This is what your cyber policies should focus on

By Jason Contant | February 1, 2018 | Last updated on October 30, 2024
2 min read

Business interruption should be the focus of cyber insurance policies nowadays, Lindsey Nelson, international cyber team leader with CFC Underwriting, said to Canadian Underwriter in an interview on Monday.

“I think it might be a matter of insurers are really focusing on the wrong aspects of cover… to sell to clients,” Nelson said.

While cyber policies typically include first and third party coverage, a “massive focus” of the cyber conversation still revolves around third party liability, such as data breaches and privacy liability. “When we talk about third party liability and cyber and privacy, those words are very much U.S.-driven and U.S.-focused terminology for very large companies,” Nelson said.

But when speaking to clients, especially those outside of traditional industries like healthcare and retail, third party liability is a lot less relevant to them. “If you are looking at a manufacturer, for example, they’re not going to hold large amounts of data, but they are going to have huge business interruption exposure,” Nelson said. “So why are we still going to a manufacturer and talking about the word cyber and privacy liability when they don’t have any data?” she asked.

Instead, Nelson recommends shifting the focus to first party exposures. “So, if your systems go down for a certain amount of time, how much money are you going to lose as a company and what’s your reputational harm exposure going to be if you have an outage that leads to business interruption?”

An outage could even take the form of a ransomware attack. While media stories tend to focus on the ransom amounts in these types of attacks, “what’s less mentioned is the business interruption exposure that results from your systems being down because those files are encrypted and that’s where the costs really incur for clients,” Nelson said.

Once the conversation includes first party exposures, that allows insurers to expand who they are selling the coverage to, she added. “We could go to an architect or a law firm or a manufacturer and start talking about business interruption and then, even a step further, cybercrime, and that all of a sudden becomes more relevant to them and they see the value in purchasing a cyber policy.”

Catherine Evans, vice president of Marsh Canada, said that insurers are starting to move more into business interruption coverage. “Insurers are pushing more into the areas where it’s really more of an operational disruption issue, as opposed to a privacy loss type of concern,” she said. “So, really, they are targeting some of those industries that haven’t had a significant appetite for this type of cover to date,” such as manufacturing, mining and energy.

Jason Contant