An intro to cyber insurance for SMEs

Stephen Ridley, Lead Cyber Underwriter

Business insight

3

ENHANCE FLEXIBILITYBeing able to choose what and how much to include

is appealing

01

SIMPLIFY LANGUAGEThey still may not know enough to decide which to

include – simplify policy language and buying

process

INCLUDE SERVICESThese came through as very appealing aspect of

proposition – consider including this component in

the base product

02

03

What do businesses want?Getting the structure right

CONSULTATIONAs many don’t know exactly what they need to do, a

consultation when they first sign up to evaluate

existing policies and measures and advise on

improvements would be valued

04

4

SPECIALIST ADVISORCyber is a new purchase. Customers want objective

guidance to ensure they get the right cover for their

needs. Can an advisor go through a series of

scenarios one on one?

01

SIMPLE QUESTIONSThey don’t know exactly what they need. Questions

to form the quote need to be simple and easy to

answer

ADVICE ON BUILDING

QUOTEThey are open to being educated and adding

additional cover – in order to do they need

objective, genuine advice but not a sales pitch

02

03

What do businesses want?Enhancing the purchase process

5

LEAD WITH SERVICESThe most unique feature and addresses key needs,

especially for those less engaged in category

01

TAILORED APPROACHPromote ability to pick and choose to suit business

size and needs

PROVIDE EVIDENCESuccess stories to show what happened when they

claimed, especially showcasing how a loss is

valued

LEAN ON HISCOX

EXPERTISEFew have a cyber insurance benchmark but believe

you get what you pay for so want to go with reliable

providers

02

03

04

What do businesses want?Communicating about the new product

Spotlight on cover:

Hiscox CyberClearWhat does a typical policy look like?

Own lossesClaims and

investigations

Financial crime and

fraud

Property damage

Hiscox CyberClearWhat does a typical policy look like?

Own losses

• IT forensics to get to the bottom of what has occurred

• Legal costs to determine next steps

• Notification costs to regulators and customers, if

necessary

• Provision of credit monitoring to affected individuals

• PR / communications support, including call centre

set up

• Ransom payments – where necessary

• Data / system rectification costs

• Lost revenue or increased costs incurred as a result

• Temporary recruitment costs

Hiscox CyberClearWhat does a typical policy look like?

• Legal costs to defend lawsuits

• Damages awarded or settlements made

• Regulatory investigations, including GDPR

• Fines / penalties, where insurable

• Breaches of PCI-DSS

• Claims for onward transmission of a virus

• Defamation or breach of IP arising from online

content, including social media

Claims and investigations

Hiscox CyberClearWhat does a typical policy look like?

• Systems being hacked and funds / property stolen

• Employees being conned in to transferring funds to

criminals

• Customers / suppliers being conned in to paying to

criminals, following a hack of your system

• Corporate identity theft

• Fake, imitation websites being set up

Financial crime and

fraud

It’s not just about insurance cover

The Hiscox CyberClear AcademyBackground

12

The CyberClear Academy is an online cyber security training tool available for Hiscox cyber insurance policy holders and their employees. Its benefits:

• Extensive training on cyber security, featuring over ten modules including phishing, social engineering, password safety, BYOD and social media use

• Content is tailored based on existing knowledge

• Learning is continuous – on-going employee cyber awareness training

• Helps clients to stay cyber compliantwith regulatory obligations

Cyber claims proposition

Cyber insuranceClaims proposition for traditional vs cyber

14

Cyber insuranceClaims proposition for traditional vs cyber

15

vs

Cyber insuranceThe claims proposition

What are the mechanics of getting covered?

18

Hiscox CyberClearPortfolio underwriting

Question 0-1m 1m- 10m 10m - 50m 50m +

Are you Cyber essentials accredited? Yes Yes Yes Yes

Do you have a formal password policy that explains good password hygiene, such

as not using obvious or repeated passwords, for all systems providing access to

personal or confidential information?| No Yes Yes Yes

Do you update all systems including firewalls and anti virus software at least every

30 days? No Yes Yes Yes

Are full system backups taken at least weekly and stored either off site or

disconnected from your network? No No Yes Yes

Do you hold, process, transact or store any of the following personally identifiable

information (other than your employees' information);

credit or debit card information;

bank details;

medical information;

or government issued identification? No Yes Yes No

For how many people (including customers, employees and suppliers) do you

process, transact or store any of the following information;

credit or debit card information;

bank details;

medical information;

or government issued identification? No Yes Yes Yes

How many people do you process, transact or store basic profile information

(name, address, email, phone number)? No Yes Yes Yes

Do you have a policy to encrypt mobile computing devices (for example laptops,

tablets, mobile telephones, PDAs) and portable data storage media (for example

external drives or magnetic tapes) which hold, process, transact or store any of

the above personal data? No Yes Yes Yes

Are you compliant with the Payment Card Industry Data Security Standards

(PCI/DSS)? No Yes Yes Yes

Turnover

Cyber insuranceHow is cover priced?

19

Vehicle groupDriver’s

age/experienceLocation Usage

Security devices

Modifications = Premium

Base ratingCulture /

awareness

Understanding data /

assigning responsibility

Managing security

Patch management

Identifying issues

Readiness for breach

= Premium

Motor

Cyber

Thank you