Shortly before coronavirus was first detected, PwC published its Global Crisis Survey 2019, which found that crisis preparedness was rapidly becoming a source of competitive advantage. In the same way that financial institutions were put to the test in 2008/2009, the travel and hospitality sectors are currently bearing the brunt of the pandemic. Once the dust settles, we will see how well these organisations coped and whether those that were ‘crisis ready’ weathered the pandemic any better than their peers, just as some firms came through the financial crisis comparatively unscathed.
Back in 2019 the PwC study took the long view, and while it identified some health risks, it saw cyber risk gradually overtaking health risk, financial risk and all other risks to become the greatest risk that we all face. Indeed, there are some concerning parallels between the focus on revenue over risk in the run-up to the global financial crisis and what can be seen in the current cyber threat landscape (see this 5 minute video for an overview of the cyber risk context https://buff.ly/3asCeVT).
Surely, I don’t need cyber crisis preparedness as I have cyber insurance
Currently most companies don’t actually have any cyber insurance. Coverage rates are only 40% in the U.S. and 10% in the U.K. Elsewhere, it’s even lower.
Many cyber insurers boast that they can provide an insurance quote in under an hour. If they are able to provide cover for such a complex policy in such a short period of time, this should ring alarm bells. You should be concerned about their ability not only to accurately assess your risk position, but also to price the policy accurately.
Some insurers base their risk assessment on cyber security risk ratings. Some of these ratings are produced by firms that use web crawlers that check externally facing end-points for known vulnerabilities.
This is a fairly crude method, but it’s probably still the best way to address the mass market at low cost. The problem is, it’s a bit like evaluating fire-safety risk by looking at a photograph of a building taken from across the street. You can get an idea of the building’s shape and size … But you can’t tell if there’s flammable material inside, or if the building is equipped with fire alarms, or sprinkler systems. A photo like this is better than nothing; but it still provides only a basic, limited idea of the real risk.
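To make the "photograph from across the street" point concrete, here is a miniature outside-in rater of the kind the paragraph above describes. It is an added illustration, not the code of any ratings vendor or insurer, and every host, banner, port and "known vulnerable" pattern in it is constructed for the example. It shows two blind spots of scanning only what is visible from the public internet: a server whose vendor backports security fixes while keeping the old version string (as Red Hat does) gets marked down even though it may be fully patched, while a host with a clean exterior but no MFA and no tested backups gets a perfect score, because none of those internal controls are observable from outside.

```python
"""Miniature outside-in cyber risk rating (added example, not vendor code).

All observations, hosts and 'known vulnerable' patterns are constructed
for illustration; the version numbers are not real vulnerability data.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ExternalObservation:
    """What an unauthenticated crawl of a public endpoint can actually see."""
    host: str
    open_ports: list
    banners: dict              # port -> server banner string
    tls_min_version: str       # lowest protocol version the endpoint accepted


@dataclass
class InternalPosture:
    """Controls that matter for a real claim but are invisible from outside."""
    mfa_everywhere: bool
    tested_offline_backups: bool
    network_segmented: bool


# Constructed banner patterns standing in for a 'known vulnerable' list.
KNOWN_VULNERABLE = {
    r"Apache/2\.2\.\d+": "Apache 2.2 branch (end of life)",
    r"OpenSSH_5\.\d": "OpenSSH 5.x (outdated)",
}
WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def rate_from_outside(obs: ExternalObservation):
    """Score 0-100 from external observables only; 20 points off per finding.

    Note what is NOT an input: anything about patching practice, MFA,
    backups or segmentation. The rater simply cannot see them.
    """
    findings = []
    for port, banner in obs.banners.items():
        for pattern, why in KNOWN_VULNERABLE.items():
            if re.search(pattern, banner):
                findings.append(f"{port}: {why}")
    if obs.tls_min_version in WEAK_TLS:
        findings.append(f"weak minimum TLS: {obs.tls_min_version}")
    if 3389 in obs.open_ports:
        findings.append("RDP exposed to the internet")
    return max(0, 100 - 20 * len(findings)), findings


# Constructed hosts. 'shop' runs a distribution build that backports fixes
# but keeps the 2.2.x version string, so the banner match is a likely false
# positive. 'hq' looks spotless from outside but has weak internal controls.
HOSTS = {
    "shop.example": ExternalObservation(
        "shop.example", [443], {443: "Apache/2.2.15 (Red Hat)"}, "TLSv1.2"),
    "hq.example": ExternalObservation(
        "hq.example", [443], {443: "nginx"}, "TLSv1.2"),
    "legacy.example": ExternalObservation(
        "legacy.example", [443, 3389], {443: "Microsoft-IIS/10.0", 3389: ""},
        "TLSv1.0"),
}
INTERNAL = {  # never consulted by rate_from_outside()
    "shop.example": InternalPosture(True, True, True),
    "hq.example": InternalPosture(False, False, False),
    "legacy.example": InternalPosture(False, True, False),
}


def rating_ignores_internal_controls(host: str) -> bool:
    """True if flipping every internal control leaves the external score unchanged."""
    before, _ = rate_from_outside(HOSTS[host])
    # Simulate the customer fixing (or removing) all internal controls.
    INTERNAL[host] = InternalPosture(not INTERNAL[host].mfa_everywhere,
                                     not INTERNAL[host].tested_offline_backups,
                                     not INTERNAL[host].network_segmented)
    after, _ = rate_from_outside(HOSTS[host])
    return before == after


if __name__ == "__main__":
    for name, obs in HOSTS.items():
        score, findings = rate_from_outside(obs)
        print(f"{name:15} score={score:3}  findings={findings}")
```

Running it gives shop.example 80 on a single banner match that the distribution's backported fixes may already have addressed, legacy.example 60 for weak TLS and exposed RDP, and hq.example a clean 100 despite having none of the controls that would actually limit a ransomware claim. That asymmetry is the whole reason an outside-in score is cheap to produce and weak as a basis for underwriting.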
The reason some insurers can afford to base premiums on such crude risk metrics is that cyber insurance policies often include a host of provisions and exclusions that in effect make it impossible to claim for almost any incident. If they want to refuse to pay out, they are likely to find a way of justifying it. Indeed, almost the only reason they would pay out at all is to encourage other clients to sign up. So, if there is a global cyber crisis, they may well refuse to pay out on any policies and consider withdrawing from the market entirely.
Examples of common cyber insurance terms or exclusions are as follows: