Should Cyber Insurance be regulated & mandatory for firms? 

9 Mar 2023

In today's world, most companies are operating and transacting online, increasing their overall exposure to cyber-related risks. We have highlighted the pros and cons of making Cyber Security Insurance a compulsory purchase.

Very few insurance policies are mandatory. Whilst forms of cover such as Public Liability, Professional Indemnity & Cyber Insurance are strongly recommended additions to a commercial client’s portfolio, it is only mandatory for firms to have Employer's Liability insurance in the commercial world.

Despite the well-publicised increase in cyberattacks, only 55% of companies have cyber insurance. When exposures are so vast and affect most UK businesses, why aren't other product lines made mandatory?

In the modern business world, with most companies now transacting online, the largest risk exposures facing firms are cyber-related. From Ransomware and Data Breaches to Funds Transfer Fraud, these exposures remain the biggest threats to a company's bottom line. Therefore, should Cyber Insurance be regulated and mandatory for firms in this digital age?

Below we have compiled a short article on the pros and cons of making Cyber Insurance a compulsory purchase.   

Pros

Establishing a Baseline Standard of Cyber Security 

Before offering a quotation, insurers would require a minimum level of cyber security from their insureds. Should Cyber Insurance become mandatory, businesses must review their current cyber security strategy and improve it to an acceptable standard for underwriters. Such improvements ensure a strengthened baseline standard of cyber risk management, resulting in lower claims per business.

Increased Competition Between Insurers

According to International Data Corporation (IDC), the cybersecurity market is growing at a CAGR of 23.6% and will reach a market value of $46.3 billion in 2027. Should Cyber Insurance become mandatory, there would be billions of pounds available in premium and increased appetite in primary cover for insurers. Increased competition would result in rate stabilisation and more choice for the insured, driving down premium levels.   

Protecting SME Business

43% of cyber-attacks are aimed at small businesses, but only 14% are prepared to defend themselves. Whilst larger businesses can handle the financial impact of a cyber-attack, cyber-attacks and other cyber-related exposures can have a detrimental effect on the solvency of SME businesses. By holding mandatory Cyber Insurance cover, SME businesses mitigate the financial impact of a cyber-attack.

Encouraging Business Growth

Previously, we have seen Professional Indemnity and Liabilities as the subject of contractual requirements. However, more recently, Cyber Insurance is becoming a common contractual requirement between two parties looking to do business with each other. Compulsory Cyber Insurance removes these hurdles in contract negotiations.  

Mandatory Cyber Insurance also allows businesses to manage their cash flow efficiently and promote growth. Transferring the risk using insurance allows the business to allocate funds towards other areas of the business such as growth and expansion by reducing any cash reserves that would be used for claims.  

Cons

Increased Ransomware Demands

Where Cyber Insurance is mandatory, cybercriminals would factor this into their strategy. When an insured has Cyber Insurance, threat actors could leverage this by increasing ransom demands after nefariously encrypting the client’s systems.

An example of this:

Instead of requesting £5k to unencrypt the client’s computer systems, cyber threat actors would increase this to £20k, knowing the target's insurance would cover them with little impact on the business. 

Additional Cost for The Insured

Insurance can be a costly expense for a small business. Most of a client’s portfolio is purchased by choice (apart from Employer’s Liability). Adding another mandatory purchase will increase the cost of their overall package, especially if they were not previously purchasing the policy or believed that their cyber exposures were relatively insignificant to their business.

Increased Claims for Insurers 

Despite cyber security risk management improving with mandatory Cyber Insurance, insurers would see an increase in claims due to the sheer scale of cyber insurance policies they are writing. A larger claims volume will lead to more stringent cybersecurity requirements and higher premiums in the forthcoming years.   

A False Sense of Security

A mandatory cyber policy can lead a company into a false sense of security, believing it would be fully protected in the event of a cyber-attack. 

This is not true. Risk transfer (via Insurance) should remain the last pillar of a risk management strategy, with risk prevention being the most critical. Therefore, clients should ensure they have best-in-class cybersecurity controls. Insurance acts as a safety net if things were to escalate.

Limited Coverage

Should Cyber Insurance become compulsory, it is likely the mandatory cover will be standard 3rd Party covers only and will not include some of the key 1st Party covers such as Ransomware payments, Funds Transfer Fraud & Business Interruption. Despite not having a comprehensive cyber policy, the client could be under the impression they are fully covered for all the various cyber exposures and therefore not look to explore additional covers that may be vital to their business.

Summary

As illustrated, there are various advantages and disadvantages to making Cyber Security Insurance a regulated and compulsory purchase, and the debate continues among those involved in the market. Overall, the pros outweigh the cons, and whilst risk prevention should be the first step to mitigating cyber risk, making cyber insurance a mandatory purchase would provide the protection and peace of mind businesses need when transacting in the modern business environment.

Global Headquarters

Servca Group

Dukes House

32-38 Dukes Place

5th Floor

London, EC3A 7LP

United Kingdom


+44 (0) 207 2250000

info@servca.com


Broker at Lloyd’s SLM1389

European Office

Servca Europe

Dragonara Business Centre

Dragonara Road

5th Floor

St Julian’s, STJ 3141

Republic of Malta


+356 (20) 341690

eu@servca.com


Broker at Lloyd’s (Brussels) SLM1883

Canadian Office

Servca Canada Insurance Group Inc
40 King Street West
Suite 2100
Toronto
M5H 3C2
Canada


+1 (647) 846 5555

canada@servca.com


Non-regulated servicing company

Northern Ireland

Servca Northern Ireland
River House Belfast

48-60 High Street

Belfast

BT1 2BE



+44 (0) 2895582000

ni@servca.com


Broker at Lloyd’s SLM1389

© 2024 Servca


Servca Group Ltd is a private limited company registered in England and Wales; Registered Number: 7727494; Registered Office: Dukes House, 32-38 Dukes Place, 5th Floor, London, EC3A 7LP, United Kingdom. Authorised and regulated by the Financial Conduct Authority. Servca European Insurance Brokers Ltd (a private limited company incorporated in Malta and enrolled to act as an insurance broker); Tower Business Centre, Level 3, Tower Street, Swatar, BKR, 4013, Republic of Malta. UK branch office is registered in England and Wales, authorised and regulated by the Financial Conduct Authority. Servca Canada Insurance Group Inc, a private limited company incorporated at 40 King Street West, Suite 2100, Toronto, M5H 3C2, Canada. Servca group of companies are owned and operated by Servca Group Holdings Ltd, a private limited company registered in England & Wales.
