CFC Summit: Your burning cyber questions, answered

Rather than being industry-specific, our data shows that governance is key in determining whether a business understands and mitigates its cyber risk. 

If you tried to sell a cyber policy to a chief information security officer ten years ago, they might take the pitch as an accusation that they can’t do their jobs. That’s now changed, with most businesses today recognizing cyber as a corporate risk. But there’s still a perception gap. For example, businesses that outsource their IT infrastructure may claim they have no cyber risk, when in fact cyber insurance is vital for any business that uses computers. 

It's all about education. We must better explain what impacts cyber risk and what that risk entails, and how the true value of cyber insurance isn’t the words in a policy but the proactive prevention services that come with them. Here are six things every successful cyber broker knows.

The rising level of cyber risk isn’t uninsurable. It’s just heightening the need for businesses to purchase cover.

We’re investing heavily in our proactive prevention services, assembling the largest in-house team of cyber responders in market. Through vulnerability scanning, threat monitoring and real-time cyber attack prevention, we’re not just here to react when incidents occur but to stop them from happening in the first place. That’s all as part of a standalone cyber policy with CFC.

By working with law enforcement organizations across the globe, we’re looking to reduce the frequency of claims and tackle cybercrime for society at large. Law enforcement is making great strides in the cyber world, but as cybercriminals continue to adapt, so must we.

The insurance market can push forward the initiative initially, as we're seeing the need for it firsthand. But the body for an industry-wide declaration system has to be independent. Otherwise, there would be a natural conflict. We can't have an insurer-owned body declaring events off the back of which major reinsurance contracts and payouts are based.

That's why, on 1 January 2024, CFC is launching an independent cyber monitoring center, as we look to address the perennial challenge of systemic risk.

We're looking at the type of model that charities use, where insurance providers can be members without anybody actually owning the body. The body has to be staffed by a technical committee; four or five individuals from a variety of backgrounds across law enforcement, cyber security and so on.

Different wordings cover IP loss in different ways. At CFC, we specifically cover the recreation of data, which differs massively to merely the recovery of IP.

In a recent claim, an engineering firm fell victim to a cyber attack and lost a series of essential blueprints it used to pitch for new jobs. It transpired that the blueprints could not be recovered, but since the firm’s policy covered the recreation of data, extra resource was hired to recreate the blueprints from scratch. If the firm had a policy which just offered the recovery of IP, since the electronic files couldn’t be found, it would’ve been left with nothing.

It’s difficult to value and measure the loss of IP, but the extent to which IP can be recreated is a different story. So read the fine print and ensure you go with the right policy. Find more about our cyber products here.