With cyber insurance take-up still low among SMBs, GlobalData believes other commercial insurers are at significant risk of paying out for an attack

Cyber insurance take-up is on the up, but commercial insurers are still exposed to paying out attacks

The risk of a cyber attack poses an increased threat to insurance companies outside of those providing specialised cover for such events, according to analytics firm GlobalData.

A report from the company claimed 66% of medium-sized companies reported a breach in 2018, with the figure amounting to 47% for smaller organisations, and 40% for those considered micro-sized.

With a comparably low uptake of 14% in the case of micro companies — the least likely SMB to have a specific cyber insurance policy — GlobalData concluded insurance companies that cover other events, but don’t exclude cyber breaches in their policy wording, are at risk of having to pay more cyber-related claims.

Cyber insurance uptake is lowest among micro-sized companies (Credit: GlobalData Insurance Intelligence Center)

Senior GlobalData insurance analyst Daniel Pearce said: “This situation — where the uptake of cyber insurance is far lower than the percentage of business owners detecting a cyber-breach — means commercial insurance providers may be exposed to cover the cost of cyber claims on traditional policies such as business interruption.”

Several high-profile examples of this happening have come to light in the wake of a string of cyber attacks that began in 2017, such as the infamous NotPetya ransomware — including the ongoing “act of war” legal dispute between US food and beverage giant Mondelez and major multi-line insurer Zurich.

According to Pearce, there has also been a significant boost in the uptake of cyber cover since 2017, with the 14% of micro companies covered in 2018 jumping up from 4% in 2017.

The UK cyber insurance market is still in its infancy, particularly when compared to the more established commercial insurance products. Yet, the rate of growth is substantial. Findings from GlobalData’s 2018 UK small and medium sized enterprises (SME) Insurance Survey found that 27.2% of SMEs held a standalone cyber insurance product, which is an increase of 14 percentage points when compared with 2017.

Praise for AIG’s move to affirmative cyber insurance to address risk

Multi-insurance giant American International Group (AIG) said earlier this month that from 2020, all of its commercial property and casualty policies will affirmatively cover or exclude both physical and non-physical cyber risks.

Pearce sees this as a positive move for an insurer protecting themselves from cyber-risk exposure, but also claimed it will have a benefit to customers by reducing ambiguity in policy wording.

“Clearly, steps such as this, which clearly outline what cyber risks are insured, will benefit insurance providers, enabling them to exert greater influence over their exposure,” he said.

“Yet policyholders also stand to benefit, as moves such as AIG’s transition towards affirmative cyber insurance will help ensure policyholders have a clear understanding of which cyber perils are covered through a commercial insurance policy that is not cyber-specific.”

“This, in turn, will help businesses owners more easily identify the benefits offered by a specialist cyber insurance product.”