18 May 2021

What do insurers consider when underwriting a cyber risk?

By Lesley Fitzpatrick, Associate Director

Cyber-attacks are on the rise for businesses, pushing many to the brink. [1] One in six firms attacked in the past year said the financial impact materially threatened their future. Given this finding and an increase in claims frequency from ransomware attacks, it is no wonder that the underwriting process in cyber insurance is changing significantly.

Previously, underwriters required only a minimal amount of information for cyber insurance applications; they now look for much more.

What do insurers consider when underwriting a cyber risk?

Sector – The sector of the firm tells insurers what exposure they face when underwriting cyber insurance. The construction and manufacturing sectors have had a high frequency of large losses in the last few years, so insurers would look to charge a higher rate to businesses operating in this space. Some additional covers, such as crime, may not be provided to businesses in certain sectors.

Turnover – This is used by all insurers to calculate the potential exposure a firm may pose, especially in relation to business interruption cover. It is also the best indication of company size.

The number of records held – This gives insurers an indication of the likely number of data subjects affected in the event of a data breach. It also allows insurers to get a handle on the type of information held and whether it is high risk, such as medical records or payment card details.

Insurers define a record as Personally Identifiable Information (PII): a record that can be used to identify, contact or locate a single individual.
From experience, insurers know that there is a direct relationship between the number of data subjects affected by a data breach and the costs of the breach. The volume of records, therefore, provides the best guide to the likely cost of a cyber and data claim.

Risk management – This is arguably the most important area that is considered. Some insurers offer a suite of risk management services to their clients on the inception of a cyber policy, with the aim of improving risk management and security before a crisis strikes. Good risk management would take the form of employee awareness and training, executive buy-in and training, strong policies and procedures, and good awareness of the business's data and how it is stored.

Taking a proactive approach demonstrates a lot about the business. Statistics show that the vast majority of data breaches and cyber-attacks stem from human error, so having a culture where information and cybersecurity are ingrained in the business can have a significant impact on both the chances of an incident occurring and the speed of resolution.

Security – Cybersecurity refers to the body of technologies, processes and practices designed to protect the insured’s network, devices, programs and data from attack or damage. Examples would include encryption of data, anti-virus software and firewalls, user management (segmentation of data), password protection, patch management, IT security personnel, and segmentation of different networks from one another.

Territories – There is an increased exposure in the US/Canada, as they have class action suits that are very expensive to defend. Regulators there have a reputation for being heavy-handed and imposing hefty fines. In the US there is an increased likelihood of third parties seeking damages for cyber and data breaches in comparison to Ireland and the UK. Cover varies by insurer, but most offer worldwide cover as standard.

At Robertson Low, we work with a broad range of insurers offering best-in-class cover and service in the cyber sector. Talk to us today on 01-9131155 to source competitive, comprehensive cover for your clients.

[1] Source: Hiscox Cyber Readiness Report 2021