Risk managers offer tips on managing cyber risks

15 April 2019

As organisations gain a better understanding of cyber risk, they increasingly seek more comprehensive insurance solutions. However, cyber is a complex and fast moving area of risk, making the task of buying insurance challenging, according to speakers at a recent Advisen Cyber Risk conference held in London.

Enterprise risk

During the buyers' perspective panel debate, moderated by Monica Tigleanu, Marsh JLT Specialty partner for Cyber & Technology E&O, senior risk managers discussed their approaches to managing and transferring cyber risk. Interestingly, the panel was unanimous that cyber risk should not be viewed as an isolated risk, but rather a risk to be managed alongside others.

Also speaking on the panel, Michael Paisley, CISO at a payment card processing company and former head of operational risk at Santander, said there is no such thing as cyber risk, just risk. In this context, he advises risk managers to categorise losses from cyber events into buckets, such as property damage, business interruption, and reputation.

These should then be overlaid with existing insurance coverages in order to ascertain where there is or is not cover.

Jordane Terrasse, head of Group Risk Management and Risk Transfer at the London Stock Exchange, echoed Mr Paisley. She believes that cyber risk is just a collection of risks that could fall under a range of coverages including: property damage, business interruption, or crime.

At the end of the day, whether triggered by cyber or not, a company suffers a property or crime loss, she said.

Risk managers offer tips on managing cyber risksIn transition

The overlaps and gaps in coverage between traditional insurance policies and specialist cyber insurance was the subject of another panel debate and a recurring theme of the Advisen conference.

For example, Terrasse questioned why there was a need for a separate cyber policy when the risk spans so many loss categories and existing lines of business.

In an ideal world, a company would be able to purchase cyber on an all-risk basis, as part of their property and casualty (P&C) insurance programmes, according to David Pryce, managing partner at Fenchurch Law. However, the market is not in that position yet, he said during the coverage issues debate.

Affirmative cyber cover is available in some traditional P&C policies, although it is often narrow in scope and limits, according to the participants in the debate.

Non-affirmative, or silent, cyber cover is also available in P&C insurance, but there is uncertainty around a policyholder's ability to recover these losses, as evidenced in recent coverage disputes involving property insurers over notPetya claims.

“When it comes to the catastrophic losses and tail events that we are concerned about, companies will want to know under what circumstances their insurance will or will not pay out,” said Paisley, noting media reports of coverages disputes.

Specialist cover

According to Laila Khudairi, divisional head of Enterprise Risk at Tokio Marine Kiln, the insurance market is in a “transitional phase”, a situation that is “not helpful” for buyers. However, she noted that standalone cyber insurance contains many elements of cover that are not available in traditional policies, as well as much of the cover that is available in P&C insurance.

She also pointed out that the standalone cyber market has experienced few, if any, disputes. Pryce supported this by saying that the rate of disputes in the cyber market was far lower than in the property market.

He also noted that cyber coverage disputes in the property market are not just about wordings, but also “perspective”. In contrast to the standalone cyber market, property insurers are less willing to pay a cyber loss when the cover was “grey”, he said.

Pryce said that purchasing cyber insurance is justified, although buyers will need to line up their P&C covers against the modules of a cyber policy. “A cyber insurance policy is a series of heavy endorsements to traditional policies. Unfortunately most policyholders do not see it that way,” he said.

Risk managers offer tips on managing cyber risksWorkout

One way risk managers can reduce the uncertainty with transferring cyber risk to the insurance market is to work more closely with their brokers and carriers, testing cover against loss scenarios.

Stephen Porter, vice president, Insurance and Treasury at publishing group Pearson, shared his positive experience of holding a cyber workshop with his insurers and insurance broker.

A cyber workshop can explore how cover will respond and expose any uninsured gaps, avoiding nasty surprises and potential coverage disputes.

“The biggest help for us was holding a cyber workshop. This really brings home to underwriters and our [senior executives] where there is cover and where there is not,” he said.

Workshops are particularly useful for preparing crisis management plans and anticipating the increased cost of working, according to Porter.

He found that the workshop’s insight was also helpful when preparing for a cyber event and potential insurance claims, as it allowed him to develop a ‘playbook’ to share with relevant colleagues.

An insured will need to follow certain procedures and agree to certain mitigation costs to make a successful claim.

Budgets will also need to be set for additional expenses, such as the cost of bringing in forensic accountants and other experts. These actions can be revealed in a workshop.

According to Terrasse, an organisation’s crisis response also needs to be considered alongside insurance.

The first hours of a breach are critical, but underwriters may need to agree to the use of external consultants and service providers, she said. According to Porter, Pearson uses a large deductible to give it flexibility and control during the early part of a data breach.

Seeking certainty

The differences in the language used by cybersecurity, risk and insurance practitioners is another factor influencing the certainty of cover being purchased, according to the buyers’ panel debate.

How a risk manager “frames the problem” of cyber risk is critical to how companies purchase cover and requires “translation” to the insurance market, according to Paisley.

“This is a young industry. Cybersecurity has grown out of the IT department and many senior people came from IT. But I can’t understand how a CISO can see themselves as anything but a risk manager.

It is a risk management job, but often the CISO’s background and frame of reference is IT, not risk management," he said.

The dearth of cyber expertise is a wider issue, and one that affects insurers and their clients alike, according to Paisley.

For more articles like this, download our Cyber Decoder
Cyber Learn more about cyber insurance solutions and risk management >>

Sarah StephensTALK TO AN EXPERT

If you would like to talk about any of the issues raised in this article, please contact Sarah Stephens, Head of Cyber on
+44 (0)20 3394 0486.

As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

View our latest cyber videos here