The fable of Sisyphus & the importance of cyber insurance
Written by Jack Durrant - BA (Hons) FCII.
When approaching ‘the cyber issue’, I of course first consider my own perspective as a cyber insurance broker. After all, to many brokers, this does feel similar to the plight of Sisyphus; condemned to the underworld to repeatedly, yet unsuccessfully, roll the boulder up the hill for eternity. Each year (or maybe even more frequently than that), many brokers will roll out their recommendations to their diligent clients. Firstly, that age-old risk – the buildings, stock, and contents. Secondly – legal obligations like employers’ liability and fleet. Then eventually, when all sorts of exposures have been evidenced to the client, the footnote must read something like:
“You use lots of technology in your business, I think it’s about time you consider buying cyber cover, it really is critical” – Excellent broker

Meanwhile, the client will sit and nod, staring at what is undoubtedly a premium pay-out they could think of at least 10 better uses for in their business. After all, many businesses don’t anticipate claims and have never suffered before. And until a claim situation does arise, business leaders often imagine a risk-free utopia; deploying that premium into extra staff, a new machine, or some additional marketing. But then those doubts creep in: “What if this is the year though? What if I have spent all of that time, money, and energy and then just when I let the policies lapse, something happens?”…
The seed of doubt on insurance is already there, and hence the premium over the last 10 years suddenly seems worth it, just in case you suffer a loss which in any other year would have been paid! In business psychology this would be called cognitive bias, though it’s probably more like the status quo bias. Sunk cost, versus continuing down the same well-trodden path. Usually it's not quite that stark; no-one simply switches off their insurance policies. But the same thought process could be considered for smaller portions of your risk… Is gap cover worth it for our business? Computers are getting a lot cheaper, so maybe we don’t need them on the policy?
Do I need cyber insurance?
If your business stores customer data, relies on digital systems, or could suffer financial loss from a cyberattack, you’ll likely need cyber insurance.
The reality is that, as business operators, to be effective in our insurance spend, we should really look at data and the impact such a loss would cause to our business. Today, services make up 81% of total economic output and 83% of employment in the UK, and this trend is expected to continue. Many more businesses now than 20 years ago are working in the service and professional sector.
So, in our new analogy, Sisyphus is the client. Yes, let’s turn it around.
There have been many times where I’ve sat in with clients, and the ebbing feeling in my mind is – this director would happily buy a couple more working hours in the day and prefer not to see me at all. Plenty of the people I talk to seem to wear four hats: one for HR, one for Marketing, another for their technical expertise… and then I ask them to dig out their risk and insurance hat from the bottom of the box a few times a year when I turn up. Time to roll the old boulder to the top of the hill for insurance again!
How much cyber insurance do I need?
The amount of cover a client needs depends on various factors like their business size, industry and risk exposure. But while business leaders are accustomed to being the problem-solvers in their own industry, the reality is, as a buyer of insurance, these clients often want to delegate much of the insurance decision-making to their broker.
They want to be spoon-fed considerations for key risk in their business, but then ultimately, what they’ve been buying for years from their insurance broker has led them to this point. They’re in business, they’ve survived COVID-19, they’ve got past Brexit, and the financial crises. Why change what isn’t broken?
They have a heap of emails, the pressure is unrelenting, and the more effective they are at dealing with all this and the queries from those multiple hats, the more ‘other priorities’ jump into their daily routine. It’s not that as business leaders, entrepreneurs, MDs, and CEOs they’re condemned to the same endless punishment as Sisyphus, but sometimes when business leaders are in the trenches battling with an insurance broker over risk priorities, it can feel like it.
Building your cyber policy
Struggling with the annual battle over whether or not to buy certain elements of cover which your broker is suggesting, amongst a hundred other emails, is simply something you may not get to in time, or it might feel like a bridge too far (or boulder too heavy). Which ends up as: “Just give me what I’ve always had, for as cheap as you can possibly make it, Jack”.
Unfortunately, you can’t buy more time to understand and research – in most cases, a good broker will present you with the statistics to inform your insurance programme. You can order your priorities or even try to defer some more decisions to your broker about what, statistically speaking, are your hardest working policies when it comes to insurance and risk management. There is no doubt in my mind that right now, there is no better way to spend your money than on cyber insurance cover.
What about real-life cyber examples?
Co-op, Jaguar Land Rover (JLR), M&S, McDonald's and thousands of other businesses faced the same predicament and will be scrutinised for their decisions on cyber cover following major cyber-breaches. Some bought it, some didn’t. Those who didn’t must sorely and surely wish they had, while those who did can face the future with relief.
These larger businesses, especially ones like M&S, will be particularly grateful to have invested or redeployed their premium in cyber cover. I am certain that their premium will have already repaid its cost in damages hundreds if not thousands of times over.
Their risk and resilience team will look at the data and know that their insurance spend needs to encompass more robust cyber cover – their judgement isn’t clouded by cognitive or status quo bias – and this will protect the business now. After all, many of that team might come and go over any significant period, but the sound logic behind their decisions on insurance premium spend needs to stand up for now and into the future.
What about smaller businesses?
Perhaps smaller businesses can learn something from this in order to overcome some of this cognitive bias. You may well have spent more money on other policies while it was necessary or even advisable to do so, but it's worth shaking down and interrogating your spend annually – and I would consider cyber cover to be the very first thing you consider.
Is cyber risk getting better or worse?
Cyber risk is getting worse. The more technology we develop and adopt, the more opportunity for cyber criminals. The increasing reliance on staying protected with cyber insurance is more prominent than ever.
While I think it's important for business leaders to understand the risk and cost of buying cover vs not buying cover, one thing is certain. The volume of businesses affected by a cyber-attack is ever-increasing, while many other risks are falling. There appears to be no limit on the type of businesses hit, and the ease with which a single threat actor might attempt to affect dozens or even hundreds at any one time. This is a new risk by which cognitive bias cannot be measured, because previously the risk simply didn’t exist in the same magnitude.
Conclusion
If you take one thing away from this article, don’t battle with prior conceptions or misconceptions about how effective your insurance programme is. Look at the risk climate today and what is coming for the next year, and take a clear view on how you want to spend your money, making sure your business is protected from modern perils.
In your business, you might feel a little bit like Sisyphus; never quite reaching the pinnacle of a clear inbox, understanding your risks, tackling that HR issue, etc. Consider the other side though. Brokers really are trying to do what’s best for you, and they’re already pushing the right boulders in an upward direction for their clients – minus the repeat roll downs. Speak to a member of our team today to discuss how we can push the cyber boulder to the top of the hill for you – and keep it there.
Jack Durrant
Jack is Branch Director for Howden in Manchester and Bolton. He leads the Commercial teams and is a technical insurance expert focused on supporting manufacturing and technology-related businesses nationwide. In particular, he has extensive experience advising clients who import and export, have complex processes, high property and machinery exposures, and extensive supply chains.
