Philipp Seebohm is the Head of Sales Cyber-Solutions DACH for Aon Germany. In the following interview, he shares thoughts on his career and discusses the potential of cyber insurance and the opportunities and challenges it poses. He also provides tips for what to keep in mind when buying cyber policies and looks ahead at how cyber insurance premiums are likely to develop.
Mr. Seebohm, could you tell us a bit about your background?
While earning my degree in a cooperative education program, I worked for a large insurance broker and got my start in the wonderful world of business insurance. Shortly after graduation, I discovered the up-and-coming field of cyber insurance. Through different training programs in information security, data protection, and risk management I supplemented my focus on the insurability of cyber risks with a growing interest in technical and organizational measures to keep information secure. Since November 2020 I’ve been in charge of Aon’s sales of cyber-risk-related consulting services.
Are there any anecdotes from your professional life that few people know about
It must have been about 2016 – cyber insurance was still quite a new topic. I was advising a company that became the victim of encryption malware – in the middle of one of our discussions. A very worried employee appeared and called the head of IT out of the meeting room. At that point we could skip over the part where I share examples of cyberattack damage.
What are your thoughts on the cyber insurance market – looking back and today?
When I look back, I almost get nostalgic. In retrospect, behavior on the cyber insurance market was naive, of course: premiums were extremely low and risk assessments barely took place. At the same time, I am increasingly critical about developments today. Proper underwriting – that is to say, a risk assessment – certainly makes sense and contributes to increasing security broadly in the medium term. However, the costs for cyber insurances combined with the limits on coverage imposed in some cases, especially for ransomware attacks, sometimes raise the question of whether coverage is worth it at all.
Most of Aon’s clients are larger companies, typically with annual revenue of EUR 500 million or more. Can’t large businesses simply invest in technical and organizational measures themselves and absorb any remaining risk on their own? To put it another way: what do both sides get from cyber insurance in the long run?
Naturally large companies can make frequent investments in information security, but they also face much higher risk potential than smaller ones do. It’s very difficult for companies to protect themselves from some threats, like those caused by zero-day exploits, but the consequences can be immense. Losing tens of millions of euros would represent significant damage for many large companies.
What preventative measures would you especially recommend for manufacturers?
In today’s high-pressure security situation, I think preparing to respond is especially important. Response covers everything from exercises for the organization (for example, in tabletop exercise formats) to creating playbooks and putting appropriate disaster recovery measures in place.
What technical developments in cybersecurity do you find especially interesting?
Topics involving AI-based anomaly detection and automated response to incidents are very exciting. In a few years, this approach could enable many smaller and medium-sized companies to significantly improve their information security.
Are any industries or types of companies especially difficult to insure?
Today very few insurers are willing to cover cryptocurrency companies, airlines, and companies that process a lot of credit card data (PCI data).
Could you share two or three less obvious points that companies should keep in mind when it comes to cyber insurance? Are there any tips or tricks
- Don’t just leave the emergency plan on the file server – print it out.
- Audits are absolutely necessary to determine whether technical (and organizational) measures are being implemented and applied correctly, for example at domestic and foreign subsidiaries. Systems are connected to such a high extent that a single weak point there can threaten information security throughout the company.
Is it true that insurance companies don’t pay claims in some situations – for example, if clients fail to take certain measures on time, or if information provided about the company’s IT is wrong?
Such cases exist, but they are exceptions. Organizational measures in particular can’t be captured in a binary yes/no questionnaire. For this reason, we provide an assessment tool for our clients that can reflect measures’ maturity levels and allows for comments, or we conduct a risk dialog with them. With either approach, we document measures as faithfully as possible and avoid non-compliance with precontractual disclosure requirements.
Are there any incorrect statements or half-truths that you regularly hear from other experts?
I get angry when I see cyber insurance presented as the silver bullet for every cyber risk. In the medium term, this attitude just leads to disappointment and misplaced investment. Actions to avoid risk in the first place are more important than insurances to protect the balance sheet. And insurances can’t be used to transfer all cyber risks – you have to look carefully and analyze what’s possible and what makes sense.
From today’s perspective: do you expect premiums to continue to increase, or to eventually fall again (adjusted for inflation, etc.) as security measures become more common at companies?
In the short term, I don’t expect premiums to ease notably – capacity, especially for basic contracts, is still very scarce and therefore expensive. As some new risk carriers enter the excess insurance market, we could at least see some stabilization there. I very much hope that premiums stop climbing soon and the market
Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.