By Douglas Mower; Innovation and Business Transformation Director; Crawford & Commpany.
IT IS LIKELY that an increasing number of conversations between brokers and their subject matter expert (SME) clients at renewal revolve around the ‘should we, shouldn’t we?’ question of cyber risk and insurance.
Businesses, particularly at the smaller end of the spectrum, have little guidance available to them beyond generic figures, such as those published on the Association of British Insurers’ website—which tells us the average cost of a breach ranges from £65k to £115k for a small business.
Of course, the actual threat posed by cyber to a ‘normal’ business remains abstract. The reality is that small businesses may only have one question: Is my organisation really at risk?
Today’s broker is required to make a first assessment of these potential exposures, which is no mean feat given the intangible nature of cyber risk. However, a growing number of brokers respond to this question by focusing less on the potential threats posed by cyber risk and more on the client’s ability to respond, should one occur.
The insurance industry has been climbing a steep learning curve, and in the past 12 to 18 months, the market has begun to create a range of more robust solutions designed to step in after a data breach. Focusing on service-level response, these solutions are built to withstand regulators’ ever-increasing interest in the obligations companies have after a cyber-attack or data breach, such as the requirement to notify customers within strict time frames.
These insurance-backed solutions provide rapid response services, but crucially seek to minimise the risks of mis-handling the aftermath of a cyber-attack. They do this by ensuring that pre-event plans are mapped out, and supplier nominations are scoped and contracted.
When customers experience a flood, the insurance industry’s response is collaborative and flexible: In many instances, contractors are instructed by the client, and work can be managed in tandem with all parties.
We are discovering cyber risk is a much less travelled path and one requiring resources that can support customers without the ability to respond themselves.
Brokers will increasingly advise their clients to consider this type of solution, where a network of suppliers wholly supports the customer the moment a breach is discovered.
In a recent interview with Crawford & Company’s On the FrontLine magazine, Tom Ridge said, “There are only two types of company. Those which have been hacked and know about it, and those which have been hacked and don’t.” Ridge is CEO of Ridge Global LLC, chairman of Ridge Insurance Solutions, the first U.S. secretary of Homeland Security and 43rd governor of Pennsylvania.
Such certainty indicates a clear and present danger about which we are constantly reminded. What companies do to ensure they can quickly dust themselves down after a breach is up to them, but it’s important to first acknowledge the realities of expert service delivery. Without scenario planning and pre-nomination, companies will find themselves bogged down in paperwork at the point when their digital reputation is in tatters.