This September, my daughter started senior school. A momentous occasion for her, for certain, and one to which she has taken much like a duck to water, but also a momentous occasion for us, her parents, as we can’t quite believe that we are old enough to have an 11-year-old daughter. The reflection in the mirror tells a rather different story…
Watching her do her homework (thus far, without the need for parental assistance) reminded me of a scene from Blackadder. Readers of my previous blogs will no doubt be aware of my rather questionable sense of humour – for those who don’t, go find Blackadder videos on YouTube. Classic comedy!
Anyway, the scene in question concerns Blackadder’s attempts to teach his brainless assistant or dogsbody, Baldrick, some basic maths, the precis of which is:
Q: If I have one bean and add a further bean, how many beans do I have?
A: Two beans
Q: If I add a further three beans to the two beans, how many do I now have?
A: Some beans!
So near, but, yet, so far. And so it seems with the Association of British Insurers (“ABI”).
In response to the series of recent press articles in both the UK and the US (incorrectly) criticising cyber insurance, the ABI has conducted some research on cyber claims, establishing that 99% of claims included in their sample were paid. Great news, as it confirms what the cyber market has been saying until it is blue in the face – the product works!
However, the ABI add a note of doom by continuing to comment that penetration of cyber insurance amongst British business is “worryingly low” at around 11%. A shocking statistic, given that pretty much every business nowadays has an IT failure risk, never mind a data risk.
Thus far, so good – we have two beans, in that an important issue has been highlighted.
The ABI press release adds that this penetration can be improved if only cyber insurers shared breach data. This would allow the risk to be priced more accurately, exposures to be better modelled, thus allowing the product to be more widely available, more accurately priced and better tailored to each business.
What absolute claptrap.
Based on our discussions with the cyber market as a whole, the reason for the poor penetration of the product is due to companies not properly understanding their own cyber risk. Even when the company understands that they at least have a cyber-risk and have bought a policy, the sum insured is sometimes woefully inadequate.
For example, we have seen a claim for an Insured that is a global multinational business where the aggregate sum insured on their cyber policy represents 0.6% of total global revenues. Ignoring incident response costs, the policy therefore provides business interruption cover for approximately 3 to 4 days. Including incident response costs merely serves to reduce the extent of the business interruption cover.
This is a multi-site business with many IT applications that, based on our experience of similar claims, will take weeks to fully restore in the event of a ransomware attack. How, in all that is holy, did anyone think that this sum insured was a good idea?!
Now, underwriters can only underwrite what is put in front of them by brokers. If the proposed sum insured is too low based on the accounting information provided with the proposal form, this will increase the risk of a limit loss and you would think that underwriters would price this into the premium. Maybe this is why buyers perceive the cover to be too expensive?
The solution, therefore, is one of education. Yes, there are good brokers out there who understand cyber risk and can assist their clients in putting together a well thought out cyber programme. However, based on our claims experience, there are a number of brokers who do not have the requisite experience to do a proper job. Underwriters of broker professional indemnity risks, as well as underwriters of corporate D&O risks, may want to take note.
It seems to me, therefore, that the ABI have come up with the answer “some beans”. While this was undoubtedly funny in Blackadder, for the cyber insurance market, this ain’t no laughing matter.