Cyber is a very real new risk that all businesses and individuals are now exposed to that did not exist 25 years ago. Markel International’s Gustaf Kristiansson gives some expert insights.
Whilst, in general, the response of the insurance industry to this new risk has been good, it has highlighted some of the old familiar failings. The consideration of the exposure by some as unquantifiable may be valid but is not particularly helpful.
The very purpose of insurance is to give any party exposed to risk a fixed price solution to reduce its impact, if not take it away entirely. Where the trigger events and indemnity amounts are somewhat ethereal, as in the case of cyber, it is the role of the insurance industry to engage with stakeholders to propose wider risk management solutions in order to define exposures and to make them appear manageable, putting ‘hard’ numbers on the indemnity amounts.
Looking inwards
Cyber has also highlighted another Achilles’ heel of the insurance industry which is its internal focus when it comes to product development. Insurance companies are unique in that they sell a product where the main component of the final price charged, the claims, is unknown at the time the price is set.
Think of McDonalds not knowing the price of beef or Ford not knowing the price of steel. As a result, the industry is very focused on predicting this cost correctly to ensure a profitable outcome. This is great for shareholders but not necessarily so for customers as the effort to predict this cost often drives individual product lines into silos where their data becomes increasingly easier to analyse. When viewed from the customers’ standpoint, this has the effect of making any business’s insurance programme somewhat piecemeal and cyber risk highlights this flaw.
Malicious attacks
The vast majority of devices are now connected through shared clouds and encompass every aspect of our personal and professional lives. Individual computer processors do not know (or care) what they are controlling or where they are in the world. They simply carry out their programmed task, communicating seamlessly across different industries and jurisdictions. They could be on a desk in a home office, or on a ship at sea, or even part of a satellite orbiting the earth. Their basic operations remain the same.
When it comes to cyber insurance, it is this universal nature of the exposure that butts hard against the insurance industry’s more segmented view of the world. The chance of a computer system being maliciously attacked, the potential methods used, and the risk management deployed are very similar across all computer systems but the extent to which the risk can be insured depends very much on the industry that the system is deployed in.
The nature of the cyber cover available for a bank, for instance, is very different to that available for a ship owner. The limits, deductibles, cover for consequential loss and cover for reputational damage may all be different for different industries (if they are available at all) which is far from satisfactory from a customer’s point of view.
The piecemeal approach by the insurance industry to cyber exposures leave some winners and some losers. The financial services sector is very well served with innovative products and appropriately large limits which is in stark contrast to the marine sector which is very poorly served. Given marine insurance’s status as the ‘Grand Old Dame’ of the insurance world, this is not a great surprise but is of little comfort if you are a ship owner concerned about cyber risk.
Protecting valuable assets
Modern vessels are highly automated and are regarded as valuable capital assets containing many sophisticated computer systems which are combined with some of the lowest cyber security standards of any industry. Added to this, there is little practical support from the insurance industry with regards to this exposure.
As such, specialist insurers like Markel are constantly assessing risks from the customers’ perspective. Gone are the days when good customer outcomes are limited to just paying claims. Insurers need to become integrated parts of any clients’ risk management structure if they are to remain relevant. Talking to several cyber risk service providers helps in developing a viable insurance product for ship owners. It is imperative that we get this right to provide a risk a management led solution to one of the marine industry’s most pressing ‘silent’ problems. A
Mr Gustaf Kristiansson is a marine underwriter at Markel International’s Singapore office. He is responsible for hull, builders’ risk as well as cargo risk underwriting.