Advisen takes a look at the European cyber risk landscape with Kyle Bryant, regional cyber manager for ACE Continental Europe, and Gilbert Flepp, first-party cyber risks manager with ACE Continental Europe.
Advisen: What are the greatest cyber risks in Europe today?
Kyle Bryant: There is a great amount of uncertainty over how the regulatory landscape will shape up in Europe in the next 6-12 months and this is a critical period for cyber regulation in the region.
The outcome of individual countries’ actions and Europe-wide decisions from the EU will have a significant bearing on how cyber risk is perceived and handled within corporations.
Secondly, I would add that reputational risk is motivating conversations with our clients today. There is limited regulatory burden for reporting breach events, so individual companies have to handle communications with their vendors, supply chains and customers.
Gilbert Flepp: The increasing reliance on data processing facilities is a real issue in Europe currently. The more companies are reliant on outsourcing data processing – and across national borders – the more vulnerable they are to an interruption of IT systems.
Advisen: What will the greatest risks be in five years’ time?
Gilbert Flepp: Many of the emerging cyber issues – such as driverless cars, or the Internet of Things – will be an increasing part of our daily lives in five years’ time. These pose new risk management challenges that corporations and the insurance industry will have to address.
As Kyle mentioned, the regulatory landscape in Europe is changing and even if delays occur to current developments, in five years’ time we will have stricter cyber regulation. This will drive more risk awareness at a corporate level.
Kyle Bryant: The interconnectedness of companies will only increase and this will bring more challenges for risk managers. Many technological developments are positive – the cloud, software scalability, processes, the Internet of Things – however, these also bring new risks. These new risks will not be controlled using traditional risk management practices, but will necessitate a shift in the way risk is managed within organizations. Insurance will play a part in helping risk managers to control this process of change.
Advisen: What should the insurance industry be doing to address those risks?
Kyle Bryant: Privacy is a well-developed concept in Europe and risk managers generally have a handle on the associated risks to their corporation.
However, many European companies are just beginning to assess their cyber security and the insurance industry needs to put itself in the shoes of the risk manager at this crucial stage to understand what it is they need.
To do this, insurers and brokers need to have expertise on the ground that can align with the risk profile those companies face.
The insurance industry’s biggest role is to act as an additional resource as risk managers assess their cyber risks and upgrade their IT systems to cope with changing threats. We need to design a policy that can bridge that gap for them as their IT capabilities evolve.
At the same time, we need to recognize that the cyber insurance market is young and there is still a real need for education – of both brokers and clients – on cyber exposures. This will ensure the long-term health of the marketplace.
Gilbert Flepp: While it is important to have a stand-alone cyber product, adaptation is key. The ability to communicate across lines of business and across geographical borders is critical.
Insurers that can put together multi-discipline teams – from the property, crime, general liability lines – will be more successful. With the all-encompassing nature of cyber risk, the industry needs to be able to escape its ‘silos’ and bring together specialists in each aspect of the risk.
Advisen: How is ACE aligning itself in Europe to support its clients?
Gilbert Flepp: As we said before, our clients increasingly work across borders and therefore we need to be flexible and global to best meet their needs.
We have been writing first party products in Europe for a long time and have dedicated cyber underwriters in most countries across Europe.
We already had a multinational cyber capability, but recently we have formalized that into a cross-border cyber practice. Kyle’s move to Europe from the US was one major part of that.
Kyle Bryant: We are being deliberate and methodical about our cyber practice in Europe: We are asking our clients and brokers what they need and what their biggest concerns are. We need to recognize their concerns and ensure we have a real appreciation for the voice of each European country.
Only by doing this can we tailor flexible solutions across borders and across coverage lines.
Advisen: In your opinion, what is the greatest development in the cyber risk sector in the past 12 months?
Kyle Bryant: I’ll highlight two, if I may!
Firstly, many of the different rulings in the EU regulatory environment (including the ‘right to be forgotten’, compliance across borders and rulings on the location of processing versus the site of data collection) will have lasting impact on the cyber risk landscape in Europe.
Secondly, the increased awareness of critical infrastructure risks – such as the reported Norwegian oil and gas incident – has raised cyber discussions to board level.
However, there is inevitably a delay between these discussions occurring and processes being in place should an incident occur. This is where insurance has a role to play in providing some certainty in a volatile environment.
Gilbert Flepp: The development and design of internal cyber governance and security has moved forward dramatically in this past year.
Now, almost all corporations have a multi-discipline approach to cyber risk, combining the expertise of the entire organization and the board of directors.
Crucially, insurance is a part of that conversation and the increase in submissions that we receive is testament to that.