The ABI found that 99% of cyber insurance claims were paid by its members in 2018, but insurance governance consultant Mactavish says this misses the point
The Association of British Insurers (ABI) says 99% of cyber insurance claims made against its members’ policies were paid in 2018 — but not everyone is convinced by the statistic.
Alongside its payment announcement, the ABI renewed calls for the Information Commissioner’s Office (ICO) — the UK’s data protection watchdog — to release anonymised breach data from cyber-attacks so that underwriters can improve the accuracy of their risk analyses.
The ABI’s call for access to this data was stepped up in March this year, when its director of general insurance policy James Dalton called for a “redoubling of effort” from the ICO to achieve a data-sharing agreement.
With the release of these statistics, the association has stepped up its case further, claiming that “the inability to access raw breach data risks limiting the potential of the market.”
Dalton adds: “Data is key to insurers’ ability to better understand and more accurately price cyber risk.
“We need the ICO to work with us to find what data can be shared to help insurers provide more cover to the many businesses that need it in this digital age.
“Cyber cover provides extensive services focused on preventing a breach from occurring in the first place, as well as helping with the recovery and management of costs associated with an attack.
“Cyber insurance is a valuable product – the claims acceptance rates speak for themselves and the additional support a business receives, beyond dealing with the pure financial losses, is a key attribute of most cyber insurance policies, too often overlooked.”
Mactavish technical director says ABI “misses the point”
Insurance governance consultancy Mactavish has clashed with the ABI several times in the past on the issue of cyber insurance, and technical director Rob Smart believes the latest payment statistic shouldn’t override the larger concern of insurers not paying complex claims.
He said: “We would 100% agree that the UK has the potential to be a world leader in cyber insurance, although we also feel that the 99% of claims paid statistic misses the point.
“What matters, both in cyber and in other classes of insurance, is the larger, more complex claims that present a threat to the client’s business — not the majority of small claims that tend to be more straightforward, but dominate such statistics.
“For most classes, the dispute rate for large or complex claims is many times higher, and this is what ultimately determines the value of insurance.”
Despite this disagreement, Smart believes the ABI makes an interesting point in identifying the ICO’s reluctance to share breach data with insurers as a barrier to growing the cyber market — but he also claims several other issues are holding it back.
“It is also held back by the over-standardisation of wordings and by those insurers and brokers who sell off-the-shelf products without helping clients properly understand their exposure — which can then lead to a nasty surprise when a claim happens.
“The winners should be those underwriters and brokers who can work with clients to develop better understanding of their cyber exposures and who can translate this into an adapted policy which fits a given client’s needs.”
Lack of knowledge is another barrier to cyber insurance take-up
The ABI announcement highlighted that just 11% of businesses are thought to have a specific cyber insurance policy, warning that millions of small businesses could be at risk.
Daniel Pearce, senior insurance analyst at analytics company GlobalData, believes another barrier to take-up is the shortage of knowledge among businesses — something access to data breach information can’t solve alone.
“The inability to access raw breach data will limit the market to an extent, but it is certainly not the sole barrier.
“A lack of awareness amongst the customer base is also a major barrier the insurance industry must overcome.”
“Although companies are becoming increasingly aware of the cyber risks they face, many — in particular SMEs — feel they are unlikely to be the victim of a cyber-attack, and therefore don’t seek cover.
“Some will also feel that elements of other insurance policies they already have in place may cover some of the risks covered by cyber insurance.”
This last point was addressed by Smart in a previous discussion with NS Insurance, where he referred to relying on non-cyber-specific coverage in the event of a cyber-attack without adjusting the policy to include “very clear” cyber inclusions as “abhorrent”.