Risk managers are very concerned about the cyber risks facing their companies and are heavily investing in protection against cyber attacks with the blessings of their boards and CEOs, a major shift from even just 10 years ago when convincing a company to worry about cyber was a big challenge for risk managers.

However, the new challenges for them include getting the right coverage from the insurance market and ensuring their companies have enough coverage in the event of a major breach, three risk managers on a recent panel at Advisen's Cyber Risk Conference in San Francisco said.

Jimmy Kirtland, vice president of Voya Financial, said in the early 2000s, convincing CEOs or CIOs to consider cyber insurance or put proper cyber controls in place was a battle, but that is no longer the case.

"I have become our CIO's best friend because I am protecting what he is protecting," he said.

The cyber insurance buying process between risk managers and the industry has also improved as the cyber market has matured.

"The quality of the questions and the quality of the discussions between the insurers and the insured are much better," said Katherine Fithen, managing principal consultant for Secureworks. "We know better what to talk about; we know better how to articulate what our data is, where it is, and how it's protected."

Steep Learning Curve

But as the cyber market has evolved and more coverages and competition have developed, so have the threats to businesses. Companies that are newcomers to buying cyber insurance often face a steep learning curve in trying to figure out what coverages they need and how much they should buy.

David Little, senior vice president of Global Risk Management at the Las Vegas Sands Corp., said his company was a latecomer to the cyber market, buying its first cyber policy back in 2012. It wasn't until it had a significant loss a year later that the company realized the amount of coverage it had was considerably less than what it needed.

"That was a wake-up call for everyone… we realized we needed to get smart about this," Little said. "Since that time we've realized we didn't really understand this risk and how it applied to us. Now there's a lot more work done to understand that this is a big issue for us, and we need to do what we need to do to take care of that."

Little said part of that work includes visiting the London insurance market, which he did recently, to learn about the cyber coverages currently available, as well as what risks are on the horizon that the company should be preparing for.

He said the relationship with his broker and cyber underwriters has been critical.

"One of the most important things I did was that I interviewed a lot of brokers and I found someone that really matched my perspective of what I thought the future was going to be. That has made a tremendous amount of difference for us because they have been a partner with us in all of this also," he said.

Policy Differences

Christaan Durdaller, executive vice president and Cyber & Tech team lead for Atlanta-based INSUREtrust, and moderator of the Advisen risk manager panel, said there are more than 120 different players in the cyber market and that is a challenge for agents and brokers, and their customers.

"I think there's still a lot of difference in each policy form and what it is designed to cover. It's important to dig into the policy and understand what it covers," Durdaller said. "Each policy varies carrier by carrier and it's important buyers understand that."

He said with such a knowledge gap in the cyber market and misinformation about where coverage like business interruption responds, as well as emerging risks such as reputational threat, having a relationship with a knowledgeable cyber broker has become essential for risk managers.

Fithen said protecting her company from cyber risk is a team effort across the board – from the internal operations to its insurance underwriters – and that's the way it must be.

"It is a team effort now, I think we've really grown and learned to understand that," she said. "We're learning to talk to each other in languages that each company can understand so we can partner with each other and really get a handle on this."

The risk managers agreed that the insurance industry also plays a vital role in helping them determine what their cyber exposures are, including when it comes to outside risks like the vendors they work with.

Supply Chain Impact

Durdaller said many companies are unaware of the data a vendor they contract with could have access to – either related to the company or its customers – and the impact of a supply chain-related breach.

When asked about what future cyber concerns keep them up a night, Kirtland said vendors getting into the company network and "causing chaos" is one of his main concerns, along with the ever-changing nature of cyber risk.

"What keeps me up at night is the stuff we're not prepared for, that we don't even know is out there," he said.

Little said his biggest concern is the "incongruous nature" of cyber exposures and how it overlays with his company's cyber insurance programs.

"I'm just never sure I have the coverage that I need, that always concerns me," he said. "[And] with the advent of artificial intelligence, how it's being put into so many different things, I think there might be a loss that I just can't envision right now, and I'm really concerned and interested in how it evolves and affects our industry."

The risk managers' opinions differ on whether the insurance industry is offering the right cyber coverages and limits to respond to companies' needs, or if they are holding back for fear of large claims.

Kirtland said considering that every insurance company writing cyber is likely to get hit with a large claim at some point, he thinks the industry is doing a good job at keeping up with the risk and hitting their "sweet spot" in the cyber market.

But Little said he worries that many in the insurance industry don't understand the true risk, especially to the industry itself. He said there is a lot of room for improvement, particularly on the claims side, which he described as "horrific."

"I don't think they understand the aggregation, I don't think they understand the totality of the risk. I think there's a lot of just getting money and premium in the door," he said. "I'm disappointed, I think there's a lot of capital out there that's gonna get hit."

Durdaller said balancing new players in the market with those who have adequate cyber experience is a constant balance for brokers, but the good ones know which cyber markets to turn to.

"It's important that you highlight to your broker what's important to you. I think you just need to be having those conversations with your broker and addressing the market accordingly," he said.