CyberCompare talks cyber insurance (2): risk assessment & claim

Ole Sieverding

Interest in cyber insurance is growing, and that translates into lots of questions about the industry: What is the cyber insurance market like today? What risks should cyber insurance for an SME cover? Should ransom payments to hackers be included, or should companies targeted by ransomware attacks refuse to pay on principle? In our interview series, we discuss current questions about cyber insurance with industry experts. Ole Sieverding, Underwriting Manager for cyber insurance at specialty insurer Hiscox, is our second interview partner.

Ole Sieverding, Underwriting Manager for cyber insurance at Hiscox

Mr. Sieverding, could you tell us a little about your background?

I’ve been responsible for cyber insurance at Hiscox in Munich for five years now. At the beginning, cyber insurance was still a work in progress – a tender shoot that needed a lot of care. Since then, and thanks to the accomplishments of our whole team, it has become the top growth driver in our portfolio and a fundamental part of our strategy. Before taking on cyber insurance I worked in sales in Hamburg.

Are there any interesting anecdotes from your professional life that very few people have heard?

I actually wanted to work in banking and so I studied corporate finance. I came to insurance by chance, where my day-to-day work now revolves around IT security and dealing with cyber threats. At the beginning, I had no specialized knowledge on these topics at all. But I am convinced that the most important hiring criteria – more important than any official professional qualifications – should be a candidate’s attitude and willingness to learn. I would like to see more examples of varied career paths. That takes courage, of course, on the part of both job seekers and hiring companies.

What are your perceptions of the cyber insurance market – both looking back and today?

The first years were euphoric. Motivated by growth ambitions, more and more insurance companies brought out their own cyber products. The benefits expanded, capacity grew, and competition caused prices to fall. As a result, awareness of cyber insurance kept increasing and many companies bought this new type of additional coverage.

Today insurers are growing more cautious. They’re not just reading about cyber damage in the media, but seeing – and especially, feeling – how it affects their own customers. A situation like that inspires a steep learning curve in terms of both risk assessment and pricing. I am certain that German companies will continue to be able to find the right cyber insurance offerings for their needs. At the same time, prerequisites for coverage will become more specific. And as risk increases across the board, premiums will continue to rise. In a certain sense, the market is growing up.

Do any industries or types of companies have an especially hard time getting coverage?

In many lines of business, it has become common practice to assess a company’s risk based primarily on its industry or activities. But this question plays a subordinate role in cyber insurance. No matter what the company actually does – computers with standard software are used in nearly every field. Each company’s cyber risk situation and, of course, its ability to ward off risks depends on the maturity of its IT security systems. Businesses that never paid attention to IT security and now think they can completely transfer their cyber risk to an insurer will have a hard time getting adequate coverage.

Are there two or three less obvious aspects of cyber policies that companies should keep in mind? Could you share any tips or tricks?

First of all, it’s often tempting to just look at the price. But these customers are usually in for a big disappointment when they need to make a claim.

My tip: before signing a cyber policy, spend some time actively thinking about your cyber risk. Develop concrete worst-case scenarios so you better understand the points where you need cyber insurance as support, and then build that into your emergency plan. In general, you should regularly simulate crisis situations so that you can rely on your processes if the worst happens.

I also recommend looking at your potential insurer’s experience specifically in cyber coverage. A broad network of experts and well-oiled processes pay off when you really need it: during your own cyber crisis.

Is it true that insurers don’t pay claims if, for example, companies don’t conduct audits or employee training on time?

We’re taking a deep dive into insurance law here. When a claim is made, the specific case and underlying insurance terms are what count. In my view, the hurdles are extremely high for an insurer to refuse to pay any benefits in response to a claim event. Willful action by the customer would need to be involved. I like to explain cyber insurance by comparing it to a roadside assistance policy from an automobile association: the insurer’s role is to be at your side as a strong partner in a crisis and to resolve the situation as fast as possible. Keeping damage down is in both parties’ interest.

With our Hiscox cyber insurance, for example, we offer companies who sign with us access to preventative services, like employee training programs, at no charge. These programs are updated each year based on our experience from the claims that we’ve resolved with our customers. In this way, the policyholder community can learn from one another and prevent certain patterns of loss from the start. Participation is completely voluntary and intentionally has no bearing on the benefits paid if a claim is made. In fact, we go a step further and offer to reduce the customer’s elected deductible if its employees successfully complete our cyber training.

Are there any other misrepresentations or half-truths that you frequently hear, even from experts?

Most industry surveys on cybersecurity indicate that many companies face enormous risk. And this risk is widely recognized in general – but interestingly, individual companies don’t think it applies to them. Attitudes like “that will only happen to the others” or “hackers have no reason to be interested in me” are very stubborn. Cyber risks can affect anyone, not just the others. Which brings us precisely to the problem – most hackers are opportunists, and companies that think this way are the easiest prey.

What preventative measures would you recommend, especially for manufacturers?

Practice, practice, practice. Don’t just build up protective walls: the most important thing is to think about your response to a cyber crisis and test emergency scenarios within the company.

What technical developments in cyber security do you find especially interesting?

This doesn’t exactly answer your question, but the human factor still fascinates me despite all the technical advances that have taken place. I’m especially impressed when companies emerge from a cyber crisis stronger than before thanks to open communication and transparency.

In the first part of the cyber insurance series, Alexander Schudra, Head of Cyber Insurance at ERGO Group AG, gives answers on which cyber risks should be insured against.

In the third part of the cyber insurance series, Hanno Pingsmann, CEO / Founder CyberDirekt, gives tips & information on cyber policies.

Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.