How Marsh sees the broker role evolving around cyber insurance

Brokers are finding they have to educate themselves more on the legal and technical side of cyber rather than on the cyber insurance policy itself, a speaker said recently at Insurance Bureau of Canada’s Commercial Insurance Symposium.

“What we’ve noticed is we’ve really had to take on more of an advisory and consulting role around cyber insurance specifically,” said Jonathan Weekes, vice president of the cyber practice at Marsh Canada. “What you’ll see is a lot of brokers are retooling and reeducating themselves – not on insurance because most brokers have a pretty good grasp of insurance policies, how to navigate them and how to interpret coverage – but more so on the more technical side of things in terms of cyber.

“What we’ve also had to do now is equip ourselves with more technology and privacy-related designations and courses.”

For example, brokers may decide to pursue a certified information privacy professional (CIPP) designation. Weekes himself says he has a certification related to information risk.

Weekes was responding to a question from moderator David Yeatman of Chubb about the evolution of the broker role in accounting for emerging issues.

Taking on more of a claims advocacy role is part of the evolution, Weekes said. He noted that some cyber and property casualty policies contain language that makes it “somewhat unclear” as to what is covered and not covered. “Brokers have really had to take the steps internally to educate ourselves around silent cyber – what is and what is not covered outside the cyber policy – and then ensure from a claims advocacy standpoint that we have equipped our clients with an understanding of which of their policies should be responding in the event of a cyber incident.”

As an organization, Marsh is seeing a lot more frequency around ransomware and cyber extortion attempts on organizations, with two or three claims on a weekly basis, Weekes reported. From a severity standpoint, the commercial brokerage is seeing “some pretty big claims” around damage to data and the resulting business interruption and potential liability associated with it.

While traditional cyber policies revolved around privacy, Marsh is seeing more and more claims associated with the transfer of malicious code from one organization to another, resulting in liability form that standpoint. “Ransomware is also triggering all the other aspects of the policy as well.”

With the hardening market, it can be difficult to explain to clients why it’s happening and how it’s going to impact them. “On lines where they are not seeing more difficult times, it’s becoming lot more challenging to sell that to them as new business,” Weekes reported. “If I go into a room and try to sell them cyber after we’ve just spoken about their D&O and premiums are going up 100%, they’re going to tell me to get out and probably never invite me back again, or at least until it’s more feasible for them to purchase that coverage.”

Weekes is concerned that as more carriers push cyber coverage out of their property and liability policies, the expectation is going to be that “brokers, and insurers, find somewhere to put it.

“What we’ve seen is more and more has been pushed into the cyber policy in the past three or four years. I’m somewhat concerned about how long that will be sustainable before it starts to get pushed back out or it’s considered uninsurable.”