How does a broker help clients navigate the complexities of purchasing cyber liability insurance?
In this episode of the Broker Feature, we speak with Gautam Mahey (Head of Property, Casualty & Financial Lines) from Pacific Prime. Gautam is a leader with nearly a decade of experience in the insurance industry. With a strong background in portfolio risk management across APAC, Gautam helps clients bridge gaps between cross-functional domains, corporate segments and markets, providing businesses with tailored cyber insurance and risk management solutions.
Watch Episode 2 here:
How widespread is the adoption of cyber insurance in the current market?
Gautam: When we talk about the current market, it is also really important to define the geographical scope of the current market. If you look at Asia—Singapore in general—the adoption of cyber insurance is not as strong as we expect it to be as compared to that of the US or the UK. [At Pacific Prime], we have offices all over the globe, so we sort of see the different rates of adoption. If we focus on where I am currently based—Singapore in Asia—I would say that the cyber market has grown, but only because the risk [of cyber threats] has grown. And the question is, would it have grown that much if the risks had not grown as much? [Cyber liability insurance] is different from policies such as directors liability and professional indemnity, where they have always been prominent and cyber insurance not as much.
In today’s day and age—again, when we say cyber insurance has grown in terms of market adoption, in the past it was only 2% of businesses that had it, maybe now it's 15%–20%. At the same time, it is important to run through those figures because we think that is not as much as it should be. In today’s day, 70% of businesses, if not all, should have this coverage. But when we speak about growth from 2% to 15%–20%, it's not where it should be, which is 70–80%. Looking at how many businesses are coming under threat and how many businesses are suffering because of cyber losses, whether or not they realise it. To reiterate, the cyber insurance market has grown, but not as much as it should.
When should an organisation start thinking about adopting cyber insurance? Does the size of the enterprise matter?
Gautam: We are talking about all industry scales: SMEs, and we’re talking about large businesses as well. And of course each of them has their own reasons.
MNCs have more data and information that is at risk, and they also have a huge reputation, which is also at risk. This could all be jeopardised if they are hit with a cyber attack. But on the flip side, they also have very good cyber security systems or have the investments that they can make towards cyber security systems. On the other hand, SMEs don’t have as strong cyber security systems, and a lot of them think that they are too small to come under the radar for being attacked or having a cyber breach, but those are the businesses that the cyber hackers could actually more easily penetrate into and take advantage of the vulnerabilities of. Because those are the kinds of businesses that, because of one cyber attack, could go under because of the kinds of losses they might face. For an MNC, maybe they could tide through a cyber loss of $200,000 to $300,000, maybe half a million or maybe more. For a small enterprise, a $250,000 loss could mean that their entire lives' savings or capital that they have gained are gone, and that could be much more catastrophic.
So I would say that all businesses, whether they are SMEs or MNCs, should have cyber insurance because smaller ones have high risk, but larger ones have an even higher risk, even though they might have some or more protection measures than the SMEs, so they should have it.
70% to 80% of businesses should have cyber insurance. Of course, the question is: who are the 20–30% who don’t necessarily need it? These are businesses that are more freelance in nature—a one- or two-man operation running a mini-mart—so maybe cyber insurance is not as essential. A freelance truck driver, a sole proprietor, or a delivery person who is a one-man show—these are maybe businesses that would not require cyber insurance, who are not online, who are more manual, who are more blue collar—those would fall under the 15–20% of businesses that could do without cyber insurance. However, for 70–80% of businesses involved in service manufacturing and data storage, having cyber insurance is essential.
What is the uptake of cyber insurance policies by small businesses?
Gautam: I think in the Asian market, the uptake is not as great as it should be. There are smaller businesses, and a loss of $200,000 to $300,000 is more catastrophic for them as compared to large businesses. They have limited resources and a [limited] client pool. If their client pool gets alienated, they suffer more than a large business would because they have a more diverse and larger client pool, and so on and so forth. They lack the proper cyber infrastructure and the knowledge as well. Some of them might not know what a phishing attack is, and some of them might not know how to deal with hackers in the case of a ransomware attack. Because of these reasons, they should have policies. The uptake is low because many of them feel that it is something that would not happen to them because:
1. They think they are too small to come under the radar—why would anyone want to attack me? What can they get out of me?
2. The thought that they are not in the US; we are in Asia, and these stories are not commonplace here.
3. Why they think they have immunity: because of the litigious environment. They might think that Asia is not as litigious in these kinds of aspects, such as privacy suits, etc., as societies, territories, and jurisdictions such as the US, UK, or Australia might be.
What are the most important coverages in a cyber insurance policy, such as customer notification, liability, business interruption, fund transfer fraud, and ransom and extortion?
Gautam: Of the three main things—and of course we as brokers want to recommend everything because we think everything is essential—the three things that they should focus on are firstly, third-party losses. If they are hit with privacy suits or any other kind of civil liability suit, they should be able to protect themselves. Secondly, ransomware, because money is a big part of what hackers are after. Thirdly, a policy that comes with a good crisis response team or crisis response management is really important because, unlike bigger companies, smaller companies and SMEs might not have a dedicated cyber team or a cyber security team, so for them to have an outsourced arm to take care of crises if and when they happen is really important.
Why do enterprises rely on brokers to obtain policy coverage?
Gautam: Firstly, as a broker, we are able to educate our clients with claims examples and market benchmarking: what sum insured should you get? What's the average premium supposed to be depending on the security systems, turnovers, and geographical split that you have? So on and so forth. If and when there is a claim, with a broker, you have an added arm of support to guide them, to help them, and to respond to their queries. As brokers, we are more aware of the market's offerings as to who would be a better insurer and who would offer better pricing for their clients to meet their budget as well as their requirements. Having a broker is definitely essential. Because all insurers only have a limited amount of resources, not all insurers might want to deal with clients on a direct basis as well.
I think the two most important are benchmarking and the ability to get [our clients] quotes from multiple sources so that they can do a comparison so that they can make an informed decision and understand the differences between one quote and the other. For example, one client might get two quotes from two different insurers for a one-million-dollar sum insured by each. Both of them might have the same deductible, but one of them might have co-insurance for ransomware while the other might not—which is a big difference in policy. One might cover ransomware while the other might not cover ransomware. One might cover social engineering while another might not cover social engineering. These are big differences that might otherwise seem insignificant to the layman, but as brokers, we are able to advise them on the different scopes of coverage, which can make a big difference to the kind of coverage that you have. In today's date, social engineering and ransomware losses are among the biggest and most frequent losses that take place. If these are excluded from your policy, or if you have high co-insurance or a low sublimit for these events, your coverage is really substandard as compared to other policies with the same premium.
These technicalities are not obvious to the layman, but we as brokers are able to look out for them for the clients because we do this as part of our job every day and we are able to advise on them in this economy.