top of page
  • Rosanna Hayes

Selling Cyber Insurance in a Hard Market

It has been almost 20 years since we last saw a true ‘hard market’ for business insurance, and in fact, many of today’s insurance professionals will not have experience of trading under these conditions.

However, one infrequently discussed difficulty faced by brokers and insurers, is trying to sell to a generation of customers who’ve never purchased insurance in a market such as this.

This challenge is most evident in the cyber insurance market. Regulatory requirements (PRA Supervisory Statement, SS4/17 Cyber insurance underwriting risk, July 2017) and the outcome of the Lloyd’s review, means that all property policies incepting in 2020 should make the status of cyber cover clear, either positively affirming cover (and charging appropriately) or excluding cyber risks in robust and clear exclusions. With many insurers choosing the latter option, cyber risk insurance must now be purchased as a separate policy, to ensure that cover gaps are minimised. This of course will result in further costs to the insured. The challenge faced by brokers today is justifying this additional policy need and the associated expense.

Often clients are not convinced they need cyber cover and with such a relatively new class of cover, the lack of historical experience together with the very nature of cyber risk and its continuous evolution creates further challenges for brokers when quantifying cyber risk for their clients. Due to the constantly changing threat and software vulnerabilities, the complexity of cyber insurable risk is notoriously difficult to convey and often it would require a specialist risk management assessment to clarify and quantify the true risk. Rising to this challenge is an expense for brokers and, as there has been plenty of options for clients, the low cost of cover and available margins hasn’t always justified the cost of investment.

Several factors are likely to reduce the demand and often willingness of clients to pay for coverage including a lack of awareness of the potential losses from cybercrime and a lack of understanding of the need for coverage. A solution to the issue would be for brokers to start a discussion with their clients around the most common cyber risks they face and the potential size of their loss.

Discuss cyber risk

Business email compromise

When users of online office automation and messaging solutions fall victim to phishing scams, the attackers use the stolen credentials to commit unauthorised access resulting in data breaches and fraud. A failure to comply with GDPR regulations, for instance, in failing to identify all data subjects who may be at high risk, can result in the associated penalties and fines.


Ransomware causes a substantial proportion of all disruption to business and accounts for 41% of all cyber insurance claims. Even where a ransom is paid, victims may not recover all the lost data. This causes significant issues for a business, particularly when the victim is not adequately protected against the losses incurred.

IT services disruption

When a business’s IT service providers (cloud services, domain name system [DNS]), or physical power supply is attacked, it can lead to operational disruption. This is sometimes just minutes, however, often it can be much longer leading to a crippling of the business, its services, and its reputation.

What solutions can you offer?

It is quite clear that the only thing worse than not being able to get to your data is someone else being able to.

Not only do customers trust that their information is safe, but the law protects them in this. It would be wise for all businesses to ensure they are knowledgeable about the GDPR regulations. It is the responsibility of businesses to ensure their customers’ personal data, financial and sensitive information is protected from hackers and data leaks. With GDPR regulation adhered to, and cyber insurance in place, the risk of fines and large pay-outs is greatly reduced.

When a broker offers clarity over possible solutions and finds a policy that meets their client’s specific needs, then the customer gains confidence in the insurer and a resolution to their potential cyber risk concerns. STORM’s Cyber|Decider is a cyber insurance policy comparison engine, allowing a broker to compare leading policies to find the best match for the customer.

However, before insurance is purchased it is imperative that the correct risk factors are addressed so that brokers can help clients present their business risk management approach in the best possible light to underwriters. With key risk indicators clearly understood and managed, the insurer can offer the best terms – this is where the CYBER3 assessment can enhance a broker’s offerings. The service has been designed specifically for existing or prospective cyber insurance clients and provides each client with a comprehensive review of cyber risk as it applies to their business and a maturity rating which can be easily reviewed by brokers and insurers over time. This approach enables brokers to add some real value-added risk management services at a time when the hardening market is increasingly forcing brokers to differentiate on quality.

Offer potential for savings in other areas

There is no avoiding the additional cost to business a separate cyber insurance policy will incur.

Having addressed the cyber risk concerns of business today, together with the potential solutions, it may be worth a broker opening discussion on the various ways the client could save money in other areas of their business.

  • Look at cover across other lines of business. What is needed? Can any savings be made on 'nice to have' cover areas?

  • Look at package options – is there one policy which includes all areas of cover needing to be insured?

  • Is there potential for layering?

  • Run retention and self-insurance options to identify possible savings - avoid 'pound swapping' with insurers.

  • Differentiating with affordable services such as CYBER3: Rapid Risk Review

  • Consider alternative cover options such as parametric insurance – STORMs Cyber.Care service offers an immediate response to cybercrime for small businesses who pay a low monthly or annual hotline access subscription. This incident support may complement any parametric insurance payment.

According to the Allianz Risk Barometer 2020, cyber incidents pose the greatest threat to businesses today. We’ve known of the numerous other damage and disruption scenarios for many years and have insured against these losses accordingly. However, it has never been more critical to take out separate cyber policies than it is right now. It may be a hard market, however opportunities to add value now mean that when change comes, those brokers who have differentiated with affordable, insurance-aligned cyber risk management offerings, will be those who both defend and grow their cyber books.


Subscribe to STORM
cyber security insights

Stay informed on the latest trends in digital security, cyber insurance, incident response and more with our industry leading insights, blog and webinars.

bottom of page