Cyber insurance not a risk management tool, say banks

Lengthy payout mechanism of cyber policies makes it ineffectual against large losses, dealers argue

cyber protection
Cyber policies have grown in availability and sophistication, but broad coverage appears to be low

Insurance is not an effective tool for managing the potentially vast exposure banks and financial services face from cyber attacks, according to senior industry practitioners.

Speaking at the Op Risk Europe conference in London on June 13, three senior operational risk experts argued that the lengthy claims and payout mechanism associated with most cyber insurance policies made it an ineffectual form of defence against large losses.

“Insurance isn’t a bad thing in itself, but I think [for] anyone thinking about insurance from the perspective of risk management, it is a complete waste of time,” said Sam Lee, head of operational risk for Europe, Middle East and Africa (Emea) at Sumitomo Mitsui. “If something goes wrong, you can get some of the money back in a couple of years’ time, [but] that’s not really helping you on the risk management side.”

Gilles Mawas, senior expert in cyber, IT and third-party risk at BNP Paribas, also expressed scepticism. “Our main concern is systemic risk, and of course, being reimbursed after you’re dead is irrelevant. If you lose €3 billion–€5 billion ($3.4 billion–$5.6 billion) and two years later you get back 50%, what’s the point? For systemic risks, I don’t really believe in insurance: it isn’t on top of my priorities,” he said. The comments come despite buoyant growth in the UK cyber insurance market, centred on Lloyd’s of London; the number of cyber insurance premiums written in London is rising at a rate of about 75% per year, according to a recent report from insurance industry trade body the London Market Group, with some $700 million of premiums written in 2015.

Cyber policies have grown in both availability and sophistication from the industry’s early days, helped by the increasing volume of loss data available to underwriters.

If you lose €3-5 billion ($3.4-5.6 billion) and two years later you get back 50%, what’s the point?
Gilles Mawas, BNP Paribas

There is evidence that broad coverage remains low, however. According to a June cyber risk report by Airmic, a UK-based association that represents corporate risk managers and insurance buyers, practitioners’ confidence in their ability to effectively manage cyber risk remains low. According to the report, less than a third of the trade association’s members are satisfied with their organisations’ preparedness to withstand cyber attacks.

There remain good reasons why senior practitioners on the buy- and sell side are in no rush to embrace this tool in their pursuit of a sound cyber resilience strategy, said Chris Lovett, head of technology risk management for Emea and Asia-Pacific at BlackRock, speaking on the same panel. “I think cyber insurance is useful as a financial protection, but it doesn’t affect our operational risk, and profile, what we do and think about,” he said.

“I think it depends on the industry you’re in. I work in asset management, so we don’t have a huge retail presence – most of our business is institutional. If you did have a very large retail presence, I think it would have its value in place. Most products I’ve seen tend to kick in around payment and credit monitoring and that kind of stuff, which can be incredibly expensive, so I think it’s useful as a financial tool. As an operational risk tool, it doesn’t influence what we do on a day-to-day basis.”

  • LinkedIn  
  • Save this article
  • Print this page  

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact [email protected] or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact [email protected] to find out more.

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: