Insurers are tightening up commercial property insurance policies as a result of Prudential Regulation Authority work, Simoney Kyriakou reports
Back in 2017, the Prudential Regulation Authority (PRA) set out to investigate non-affirmative and affirmative cyber risks in the general insurance market. Then, in 2019, Anna Sweeney, director of insurance supervision at the PRA, wrote to insurance bosses, warning that firms needed to do much more in relation to cyber insurance underwriting risks.
The 'Dear CEO' letter highlighted a disconnect between the potential cost of claims relating to cyber loss, compared with the low premium volume. The PRA implied insurers could face high volatility and reputational damage in the event of a significant cyber loss, especially where commercial property insurance policies did not explicitly cover cyber -- but did not explicitly exclude it, either.
Insurance companies have taken note of this, as well as missives from Lloyd's of London mandating greater clarity over what commercial property insurance policies cover in relation to a cyberattack.
Moreover, anything that might be considered to be a cyber loss -- for example, a data loss caused by flood or fire damage to a business's technology -- is now being clarified or even removed from policies.
As a result, brokers and sector analysts have noticed a tightening up of existing and new policies. Some businesses have been told their commercial property insurance cover is removing any elements of cover that arise from 'traditional' types of property loss. Others cannot get this cover when it comes to renewal or purchasing new policies, unless they spend more to get cyber cover as an add-on.
According to Rob Smart, technical director at insurance governance consultants Mactavish, this crackdown is leaving his business clients "exposed" and "underinsured" for technology-related risks.
He calls this an "alarming trend", saying: "While we welcome attempts to bring greater transparency to the insurance market, the redrafting of many commercial property policies is leaving clients underinsured and exposed to a range of broadly 'tech-related' risks, which they had believed would be covered."
Mr Smart believes this policy redrafting -- which he claims is happening with nearly every insurer -- goes "far beyond the intent of the Lloyd's mandate", which was supposed to bring clarity to what constitutes the insurance requirements for cyberattacks. Instead, it brings into the scope of this mandate any form of data loss, such as that caused by typical flood or fire damage to IT equipment.
Events that could lead to data loss include cyberattacks, the risk of fines under the General Data Protection Regulation, and climate change-related events such as seasonal fire and flooding risk.
Chris Andrew, fraud director for BAE Systems, highlights the fact that many commercial building property forms were drafted years ago, so it was reasonable for the regulating bodies to encourage insurers to update policies where necessary. After all, cybercrime such as hacking, phishing and malware attacks hardly existed even 20 years ago.
Coverage is essential. He states: "IT system security coverage is a necessary part of commercial insurance. From data storage servers to email login passwords, USB downloads within the company IT network, to third-party online payments services -- it is all commercial risk." And, as such, it needs to be paid for -- whether this means a hike in premiums for existing commercial property coverage, or that brokers recommend add-on tech and cyber insurance for their business clients.
Mark Andrews, director of insurance for Altus, says there "really is no excuse for data loss", given the availability of cloud technology, simple backup and archive processes, as well as disaster recovery implementation. "Too many companies stick with legacy tech rather than upgrading," he adds.
However, Mr Andrews adds, insurers could have taken a more measured approach: "Rather than stepping back from that risk, if they verified that necessary controls are in place, any subsequent loss would be an 'extraordinary event', because the business has done everything it can be expected to do, in which case it is something the insurer should cover."
The fact remains, however, that clients wanting cover for data loss as part of a commercial property policy will have to purchase additional, specific cyber loss insurance. This is making it harder for brokers and financial advisers who advise on insurance for their business-owning clients.
While the physical hardware should be covered, as the cost of damage is easy to measure, the loss of data is harder to quantify, as it is typically measured in business interruption and potential reputational damage.
However, Neil Liversidge, principal of West Riding Personal Financial Solutions, says that while it may be frustrating for business clients to rethink their coverage, it may benefit them in the long run.
"It is important in terms of pricing cover properly," he says. "A small business might need a sum assured of, say, £100,000 to restore its systems, a larger entity might need £5m.
"By making this cover an add-on, well-run firms can assess how much cover they need and insure accordingly."
Otherwise, if every policy automatically priced in data-loss risk for every company, Mr Liversidge says companies could see business insurance premiums "going through the roof for data-light businesses, with them effectively cross-subsidising the data-heavy".
Mr Liversidge adds: "In my world, data is everything, but I'm looking at two cafes, which have nothing more sophisticated than a till. Premiums need to be pitched proportionately to the risk."
Simoney Kyriakou is a freelance journalist