Ian Birdsey of Pinsent Masons, the law firm behind Out-Law, was commenting after the Financial Times reported that insurers have been amending the cover offered by property insurance products to exclude technology-related risk from those policies.
The move comes after the UK's Prudential Regulation Authority (PRA) called on insurers to "do more to ensure the prudent management of cyber risk exposures", with the regulator outlining a need for insurers to "take action to manage the unintended exposure to non-affirmative cyber risk".
'Non-affirmative' cyber risk is cyber risk that insurers are exposed to in insurance policies that were not primarily designed to address such risk. That risk, often referred to as 'silent' cyber risk, is often difficult to quantify.
In a 'dear CEO' letter issued in January 2019, the PRA identified that many firms' assessments of the silent cyber risk they were exposed to were "not well-developed". However, it stated that firms with the most developed approaches "had conducted detailed analyses and established processes for capturing cyber exposures for all products by bringing together different parts of the organisation", such as staff in underwriting, risk, claims, IT and actuarial, and that some had reviewed "policy wordings and of the robustness of exclusions".
The regulator gave insurers until the end of June last year to develop an action plan "with clear milestones and dates by which action will be taken" to "reduce the unintended exposure to non-affirmative cyber risk".
Birdsey said: "The scale of liability facing insurers from their exposure to cyber risk was highlighted by the PRA – it said that some insurers believe the potential risk of loss from cyber events can be compared to losses they might expect to incur from underwriting the cost of major natural catastrophes. It is therefore unsurprising that there is a regulatory imperative to clarify the scope of cover their products provide."
"The growth we have seen in cyber-related data protection claims since the introduction of the General Data Protection Regulation (GDPR), combined with the fact that there is a 'soft' insurance market currently, is a further reason for insurers to push cyber risk to specialist cyber products, transfer risk to the more appropriate book of business and generate the extra revenue needed to underpin the current market model," he said.
According to Birdsey, cyber insurance policies are the appropriate products for addressing cyber and related technology risk, and it would be both "a natural and welcome development for the relatively nascent market for cyber insurance in the UK to grow and accommodate this".
Birdsey said: "It is likely that we will see the UK's cyber insurance market continue to mature. We might anticipate that, within 10 to 15 years, cyber-related products will be considered a standard product that all companies will purchase, with that development akin to how the directors and officers (D&O) insurance market has matured."