-insurance” attitude. We offer a primary catastrophe-driven bespoke cyber policy with meaningful capacity up to $100m with which they can build large towers of cyber insurance unlike anything else.

Chris Storer, Munich Re: Particularly over the last 18 months, we have observed a real paradigm change in how large corporates are looking to purchase cyber insurance. They’ve realised that the impact of a cyber incident can go far beyond notification costs and extra operating expenses. They are now seeking something holistic that responds specifically to their business model and provides more comprehensive balance sheet protection. 

The world’s largest companies are found in different industries. Are they also affected in different ways by cyber attacks?
 

Paul Bantick: If you look at the Fortune 500 companies and enlarge this circle to the top 2,000 global corporations, we could sort them into three different buckets regarding cyber. In the first bucket are companies that have already bought an off-the-shelf cyber insurance product. They are in the market for more flexible solutions to build bigger programmes. In the next bucket are industries such as retail, finance and hospitality that could have bought cyber insurance in the past but never did because it was never a boardroom issue. And then there are industrial manufacturers, utilities and many other industries whose needs have not been met from a capacity standpoint. The coverage they needed simply wasn’t available in the market. 

Chris Storer: When we first put the Partnership together, we looked at other market offerings and realised that much of what was on offer was not necessarily fit for purpose in terms of the needs of large corporates and industrial clients. Many offerings were still very much focused on data breach protection and not necessarily catering for the coverage needs of companies beyond the traditional purchasers of cyber insurance. Many clients were also struggling to build significant towers and were looking for more sizable capacity, particularly from their primary insurer, on which to build more meaningful limits. And while there were many offerings to choose from, there was very little opportunity to customise policy wordings based on the specific requirements of an individual client. It was these three aspects that formed the foundation of our offering: a bespoke, holistic cyber protection that provides meaningful limits.

Do risk managers already feel the pressure from a much more alert board of management?
 

Paul Bantick: Risk managers are no longer comfortable having a certain amount of cover in their property policy and perhaps also in the general liability policy. They want to report affirmatively to the board that everything is covered. The only way to do that is to buy a policy that fills all gaps they have thought of – and those they haven’t.

Chris Storer: Risk managers feel the pressure of their boards. Boards of management are demanding seamless cyber cover. They want to be certain that a complete protection is in place to cushion the effects of an incident – and of course to avoid being personally liable. In turn, boards of management are also experiencing pressure from their investors and other stakeholders.

How did you find each other? How did this partnership evolve?
 

Paul Bantick: Beazley and Munich Re have had a business relationship from the beginning of Beazley’s existence thirty years ago. At Beazley, we’ve been very focused on traditional data breach products. As we saw an increase in these emerging markets, we also realised that many companies need high capacities and confront varied exposures in many different areas. In this partnership we combine our data breach expertise with Munich Re’s experience in cyber but also their knowledge and solutions in property damage, contingent business interruption (CBI) and other emerging areas. 

Chris Storer: The broad knowledge base that the Partnership affords and the combined expertise really allow us to push the boundaries of insurability. In the last six months we’ve been able to work together with a number of large companies and developed innovative cyber insurance policies that are truly fit for purpose. We now have a proven track record and we have a number of very happy customers.

Paul Bantick: Andrew Beazley once told me that it is actually rare for a new insurance product to really take off. If you are lucky this happens once in a lifetime, he said. When we launched this partnership I felt lucky. There are not many opportunities to partner in insurance, to start something ground-breaking. The demand and the first reactions we got from the market exceeded our expectations. Brokers have also been very supportive. 

After having worked jointly on many projects, what has been most surprising to you?

Chris Storer: We received very positive feedback on our willingness to tailor bespoke coverages depending on the specific risk landscape and insurance needs of our clients. They are very interested in having a deep dialogue to allow us to understand their situation and to translate that into a holistic insurance product.

Paul Bantick: We are going through a period in which a lot people are trying to be creative with their wordings. Companies and brokers appreciate our approach to start with any wording: a wording from Beazley, Munich Re, a broker or a client. Ultimately we are going to understand all the moving parts and create a customised solution that works efficiently.  

What surprised your clients?
 

Paul Bantick: They were surprised by the efficiency of the process. Clients can speak with Beazley or Munich Re – or both. When you come to an Armageddon situation, clients can be sure to deal with just their partner of choice and not various modular parties. This speeds up the claims process a lot, as you do not have to deal with multiple claims parties. 

Chris Storer: Our flexibility is very much appreciated, be it on developing new coverages, tailoring the wording, or in dealing with specific vendors and/or partners. Some clients have a certain level of comfort with preferred vendors where they have long-standing relationships. Some clients also want to see certain policy language they have used in the traditional property or liability policy for many years. Our task then would be to incorporate this into their cyber policy. 

Paul Bantick: Of course, the first thing a client wants to know is how much is it going to cost. So we work together with the brokers to help get answers very early on in the process. We want to keep it simple. At an early stage, clients should not perform a huge risk assessment, giving us all the data early on for us to then come up with something that does not give them the coverage or price they want. So we start by suggesting coverages and structures based on certain publicly available information. If everybody is comfortable with the process and the projected cost, we move on. 

Could you describe the process you are working on with your clients?
 

Chris Storer: After the initial early conversations to get to a ballpark figure in terms of cost, we engage in a dialogue with the client and their broker to get a detailed understanding of the client’s business model, how they generate their revenue and how cyber risks can touch the various parts of their organisation. Then we conduct a risk assessment which usually takes the form of an underwriting meeting with the client and their respective units responsible for cyber risk, such as Risk Management, IT Security, Compliance etc. Following that, we translate those insurance needs into specific coverage elements within the policy wording.

Paul Bantick: Brokers trying to put complex programmes in place have to address the information needs of 20 to 30+ markets. That’s a lot. We help brokers to manage, streamline and drive that process a lot more efficiently.  

Let’s look ahead a few years. What is going to change in the cyber insurance industry?
 

Paul Bantick: Besides more attacks and increasingly complex risks it will be all about education. We are in the early stages of this. Industries need to understand the wordings, the exposures, and how to manage them. Companies start building large programmes; some clients have aspirations to get this to $1bn covers. The only way to get there is to keep innovating, to stay abreast of the issues and to offer even more capacity. 

Chris Storer: The challenging situation in the case of cyber is that we are often not dealing with a static risk. Not only is the threat landscape subject to change, but the way our clients use technology and data is constantly evolving. In fact, a lot of our clients are going through significant changes in their business models. Naturally this will affect their risk landscape and their cyber risk exposure. Additionally we also see many third-party stakeholders such as regulators, financiers and rating agencies becoming much more focused on cyber risk. They want to make sure companies have appropriate cyber protection in place. Of course as the needs of our clients change, they need reliable partners in risk who are able to support them through such transitions. Together, Beazley and Munich are committed and well-equipped to accompany our clients on such journeys.

Cyber protection for the world’s largest companies - click here to learn more about our coverage.