Mike Ashurst:
Hi everyone. Welcome to today’s ICMIF webinar: “All things cyber, what you need to know about providing cyber insurance coverage to your clients”.
I’d like to introduce our speakers today. First of all from Berkeley Re Solutions, we have Michael Born and Jeff Cron. They will be delivering the first half of the presentation. Michael is SVP commercial cyber liability product leader, and Jeff is VP & solutions leader. Then later on in the presentation we will have a case study from Anders Nises, who is the team leader of group reinsurance at LF (Länsförsäkringar) in Sweden. So welcome to you all and thank you for joining us today. Without further ado I’ll hand you over to Michael to start the presentation.
Michael Born:
Thank you, Mike. We are thrilled to be here with ICMIF and its members to talk a little bit about cyber insurance, a very hot topic right now, and to let you know a little bit about what’s happening in the cyber insurance world, what’s happening with cyber threats, and how you might be able to offer some solutions to your clients even if you don’t necessarily have expertise in-house.
Our agenda is we’re going to start by talking about the personal lines and family cyber piece. It’s a piece that we haven’t focused on in the past but it’s getting more important and Jeff is going to talk about that. Then we’ll switch over and talk a bit about the commercial lines and what is happening with the commercial lines, which is a bit more developed in this field.
Then we’ll talk about a hybrid cover that will deal specifically with farms and agriculture, which again is becoming a more and more important area of cyber risk exposure and potential insurance solutions. Then we’ll talk about how you can partner with experts and other turnkey providers to help launch a cyber program without taking too much of the risk and without having to have your own expertise in house to do so, it’s a way to jumpstart your program.
Finally, we’ll hear from Anders who will tell us a little bit about their experience in implementing one of these turnkey programs in partnership with Berkeley. So without taking too much more time, we’ve got a lot on our agenda. This is the intro page with some of our contact information. We’ll jump right into family cyber and I’ll turn it over to Jeff.
Jeff Cron:
Thanks. As Michael said, family cyber is newer, personal line cyber is newer, kind of the last couple years now. This slide really goes through how we got here with the development of these personalized cyber programs and what we’re seeing so far. This really came about through our partnerships and relationships, we were having a lot of conversations about the changing nature of cyber, as both in the commercial space, but also and probably more importantly in our daily lives.
We were discussing the risks and coverages available, but really more importantly on the personal lines side, I kept coming back to this same coverage gap that existed in the market. It kind of took us backwards where we were thinking about how our commercial product evolved over time, which started with very traditional general data breach coverage, but as time has gone on has evolved into full cyber suites. Bringing in new and advanced coverages, business interruption, extortion, adding additional risk management services.
We’ve felt that that same transition was kind of on the verge of coming to the personal lines space. Where most people in the market had an identity theft solution, whether it contained insurance or just contained services, it’s been around for a long time and frankly it’s not going far enough anymore. So that opportunity really led us to develop and create this personal lines cyber product. What we look at today and talk about today, we think will be different in the next three to five years as this product continues to evolve over time as that cyber risk evolves as well.
This slide and really the next couple of slides, they go through some numbers and stats, and I’m not going to read all of these numbers off the page to you but it’s clear that the risk is there. Actually, here we go. It’s not cooperating but anyway, we’ll move through the slides here. What should be there is a slide that talks about how many cyber risks are out there on a daily basis.a number of attacks per year, number of attacks per day, per hour. And really what we always say is that these numbers were out of date the day we wrote them. You just can’t keep up with this growing number of attacks.
But it’s also key to recognize how frequent these attacks are, and it’s amazing to think about the sheer volume of emails that are sent every day. You see that 300 billion emails are sent every day. More importantly, 90% of those are spam. That means 270 billion spam emails are sent every day, all of which have some sort of end goal. If it’s general marketing or some sort of scam or phishing scam, whatever it may be. That volume of risk is in our everyday connected life and just something to think about as we put all of this into perspective.
This next slide further highlights those touch points and connections that we’re all dealing with, really focusing on the internet of things. Our connected devices and all those things that are going on in the world today. This chart is showing the growth there. We’re looking essentially at an estimated growth to be up to 40 billion devices by 2025. And these devices, they’re everywhere, they’re great. I think we’re all guilty of owning three, five, 10 of them. But what’s important to think about is they were not built to be secure. They’re consumable devices and criminals know that. They know that they can access these devices fairly easily. The data’s not encrypted, there’s no administrative password, generally it doesn’t sit behind your firewall. What this device does, it provides an access point and an access point for those to get into your broader system and just see and have a touch point to your vulnerabilities and your protected information.
Lastly here just bringing this home in terms of financial loss. Again, we’re not going to read all these off the slide here. But let’s point out just a few more important ones here. So 37% of survey respondents to the National Cyber Security Annual Review thought that losing money online was unavoidable. That’s fairly scary, but further 70% of them felt that they would be a victim to at least one cybercrime in the next two years. And these crimes are ranging from anything from theft of money to someone accessing your password and just being in your system, to your personal information actually being stolen. All of this is kind of highlighting the prevalence of cybercrime.
When I look at this, what’s really interesting to me is how we approach cybercrime in regard to our daily lives. For the most part, cybercrime is out of sight, it’s out of mind, and I compare this to my nightly routine. At night-time I lock my doors, I set my alarm and I feel secure, I feel good about what’s going on. But none of us think twice about joining the coffee shop WiFi network because we’ve got to check our email, we’ve got to be connected. Yet, our phones, our laptops, whatever it may be, they store our passwords, they store our credit cards and other personal information. And we’re happy to hand the keys over to anyone who could be hundreds of… across the world, whatever it is, who has access to these unsecure WiFi networks that we all happily join. So just kind of leave you with the thought process of you don’t need to see the threat to be exposed to the threat in this world of cybercrime.
I think we have our first poll question. So does your company currently offer any of these types of cyber coverage? Again, there’s the personal lines, the commercial lines, the farm specific cyber we’ll get in and you are not sure.
Okay, that’s great news. At least we have a lot of folks that are familiar with what we’re talking about today, especially on the commercial side. So, perfect. On the next slide, if we can get ourselves there… This slide is going to give a quick overview of the coverages available right now on the personal lines space, and we’re going to go through these at a high level to make sure we have enough time for everyone to go through their topics today but also leave time for Q&A at the end.
Starting off at the top of the list is online extortion. Online extortion, otherwise known as ransomware, it’s a lot of what it sounds like. It’s the indemnification of expenses or ransom paid for an online extortion event. Very simply speaking, the insured has clicked a bad link, it locks up their computer, their files are encrypted, there’s that red screen of death there with a ticking timer and the ransom demand. And those files will stay encrypted until they pay a ransom.
Again, in simplest terms, if the insured pays that ransom the policy would have the ability to indemnify them for that ransom paid and the financial loss that came with it. Number two on the list, social engineering, this covers the intentional deception of the insured that led them to willingly transfer money to a bad actor. That’s really the hook of this insurance coverage here is the insured has willingly sent the money, and typically when that happens you think of commercial crime or whatever it may be, there is not coverage if you’ve willingly sent the money. We’re aiming to fix that. We’re looking at certain scams like tax scams, confidence and romance scams, grandparent scams where they’re telling you have a grandchild in prison and please wire some money to us.
Full transparency with any insurance product, and this one’s no different, there are things that wouldn’t fall into the social engineering realm. The most common one is something we call an advanced fee scam. Kind of the pay me $1000 today for $100,000 tomorrow type scams, where someone’s money is locked up. We’re not seeking to cover ill-gotten gains or bad investment choices, but more so any time you’ve been deceived in lost money as a result.
Number three on the list, cyber bullying covers first and foremost what we always say here is that this is a first party coverage. The design here is to cover the victim of cyber bullying, not necessarily the bully or any allegations of bullying. But in the even that cyber bullying is taking place, this coverage steps in to provide indemnification for the financial loss for professional counselling, temporary relocation, private tutoring costs, and tuition expense. By tuition expense, we’re talking about the actual cost associated with switching school and the tuition itself, so if you go from a public school to a private school and the associated cost with that.
I think as we talk about this and some of the stats we looked at earlier, cyber bullying is important to think about because one, it’s providing families time to budget and prepare for large and unexpected costs, but also most parents didn’t grow up in the threat landscape of cyber bullying, but children are seeing it at very high rates. 43% of teens in the UK admit to being bullied online and 25% are saying that they’ve had multiple instances of online bullying. So we think being able to provide financial resources to that, but also kind of drive home a little bit of education and awareness to these topics is really important for families today.
Number four, identity theft. This solution covers the indirect costs, like lost wages, childcare, elder care, while an insured has to take time off to handle an identity theft issue, but more importantly it really provides the service and case management to help you restore and reclaim your identity, kind of walk you through the process and have an expert dealing with the details to get you up and running again.
Number five, system compromise. This is a data recovery and system restoration cost coverage. Really, what all that means and the easiest way to think about it it is it’s the fees to fix your computer. If your computer has been corrupted, it has malware and unauthorized access, whatever it may be, seek out your local IT help, whoever it is, the big box store, the local IT repair, get the documentation showing the malware, submit your receipt and be paid back.
Number six, internet clean-up. This one is a little more unique and newly developing to a certain extent in the marketplace but it’s coverage for either legal expense or reputation management firms to help you deal with factually untrue written statements about you on the internet. We’re looking at things like blogs, local news sites, that may have reported things inaccurately and you need the help or guidance to best deal with these instances on the internet, and it’s really providing the ability to find that and take care of it in the most efficient way possible.
Then lastly, breach costs. In the event of a breach of your home computer system, this would provide the cost to notify and then provide monitoring to those affected by the breach. So if you do volunteer work, help your neighbour with whatever it may be and you have their personal information, we think that being able to provide that additional monitoring service, that proactive coverage to make sure that their information hasn’t been compromised and also stay current in this ever-changing landscape of privacy law, it’s an important and positive thing to be able to provide.
Jumping one more ahead, I think we have another polling question, and just before we do that, I apologize, I know it’s a very fast run-through but just being cognizant of time here. Please feel free to reach out at any time to Michael or myself if you want to get more in-depth on these specific coverages, and we can provide any detail needed. But jumping forward the poll question. Do you feel you have in-house cyber insurance expertise?
Excellent. So, again, it’s good to see everyone’s pretty comfortable with cyber so far and hopefully having a positive experience with their portfolio. I’m going to pass it over to Michael now to discuss the commercial cyber offerings.
Michael Born:
Thanks, Jeff. That was a great summary on the personal lines and the family cyber, and I think we’re going to be hearing more and more about that as we go into the future because it’s going to way beyond just identity theft detection, which was sort of the original idea. So let’s talk a little bit about commercial exposures. I can’t be left out of the statistics and numbers game, so I have a few in here for you. We can fill pages and pages with statistics about the cyber exposures and the cyber threats. But I just put in a few here that I think might be particularly relevant to get us thinking about those exposures and those risks and why we need solutions for all sizes and types of companies.
Obviously security breaches in general have increased 67% since 2014. So it has become the crime of choice for a lot of these computer hackers. Then these charts at the top right, to me are just staggering. The fact that in 2019 we had almost 7100 reported breaches exposing more than 15 billion records. A 284% increase over 2018.
Information is the new currency and the bad guys know how to get it, so we have to be more vigilant than ever and protect ourselves as much as we can, including transferring that risk via insurance products. Then we’ve got, in the bottom of the slide, we’ve got a couple of different statistics from the NetDiligence claims study, that talk about how expensive these breaches can be even for smaller companies. So these two charts both focus on small to mid-sized enterprises, and it talks about an average… you can see how the costs associated with just a ransomware attack have gone up in the last couple of years.
Then of course just your overall cyber claims costs. So the average overall cyber claim cost among all the different types of claims that you might get for small to medium enterprises has also gone up obviously over time. And you can see, $100,000 doesn’t seem maybe like a whole lot but when you’re talking about a small business, that could be the difference between staying in business or not. So all of these statistics you’re going to see are increasing the costs, the number of attacks, the ways that the bad guys are trying to get to this data and this information and get to your systems.
We can’t expect the regulatory landscape as well. So even if you don’t have a lot of actual costs associated with a breach, which I can guarantee you almost always will, we’ve got the regulatory bodies passing new legislation all the time, new laws and regulations all the time around privacy and data security. These regulations will lead to exposures to your clients and your policyholders.
Obviously you’ve all heard of the GDPR. It’s now officially begun its third year of being in effect. It went into effect on May 25th of 2018. There have been an estimated €114 million in fines that have been issued based on GDPR regulations. There have been over 160,000 data breach notifications reported across Europe through the GDPR.
Remember now that the GDPR requires that breach notification be conducted and that measures be taken to mitigate the adverse effects of a breach. So we now have legislation telling you that you must do some things to respond to a data breach that are going to cost money. That’s the long and the short of it. So even if the fine or penalty isn’t significant, which some of them really are, just the cost to respond according to the regulation are going to be significant in many cases.
So what is available now in the insurance world as far as commercial cyber insurance, cyber insurance for the business to transfer some of the risks of the cyber exposures that are out there? Well, first of all you’ve got the liability coverages or what we call the third party coverages. Those are on the left hand side. On the side you’ll see the top if privacy liability, so that’s if you lose confidential information, if that information is exposed in some way, whether it’s accidental or intentional, whether it’s the bad guy or just a mistake, if those records are exposed and that causes harm to an individual or anybody whose confidential information, the release of which would cause them harm or damages and they make a claim against you, that’s the privacy liability piece of the coverage.
Next is network security liability. They seem very similar but there is an important distinction. Network security liability doesn’t require that confidential information be exposed, it only requires that your network be breached, and that that breach somehow causes a third party harm or damages. Whether that be that the bad guys got access to your data… Not your data, the third party systems through this network security breach of the original party. Much like we saw on the Target case where the HVAC vendor was the access point for the bad guys. That HVAC vendor could have had a network security liability exposure to Target, even though HVAC’s data wasn’t breached.
Then finally we talked already a little bit about regulatory. We put that in the third party bucket, even though that’s sort of a quasi-third party because obviously the regulator isn’t claiming that they were damaged but they can issue fines or penalties. It is a claim and an investigation in a way, there are going to be costs associated with responding to a regulatory investigation, and there could be damages in the form of fines and penalties that are issued.
Remember, these coverages are unique in that generally speaking fines and penalties aren’t covered by a liability policy but cyber policies are designed to cover them where they can be covered by law. Then you’ve got the first party coverages, which as I indicated are often the most expensive or the most significant expenses, even if no third party is damaged or at least they don’t have a claim against you that they were damaged, those direct costs associated with responding to a breach can be significant. More so than the third party liability claims.
So you’ve got the privacy breach response. As I indicated, the GDPR requires that you send out a notification under certain circumstances. So that privacy breach response, the legal work to draft the notification, the notification itself. All of the call center that you might want to set up. If you want to offer credit monitoring or identity monitoring to the folks that were impacted by the breach, all of that is an expense that can be covered by that privacy breach response.
Then you’ve got system compromise, this is when the system is breached and affected in some way that needs to be repaired, whether that’s data that has been corrupted or destroyed or the software that has been affected or if the system itself was simply taken down. In that instance, you’re going to have costs associated with investigating that attack and remediating it so that your systems get back up and running.
Then you’ve got cyber extortion. We’ve all heard about ransomware attacks. That’s one form of cyber extortion, there are others, but it’s any time you have a data or network security breach that the bad guy then demands ransom to either fix or to not expose data. Those ransomware attacks, other cyber extortion attacks, the costs of paying the extortion if it’s reasonable and the cost of responding to the demand, that’s all covered under the cyber extortion piece.
Then you’ve got business interruption. Business interruption is just what it sounds like, it’s just like the business interruption coverage in your property policy, just the perils are different. So, again, if you have a data breach, network security breach that affects your operations, causes you to lose income or to have extra expenses to work around any outage of your system or any compromise of your data, that’s going to be covered by this business interruption piece.
Then you’ve got some miscellaneous coverages that we’re seeing pop up, and there are a bunch of them. Two that I just wanted to mention that have been very popular and in the news these days. One is funds transfer fraud, sometimes called social engineering, although that’s a bit of a misnomer because social engineering is actually just a way in which bad guys get access to your systems or data.
But the funds transfer fraud is fraudulent communications that actually get the company to transfer funds to the bad guys. Whether that be a fraudulent invoice, an email purporting to be from the CFO, or what have you. And any kind of fraud that gets you to transfer money to the bad guys is funds transfer fraud. That can now be covered under a cyber policy. It can also sometimes be covered under a prime policy, but cyber policies have developed coverage for that.
Then finally if the business conducts transactions through credit cards, there is a contractual obligation to keep that credit card data safe and if you violate those payment card industry data security standards, PCIDSS, there can be investigation of whether or not you complied with their standards, and if you didn’t comply with their standards there can be penalties assessed. That is a separate coverage out of the policy because it’s not an official regulatory body, it’s all contractual in nature. So that’s another potential coverage in these cyber policies. So that’s basically what you can get in a cyber policy, from a commercial standpoint.
Next we have another polling question we’d like to give to you. If you are currently offering cyber insurance, we’re curious about how you developed your cyber program. So did you develop it in-house and are offering it all with in-house resources, have you used a third party or a custom turnkey solution to help offer that cyber coverage, or perhaps you’re not sure about that? I’ll give you a little bit of time to answer that.
All right, let’s see how we did. Looks like a fair amount of you have in-house capabilities that you developed, you have used some custom turnkey solutions, and a few of you don’t know, which is probably why partly you’re here on this webinar to see what is available out there and how things are working. So let’s go on.
So we’ve talked a little bit about family, we’ve talked a little bit about commercial. Hit the next slide… maybe Mike you can advance that for me, for some reason it doesn’t seem to be advancing. So now we’re going to talk a little bit about farm, I’m going to turn it back over to Jeff, and he’s going to talk a little bit about why farm is kind of its own unique animal even though it incorporates some of both of the kinds of cyber that we’ve talked about before.
Jeff Cron:
Great, thanks Michael. So the big question, farm cyber, are farms at risk for cyber-attacks? We’ve got a big long slide, it gives a whole lot of information. But to sum it up quickly, the answer’s yes, right? Farms are at risk for cyber-attack. The advancements in farming, data collection, and the value of that information has really put farms in the crosshairs for cyber-attack. These risk are ranging from ransomware on the information or on to actual farming machines, to cyber sabotage aiming to disrupt the food supply or general theft, and the breach requirements that come along with that.
How is all of this taking place is the big question, but really the advancements in precision agriculture have led to increased efficiency in farming, but also as we touched on before with the IoT, increased vulnerabilities for farmers. This increased IoT usage across farming is unique because of how heavy it is on data capture and the recording of that data. So we’re talking about things like geo tagging, soil analysis, seed distribution patterns. All of these technological advancements, data recordings are touchpoints and vulnerabilities for the farmer.
As we put this together and look at the farms, one thing that I found real interesting and pretty shocking is the estimate of IoT currently in use for farming. We’re talking about 75 million devices in place right now with an expected growth rate of 20% per year. So not only is that highlighting the value and the benefit that these devices are bringing, but also the need for farmers to protect themselves and also protect the data they have from disruption. I think we talked about before, but not all these IoT devices were built for security as most of them are just consumable products.
As we jump ahead here, here’s the outline of farm cyber. We’ve talked about commercial cyber, we’ve talked about family cyber, and as we’ve kind of somewhat indicated that farm cyber is a combination of the two. Due to the range in farming, you can talk about the small gentleman family owned farm, up to small commercial and even agro business farms, there’s a big spread there. So far, what we’re seeing in this realm, as I talk about this combination product is that the vast majority of farms, maybe 80% or so, are a little bit more geared toward personalized. The traditional farm owner’s policy, more family owned, small business type farm.
It skews personal lines with business components, rather than just being a pure commercial farm. But really, the key here is to build in accordance with your portfolio and in accordance with your partner. Not all farm risks are the same and what’s most important is to capture the risk appropriately to whatever your portfolio may be, this is certainly not a one size fits all product. Michael talked about some of those unique coverages that come with commercial, we saw earlier some of the unique coverages that come with personal.
Then also it’s the what do you want to build together to hit those unique coverages for farm? Some of that stuff we talk about relates directly to this smart equipment. You’ve got your big combines, tractors, whatever it may be. If they are encrypted with ransomware and they’re stuck, you have to get it to the service place, you have to then have it unlocked and fixed. So those are all additional costs.
Towing might not be considered a traditional cyber expense, but maybe it is for the farm cyber, so that way farm owners are not crippled by the expense of just towing their encrypted machine to the service center to have it repaired. And all of those things should be looked at in conjunction with your partner or your in-house team as you build a cyber program for your farm.
So again, just leave it with the idea that farm is developing, it’s not an off the shelf product, certainly not one size fits all, and something we’re happy to build with anyone for each and every single portfolio. Which I think is a great time to pass back to Michael, really to discuss partnerships in this reinsurance marketplace, in this turnkey marketplace as we build programs together, be that commercial, family, or farm.
Michael Born:
Thanks, Jeff. I think that’s a great transition into talking a little bit about partnership cyber programs and how those work. So for those of you that don’t have any experience with this, a partnership program in cyber takes an insurance company that is familiar with cyber and that understands it, has underwritten it, has priced it as policy forums, has guidelines, all of that stuff. And they partner with an insurance company that may not have that. So by doing so it allows you to launch any particular type of cyber program that you’re interested or you think your clients might be interested in, without having to develop that expertise in house, without having to worry a lot about the exposure, depending on what you want to do.
These are white labelled quota share reinsurance programs. So it will all look like your product. It will be… the top of the policy form will have your name on it. Marketing materials will have your name on it. And then it’s reinsured on the backend anywhere from 100% to 50% depending on how much risk you want to retain.
For instance, we have… the vast majority of our clients cede 100% of the risk to us. Like hey we want to offer this coverage to our clients, they’re asking for it, we’d really like it to be part of our portfolio, but we don’t understand it enough to be able to take the risk, to be able to have our actuaries the likelihood of loss for this particular risk. So we want you to take 100% of the risk and then we’ll just sell the product to our insurance.
The partners also, your turnkey reinsurance partner’s also going to provide rates, forms, underwriting, claims, and launch and marketing assistance. There’s usually a commission that you get in order to sell this product through your platform. Then with regard to implementation, your reinsurance partner is going to help you with claims trading, marketing, any kind of collateral you need, training, educating your brokers or agents, or your insurance itself. And of course, the implementation plan is going to have all these functional areas and all the topics you might think you would need to launch programs such as this, including by the way usually some risk management and breach response services.
Many of you might have been on the recent ICMIF webinar with CyberScout. CyberScout is one of our partners that we use as well, to help with both breach response and some pre-breach risk management services. This is one of the most valuable things that you can give to your clients, because most of these businesses don’t know the first thing about responding to a breach and by having this insurance and having these response partners, they can turn to their insurance company and to these breach response partners to help them walk through a breach when it happens so that they don’t have to do it alone or figure it out themselves. So this is how these turnkey partnerships work.
But, what would be better? Let’s see what we have as our next slide. Oh, just a quick note that these programs can be very flexible. They can be customized for the needs of your clients and your book of business. So you can talk about the different coverages that we’ve talked about today and decide which ones are most relevant for your clients and your policyholders. You can have individualized distribution plans, you can choose the appropriate deductible or retention, which limits, how much limits you want to be able to offer out of the gate and whether you want options with higher limits if some companies want those. And you can have single aggregate limits or sub-limits associated with those. So they are ultimately flexible programs. And can be designed specifically to fit the needs of your customers or clients.
But you don’t have to take my word for it. That’s why we invited Anders to come along and tell you a little bit about the implementation that he had with his company. I promised Anders that I was not going to try to pronounce the name of his company. We affectionately refer to them as LF in Sweden, and they’ve been a fantastic partner of ours and we thought we’d bring Anders along to tell you a little bit about what happened with their implementation here.
Anders Nises:
Absolutely. Thank you for inviting me to this webinar, and as you can see my name is Anders Nises. If we don’t want to pronounce it as LF, it’s Länsförsäkringar, so there’s a lot of Swedish letters in that one. That can be a bit of a challenge for the English speaking audience, but LF is just fine.
We started our cyber project back in 2016, and we started it off with a market survey on our SMEs. So our ambition was to offer it to our commercial clients, and in that survey it was clear that cyber was a growing concern for our SMEs, and since then it has really escalated by the reasons explained by Michael and Jeff, but also triggered by GDPR and the increased amount of breaches.
But back in 2016, it was evident that the offerings on the market were created for larger companies with other needs than our SMEs with, say, 10-20 employees or even less, maybe even three or four. We decided to create a cyber product that was tailored for our SMEs, and early on we realized just the challenges that Michael was describing before handing it over to me, we had problems actually forming a proper wording, setting the right rates or even having the right underwriting guidelines.
So we, early on, decided to do this together with an experienced player in the cyber arena. We had a tender process where we invited a dozen player on this market, and Berkeley and CyberScout as a team came out as the clear winners in that tender process. After that process, and when we had decided to work with Berkeley and CyberScout, we had an extensive implementation project with the ambition to add the cyber element to the majority of our existing PNC policies.
LF is the clear market leader in Sweden in property insurance. We have about 30% of the market share, and we had a great partnership with Berkeley where they helped us with the wordings and rating matrices, and it was really invaluable for us when we started this in the autumn of 2018 when the first policies were added with this element.
Since then it’s been a huge success. Nowadays we have a portfolio exceeding 100,000 policies, and we have very few cancellations. It’s been rolled out on an opt-out basis, and the standard cover is a low limit one that gives our commercial clients a basic cover which Michael described, and last but not least I cannot praise the service element more. For these kind of companies, many of them they don’t even have their own IT departments, and even less they don’t really have any plan whatsoever to actually do a breach response if they have to do something to comply with the GDPR.
That’s been really invaluable, and we have a lot of cases that actually don’t end up in an insured loss, it’s just a service loss, but still, our clients are very happy with the product, so it’s been very, very useful. And for the future we are looking in to maybe doing something on the agricultural side and also on the private lines, and also it’s really important for us that the policy stays relevant in the ever-changing cyber risk arena. That’s also where Berkeley really comes with the cyber expertise we need in order to stay on top of things. We would not be where we are today without these partnerships. Berkeley have been really flexible.
It is a turnkey solution, but it’s also tailored to our needs and our clients’ needs, and if you were to ask any of our clients, nobody would have any idea whatsoever that this was not something created just by us. It’s an LF policy, it’s an add-on to the standard PNC policy, and it’s all serviced in Swedish and with our logo on. Sometimes these kind of solutions can be marketed as a white label solution, and this really is because this is LF powered by Berkeley without our clients actually knowing it. We just get the benefits from it. Thank you.
Michael Born:
Great. Thanks, Anders. That’s fantastic. And I’m sure folks out there may have some additional questions for you about that implementation and how it went. In fact, we’re almost at the question and answer period, but we have one more question I think for you guys, if I remember correctly we have one more polling question. And there it is. If you don’t currently offer cyber insurance, which best describes what you’re thinking about right now? Have you started developing a program with plans to launch it already? Do you want to offer one but you haven’t started developing it? And you’re interested but haven’t yet decided to develop it, or at this point, we would hope this was not the case, but if you clicked on the wrong link and you didn’t know you were going to be talking about cyber today, please let us know so we can be a little more clear with our communications next time.
All right, how did we do? Oh, there we go. So at least the folks that are still watching, you’re definitely interested in developing something and just haven’t decided yet. I’m happy to see that nobody is here by accident, clicked on the wrong link. So now we’re going to move forward into the question and answer session. We are happy to answer any questions that you might have, if you want to type them in the chat, we’ll pull them off of there or we’ve also got… I think we had some questions that have come along the way.
Mike Ashurst:
Great. Well, thank you Michael and Jeff, that was a really great presentation, and thank you to Anders for giving us a taste of what it’s like as an ICMIF member to provide cyber insurance. We have had a few questions, so I’ll try and get through a few of these. So the first one, unfortunately we can never keep COVID-19 out of this but here we go. So have you seen any claims come through yet as a direct result of COVID-19 related scams? That could be to any of you.
Michael Born:
I’ll let Anders answer first since he’s got direct experience there in the EU he can talk about.
Anders Nises:
I would say we haven’t had any scams really related to COVID-19. But we have seen an uptick in losses during the first half year of this year. It could be a corona effective, but also it could be, we have discussed with the Berkeley Re guys, it could also be where the stage of the portfolio is, because for the first year a lot of our policyholders, they didn’t even realize that they had the cover. So I think it’s a combination of our clients getting more familiar with the cover, and also of course there’s a lot more cybercrime actually going on during this crisis. But we haven’t really seen any fraud in direct relation to COVID-19 as of yet. It’s maybe triggering because it’s more connected, but not really a fraud.
Michael Born:
And from a commercial side it’s sort of similar. We have actually seen some claims come in that were launched using COVID-19 as part of a phishing scheme to try to get somebody to click on something and give them access. So we have seen a couple of those claims, no question about it. I truly believe that there are more instances out there that have occurred and they just haven’t been reported yet. Remember that one of the additional exposures from working from home, now that we’re all working remotely and working through our own systems is the inability to detect a breach as quickly as we might be able to if we were only using our commercial systems, if we were only using the systems at the office.
So if your home computer is breached because of a phishing scheme, and that gives the bad guys access to your business data because you’re doing business at home, you might not even know that or you might not know it for a while. So I think that there’s going to be a bit of a delay, a bit of a lag. I think we will see even more of those types of claims come in. And Jeff, I don’t know if you’ve seen anything like that on the family side.
Jeff Cron:
No, I don’t think we’ve seen an increase in claim activity. I think you’re spot on about claims that could be out there and not reported yet as everyone’s still learning this new reality. One thing we try to do, especially one the family side, is really increase our education. One, we’ve got the benefit of the regular news cycle giving everyone increased tips and things to be aware of with COVID and scams that are out there, but we also work with our partners to provide a lot of additional educational material that they can get to their policyholders, just as we’re hearing and seeing things. So more as risk management focused as we can be just to help be a little bit more preventative in new scams.
Mike Ashurst:
Right. Actually, you’ve just at the end there answered the next question which I was going to ask you about risk prevention. Because that was one of the questions somebody said, ICMIF members talk a lot about risk reduction, so do your products include an element of education to help people to prepare for those risks? So I think you’ve just answered that one.
Jeff Cron:
Yeah. So at least on the family side, there’s a lot. And we talk about this from an education perspective, just giving information and more alerts to everybody, but also we handle things on a proactive and reactive basis. So we do have a service partnership on the family lines or on the personal lines, cyber, which gives some proactive things upfront. Dark web searching, password protectors, things to just keep you more secure and more aware of if you’re information could be exposed. Then again, the reactive side in the event something does happen. There’s kind of a ransomware coach or expert out there to help you, the breach response system to deal with that and also provide the notification and monitoring. So we certainly believe that risk management is a critical component of any solution.
Michael Born:
Yeah, and the same is true on the commercial side. You heard us talk about CyberScout a little bit. There are other vendors out there, but CyberScout is both our breach response vendor and they provide some educational and pre-breach risk management services along with those. And I’m actually curious, I was going to ask Anders, do you know how many of your insureds, if there are a significant number of your policyholders that are taking advantage of some of that information that CyberScout has for them?
Anders Nises:
Absolutely. We implemented a lot of the intelligence, both from you guys and then from CyberScout on how to actually cyber secure your business, that’s shared on our webpage. We did not opt for… we were offered cyber website. That was really easy if you don’t have a platform where you want to describe the white label solution but we implemented it on our website with the intelligence we got from you guys and CyberScout, and that’s been used quite a lot. So people are reading some examples on how you can do and looking at checklists on how to go about IT securing your operations.
And also we have several clients calling in asking, “We have this new system, how should we set it up to be more safe?” And also sometimes they call them. It’s not a big problem at all with people calling them too often, we really urge them to do that, but that’s also what I tried to say during my piece earlier here, that we have some cases with clients calling in, getting support, and they actually sort the problem out in that call. So it’s not an insured loss for either us or Berkeley, it’s just an expert from CyberScout helping our client out. The client is happy because they solved the problem, they might not have an IT department so CyberScout really helped them out. Then for us and Berkeley, we didn’t have to pay anything, so for us we have a happy customer but we didn’t have a loss. It’s hard to achieve that in the other insurance product, I would imagine.
Michael Born:
Right. We can almost think of it like loss control for cyber because it benefits both the policyholder and the insurance company.
Mike Ashurst:
Right. Just got time very quickly for one or two more. So this one is for Michael and Jeff, so as reinsurers, how do you manage your own aggregate cyber liabilities in such a young line of business?
Michael Born:
That’s a fantastic question, and not an easy one to answer. We actually go through exercises every quarter where we look at potential catastrophic loss based on aggregation. This is on the commercial side, and I’ll let Jeff answer also on the family side. But we have quarterly exercises where we look at various different cat models. They’re not terribly mature right now because the market is changing so much and it’s relatively new, but we do our best, and it’s always an issue.
Michael Born:
And if we see that we think we have a large catastrophic exposure to a particular type of loss or one of our particular business segments, we might also reinsure our exposure. That’s how we do it, we look at it, we run cat models, and if we see an exposure we’ll reinsure, just like anybody else.
Jeff Cron:
Yeah, I think Michael, that’s spot on, the personal line side particularly is new and the modeling that’s in the market doesn’t even necessarily reflect. So we have taken that in-house and developed our own cat model for the personal side of cyber exposure. So again, arguably untested but we feel comfortable with what we’re doing, and to a certain extent the personal lines covers are less correlated with each other.
So one, there’s an element of limit control, there is lower limits typically in the personal lines space, but also a social engineering loss isn’t necessarily connected to anything else, and each and ever loss may be a little more contained within its own piece rather than spreading and becoming bigger and bigger. So it’s modelling, it’s limit management and really working with our partners to make sure we’re all on the same page with what we’re trying to accomplish at the end of the day.
Michael Born:
And Anders, I know you guys are keeping some of the risk on the cyber book that you write. Is there something special that you do?
Anders Nises:
At this point I think we are really… we have a basic cover, it’s not huge limits we’re offering. So we think we can handle that risk. We go about doing some stress testing on the book but then also making sure to mitigate the risk through the policy wording where we look at how do we deal with mass attacks. So it’s kind of a combination about looking at the risk and also on the product, on the exposure.
So, we have been more and more comfortable as you always are. We started with this project four years ago, didn’t know anything, learned a lot from you guys. Now we have a larger book, we have more risk in that sense but we’re more comfortable with it. But of course we will look at this for the future if the risk arena changes, then we might have to look on how to actually protect the risk we keep in our books. But for the moment we are looking at it similar to what you guys are.
Michael Born:
Yeah. And that’s an excellent point about the policy wording, I forgot to mention that on our end as well, that we do try to put some policy wording in to limit some of those really large catastrophic losses, which this type of cover for this type of program is really not designed to cover.
Anders Nises:
Maybe not take the word out of your mouth but if our clients actually update their firewalls and their antivirus covers and everything, they are fine more or less because then they would only be suffering from a targeted attack and then the policy would give them the cover. So that’s more or less, instead of having a very complicated product, saying that this is not covered, this is not, we just urged them to have everything updated and then the policy will perform in an expected way, more or less.
Mike Ashurst:
Okay, great. Well I think that’s all we have time for. If anyone does have any more questions, you can send them through to me and I’ll pass them on to the guys and hopefully they’ll be able to get to reply to you. But I’d just to say thanks ago Michael, Jeff, and to Anders for taking the time to talk to us today. It’s much appreciated. A reminder that all the recordings of all our past ICMIF webinars are available on this private webpage, which is exclusive for ICMIF members.
So, thanks for joining us today and we look forward to seeing you all again in the future. Stay safe and goodbye everyone.
The above text has been produced by machine transcription from the webinar recording. ICMIF has made every effort to ensure that transcriptions are as accurate as possible, however, in some cases some text may be incomplete or inaccurate due to inaudible passages or transcription errors. Listening to or watching the webinar recording will allow you to hear the full text as delivered during the webinar but this is available in English only. Our transcriptions are provided to enable members to select the language of their choosing using the dropdown menu above.
