March 9, 2023
Very few insurance policies are mandatory. Whilst forms of cover such as Public Liability, Professional Indemnity and Cyber Insurance are a strongly recommended addition to commercial clients' portfolios, the only cover firms are legally required to hold in the commercial world is Employer's Liability insurance.
Despite the well-publicised increase in cyberattacks, only 55% of companies have cyber insurance. When the exposures are so vast and affect most UK businesses, why aren't other product lines made mandatory?
In the modern business world, with most companies now transacting online, the largest risk exposures facing firms are cyber-related. Ransomware, data breaches and funds transfer fraud remain the biggest threats to a company's bottom line. Therefore, should Cyber Insurance be regulated and mandatory for firms in this digital age?
Below we have compiled a short article on the pros and cons of making Cyber Insurance a compulsory purchase.
Establishing a Baseline Standard of Cyber Security
Before offering a quotation, insurers would require a minimum level of cyber security from their insureds. Should Cyber Insurance become mandatory, businesses would have to review their current cyber security strategy and improve it to a standard acceptable to underwriters. Such improvements would strengthen the baseline standard of cyber risk management across the market, resulting in fewer claims per business.
Increased Competition Between Insurers
According to International Data Corporation (IDC), the cybersecurity market is growing at a CAGR of 23.6% and will reach a market value of $46.3 billion in 2027. Should Cyber Insurance become mandatory, there would be billions of pounds available in premium and increased appetite in primary cover for insurers. Increased competition would result in rate stabilisation and more choice for the insured, driving down premium levels.
Protecting SME Business
43% of cyber-attacks are aimed at small businesses, but only 14% are prepared to defend themselves. Whilst larger businesses can absorb the financial impact of a cyber-attack, cyber-attacks and other cyber-related exposures can have a detrimental effect on the solvency of SME businesses. By holding mandatory Cyber Insurance cover, SME businesses would mitigate the financial impact of a cyber-attack.
Encouraging Business Growth
Previously, we have seen Professional Indemnity and Liabilities as the subject of contractual requirements. However, more recently, Cyber Insurance is becoming a common contractual requirement between two parties looking to do business with each other. Compulsory Cyber Insurance removes these hurdles in contract negotiations.
Mandatory Cyber Insurance would also allow businesses to manage their cash flow efficiently and promote growth. Transferring the risk through insurance reduces the cash reserves a business would otherwise hold against potential claims, allowing those funds to be allocated to other areas such as growth and expansion.
Increased Ransomware Demands
Where Cyber Insurance is mandatory, cybercriminals would factor this into their strategy. When an insured is known to hold Cyber Insurance, threat actors could leverage this by increasing ransom demands after encrypting the client's systems.
An example of this:
Instead of requesting £5k to decrypt the client's computer systems, cyber threat actors would increase this to £20k, knowing the target's insurance would cover the payment with little impact on the business.
Additional Cost for The Insured
Insurance can be a costly expense for a small business. Most of a client's portfolio is purchased by choice (apart from Employer's Liability). Adding another mandatory purchase would increase the cost of their overall package, especially for firms that were not previously purchasing the policy or believed their cyber exposures to be relatively insignificant to their business.
Increased Claims for Insurers
Even with cyber security risk management improving under mandatory Cyber Insurance, insurers would see an increase in claims due to the sheer volume of cyber insurance policies they would be writing. A larger claims volume would lead to more stringent cybersecurity requirements and higher premiums in the forthcoming years.
A False Sense of Security
A mandatory cyber policy can lead a company into a false sense of security, believing it would be fully protected in the event of a cyber-attack.
This is not true. Risk transfer (via insurance) should remain the last pillar of a risk management strategy, with risk prevention being the most critical. Clients should therefore ensure they have best-in-class cybersecurity controls in place; insurance acts as a safety net if things escalate.
Should Cyber Insurance become compulsory, it is likely the mandatory cover would be limited to standard third-party covers only and would not include some of the key first-party covers such as ransomware payments, funds transfer fraud and business interruption. Despite not holding a comprehensive cyber policy, the client could be under the impression they are fully covered for all the various cyber exposures and therefore not look to explore additional covers that may be vital to their business.
As illustrated, there are various advantages and disadvantages to making cyber security insurance a regulated and compulsory purchase, and the debate continues amongst those involved in the market. Overall, the pros outweigh the cons: whilst risk prevention should be the first step in mitigating cyber risk, making cyber insurance a mandatory purchase would provide the protection and peace of mind businesses need when transacting in the modern business environment.
Written by George Grimshaw
Cyber Insurance Specialist - UK & International