Why is innovation important in the cyber market, and how does this affect insurers and their policies? Stephen Ridley, Head of Cyber at Aviva, and Tom Draper, Head of Insurance, UK, at Coalition, discuss this and more.

Duration

2023 - 00:42

Recorded Date

Friday, May 19, 2023

Transcript

<p><strong>Speaker 0</strong>: <span>Hello and welcome to this insure TV masterclass with me, Mark Colgate. We are looking at innovation in the cyber market. To discuss that, I'm joined here in the studio by Stephen Ridley. He is head of cyber at Aviva, and by Tom Draper, head of Insurance UK at Coalition.</span></p> <p><strong>Speaker 0</strong>: <span>Those are our panellists. Let's get things straight under way. We're about innovation. Why is that so important in the cyber market? Particularly from Aviva's perspective? So I</span></p> <p><strong>Speaker 1</strong>: <span>think there's probably no other market where innovation is as important as in the cyber market because we're not dealing with a stable risk. It's a risk that is constantly evolving and in large part because it's a man-made risk. There's people on the other end of this, and what we tend to find</span></p> <p><strong>Speaker 1</strong>: <span>in this space is that criminals are the main innovators and early adopters of new technology and ways of doing things. So we always need to make sure that we're keeping pace with that. We can't rest on our laurels and just treat this risk in the same way that we have done for the last 5, 10, 20 years. There's a need to constantly be pushing what we're doing, making sure that not just the product itself and the policy wording standpoint evolve.</span></p> <p><strong>Speaker 1</strong>: <span>But the way that we underwrite the claim response that we provide within that the value add that we provide to customers within this always needs to keep pace. We've seen over the last few years as ransomware has evolved from being a stack it high, sell it cheap model, try and hit as many people as possible, criminals then pivot and evolve and innovate and start extracting data, which adds extra leverage. 
And</span></p> <p><strong>Speaker 1</strong>: <span>that was a real big game changer for the insurance market and has led to the market conditions that we've seen over the last couple of years and has led the market to handle things in a very different way to what it did previously. And that's something that we can't just think. OK, we've been through that round of innovation. We can sit back and relax. Now there will be another innovation. There will be another step forward. We're going to have to</span></p> <p><strong>Speaker 1</strong>: <span>react and adjust accordingly. And that's something that we need to be constantly mindful of and is certainly how Aviva are considering things and making sure that we're set up, not just for now, but for the next thing that happens. Thank you,</span></p> <p><strong>Speaker 0</strong>: <span>Tom. Tell us a little bit about how you're seeing things from Coalition's perspective. I think from our perspective, the cyber market and insurance policies have existed since 1997, 1998.</span></p> <p><strong>Speaker 0</strong>: <span>I think when it comes to innovation, it's about how we help brokers sell what for them is probably a new product for many of the teams in the UK. It's a new solution they've yet to present to clients, but also for many clients. They're viewing this risk as an insurable risk for the first time. So when it comes to innovation, we have to rethink actually, how we help brokers support the clients, how we explain the solution but also adapt around the concerns that get raised by both the broker and the client. What is a new purchase</span></p> <p><strong>Speaker 0</strong>: <span>and how much of this, Tom, is because we all trust the Internet. I'm old enough to remember back in the day where people said I'll never put my credit card details into that. You've no idea what's going on behind the scenes about the point everybody says we feel completely comfortable putting our data on is about the time. 
Suddenly, people start to say, Hang on a second. Bad faith actors, I think yes, very much so. Our comfort levels with the Internet, but also our comfort levels with technology. We've seen a large change in the last three years of the ability for firms to work remotely via</span></p> <p><strong>Speaker 0</strong>: <span>large scale networks to support their customer base, and as a consequence, that's also changed the risk. So while we've got more comfortable with it in our own personal life, also become aware from a business perspective how much we rely on our systems, our access to our cyber exposed assets. Stephen, you're talking about this innovation, particularly from the being driven by bad faith actors, if you like. So what happens if I've got an Aviva policy and a whole new, different type of risk appears six months into my policy and I get hit as a result of it. I'm the victim of innovation over a quite short time period.</span></p> <p><strong>Speaker 0</strong>: <span>Are you likely to pay out on that? You haven't done anything wrong. I just want to get a sense of how comfortable you are buying a policy and then you know when you need it, it's not there to help you in the small</span></p> <p><strong>Speaker 1</strong>: <span>print. Yes, absolutely. I would expect that to be covered by the policy, obviously subject to all the full terms and conditions and everything. But where we've put a</span></p> <p><strong>Speaker 1</strong>: <span>lot of focus and emphasis on making sure that the policy is set up in such a way that it can cater for that additional innovation that might come not being too prescriptive about what we're providing under the policy itself, so that it only covers what we're seeing now, making sure that those terms are written in such a broad manner that they can deal with that next step. 
That next iteration, that next innovation</span></p> <p><strong>Speaker 1</strong>: <span>that people can come up with, and with our incident response partners with the people who are on the ground handling the claims, we're constantly keeping an eye on what is going on. How might we need to adjust our claims handling response? What are we starting to see</span></p> <p><strong>Speaker 1</strong>: <span>happen? So we're now considering things such as 5G, which we're not necessarily seeing at the moment being a big pressing issue, but it is a next logical step that might become an issue down the track. So how do we make sure that we have the right bits and pieces in place so that we're not scrambling around at the point at which there is an issue? We already have some of that legwork done ahead of time. We're trying to pre-innovate almost</span></p> <p><strong>Speaker 0</strong>: <span>on that. Would you agree that perhaps a bit of fuzziness in terms and conditions is there to protect the policyholder rather than to give the insurance provider a get out of jail free card? I think there's very much a focus on outcome based in our policies, which is very much what is the consequence of the business, not necessarily what causes it. What's the impact of the business? You've had data compromised. You can't access your systems. You've lost information now being investigated by a regulator. However, that's caused on the front end.</span></p> <p><strong>Speaker 0</strong>: <span>That's really for us insurers to mitigate price and underwrite effectively. Actually, from a customer perspective, we need to support them, no matter what. The cause is just in the round. Before we really get into dig into the detail of this How big would you say the protection gap is in the UK today? Tom, is there a figure you can put on that? Then I'll bring Stephen in. I think it's very interesting Coalition. 
We apply our own metrics to every single client and prospect that we see.</span></p> <p><strong>Speaker 0</strong>: <span>We are definitely seeing a difference between the maturity levels in the US for SMEs compared to the UK. I think that's driven by two factors. One, the US, there's more of an established cyber insurance market who've been pushing higher standards for a number of years, but also the way the US government has supported SMEs compared to the UK. So that's something that we'll be definitely releasing more information on, as we think the key changes they can make for the UK.</span></p> <p><strong>Speaker 0</strong>: <span>OK, thanks. So without putting a number on it behind the UK, feels behind on the US. Stephen? I</span></p> <p><strong>Speaker 1</strong>: <span>think it's huge is the short answer to that. The volume of customers that are buying a specific cyber insurance policy is just tiny,</span></p> <p><strong>Speaker 1</strong>: <span>and I think there's always a massive overestimation by customers as well about what cover they do have. I was at the BIBA conference last week and almost every conversation that I had with brokers, I was asking them exactly this point. How many of your customers buy a cyber policy? Not one of them said more than 10 per cent when we're talking about that. So that's 90 per cent of companies not buying cover at all.</span></p> <p><strong>Speaker 1</strong>: <span>And then of those that do. There's likely to be a protection gap in terms of are they buying a limit that is sufficient for their needs.</span></p> <p><strong>Speaker 1</strong>: <span>But what we see in a lot of the government surveys and things such as that is that number of companies that say they're buying cover is more like 20 to 40 per cent. So we've potentially got 20 to 30 per cent of companies that think they have some form of cover where they may well not. 
And they're kind of existing in this belief that they have protection, whether that's within other existing non-cyber policies that they buy, whether it's their managed service provider,</span></p> <p><strong>Speaker 1</strong>: <span>that's providing some kind of element of cover. We see all of these different myths out there or misbeliefs that people might have, so there's a real need on the insurance industry as insurers and brokers to be better educating businesses about what the risks are to them, but also how they can best protect themselves against those risks. What are the limitations of those</span></p> <p><strong>Speaker 1</strong>: <span>non-specific policies that they're buying? And what is the true value of a full, specific cyber policy, which is an immense value?</span></p> <p><strong>Speaker 0</strong>: <span>How do you overcome that? Because just going back to something we were saying a bit earlier, Tom was saying is data on the Internet is everywhere, and therefore I can see why somebody's first reaction will be Well,</span></p> <p><strong>Speaker 0</strong>: <span>yes, but I'm sure it's covered by something else because, you know, I've led all the other insurance policies and every other aspect of my business. I've just moved some of it online. It's covered by that,</span></p> <p><strong>Speaker 1</strong>: <span>and I think education is then back to the key around that I think it's a word that we've both used already today and for me is the most critical part of what we need to do</span></p> <p><strong>Speaker 1</strong>: <span>around this. It is providing that education that assistance both to start with from our standpoint to Aviva's brokers and then helping them to educate their customers as well. 
On the back of that as to how is the best way of protecting against this risk?</span></p> <p><strong>Speaker 0</strong>: <span>Tom, when you look at cyber, what are the pros and cons as a provider of targeting large firms, which, you know, I guess we all see in the headlines when something goes wrong versus this huge range of SMEs that are out there. I mean, is it efficient to do it?</span></p> <p><strong>Speaker 0</strong>: <span>I think from our perspective, we've been focused on writing SMEs since we started back in 2017. Um, our belief there was very much that was an area that wasn't supported by predominantly governments and also the security enterprise firms at the time. So we were fulfilling a need that need to be supported. I think especially all size companies have the same problems. They all have a resource challenge. They all view cyber as you've raised earlier, as a bit of a tough risk to get their hands around.</span></p> <p><strong>Speaker 0</strong>: <span>I think the difference for SMEs is they just don't have the bandwidth, and that's why they're looking for more support.</span></p> <p><strong>Speaker 0</strong>: <span>And on that particular point, if you go to, can you talk through anyone? You've seen a broker who's got a successful policy of being able to sell into, because from what you've both said, it sounds like a policy that needs to be sold rather than one that comes off the</span></p> <p><strong>Speaker 0</strong>: <span>flies off the shelf by itself. So what are some of the successful tactics you've seen brokers use to explain what the risks are and why it makes sense for a client to use it. Certainly, I think the start point is for a broker to realise they don't need to be a cyber specialist. They don't need to be an IT tech or a security firm. They're operating as a risk advisor because then it becomes a risk discussion. It's not about what tech do I have. What are you doing with your business? 
What protects you, what concerns you?</span></p> <p><strong>Speaker 0</strong>: <span>And then that's where we as insurers can then support brokers. Here's the data that we have, here's the concerns that we see, here's the risks that your clients are impacted by. You're talking about it from that perspective. More can help their business operate less of a transactional perspective. And what's the point that someone like yourself as Coalition would get involved because I can see explain risks in terms of what you've got around you in your business every day. But at some point</span></p> <p><strong>Speaker 0</strong>: <span>you have to have a conversation about what those things are that can come through if you like the very real doors and walls in your building. And that's very much our role. So Coalition, we provide brokers with the information that they need to have a conversation about a client. They see the risks the client face from a security perspective. The concerns that we've seen</span></p> <p><strong>Speaker 0</strong>: <span>here's the exposures. Here's what we think a loss would look like unique to that individual client. More importantly, here's support around you to get yourself better. So I think it's very much translating it into focus on that specific client. What concerns them</span></p> <p><strong>Speaker 1</strong>: <span>at the risk of being very, very boring. 
I completely agree with most of what Tom said there, where</span></p> <p><strong>Speaker 1</strong>: <span>it's all about making this a risk based thing, and I think one of the challenges of the barriers that I find brokers coming up against is just trying to sell a cyber policy and saying that having a piece of paper and trying to sell the customer that without bringing to life, what is the challenge that that business might face that that policy is helping to solve?</span></p> <p><strong>Speaker 1</strong>: <span>And for me, it's about dialling it back to what are the consequences that a business is most concerned about? What are the things that are going to cause them the most amount of pain? And in a world where we are now incredibly reliant on digital technologies, as we've already spoken about is that access to computer equipment that access to networking for most businesses now that is going to be the most critical risk that they face.</span></p> <p><strong>Speaker 1</strong>: <span>Loss of that connectivity is going to cause them a bigger issue than their building, having a fire or being burgled. So if you can flip it around to be, what are those main risks to your business, and how can we go about best protecting against those risks? That's when the value of a cyber policy really comes to life. And that, to Tom's point again, is where</span></p> <p><strong>Speaker 1</strong>: <span>we as insurers can come in and provide some of that supporting material around. This is what that can look like when it goes, so it's</span></p> <p><strong>Speaker 0</strong>: <span>more of what happens if your CRM system disappeared or your entire payroll. What would</span></p> <p><strong>Speaker 1</strong>: <span>you do? You get to your office on a Monday morning. None of the computers turn on.</span></p> <p><strong>Speaker 1</strong>: <span>Get next.</span></p> <p><strong>Speaker 0</strong>: <span>OK? Are there any other? I mean again? 
You both stressed that risk is evolving all the time. But within SMEs, are there particular put in those very concrete day to day terms. You've talked about things like the CRM, payroll. Computers don't turn on. Are there other kind of key things that make people think? Oh, my goodness, that definitely could happen to me. Well, I think you touched on it there. Which is reliance on key vendor partners.</span></p> <p><strong>Speaker 0</strong>: <span>So for many large enterprises, many large risks there are. Actually there are many different vendors. They use many different IT providers. The challenge most small businesses face is if their main IT provider has a problem, that's their business. They've rightly turned around to that provider and trusted them with their security, their information, their data. But that's a key reliance for them. And again, I don't think many firms think about it in the same way that they would. We don't have access to this building, but if you have access to that system, That is a key problem. And that's one of the key reasons for purchase of the cyber policy. OK,</span></p> <p><strong>Speaker 0</strong>: <span>is to what extent do you want to sell cyber policies in the SME space as standalone policies? And to what extent can you wrap that into other existing business? So, Stephen, I'm sure, Aviva, you're a big brand. You must do a lot of insurance with small, medium sized enterprises around the UK.</span></p> <p><strong>Speaker 1</strong>: <span>Yes, indeed we do. So we've been with the largest general insurer in the UK, so naturally, we have a large base of existing customers in that space. So I think it's incumbent on us then as having that leading position across all other lines of business to take a leading position in supporting around cyber risk. And we can provide our cover as a standalone policy in its own right. But equally we can provide exactly the same cover as part
</span></p> <p><strong>Speaker 1</strong>: <span>part of our wider commercial combined or other packaged insurance policies. And one of the ways that we've innovated over the last couple of years is actually looking at how can we make that process a bit quicker, a bit slicker, a bit easier for our brokers. So where we're writing these other insurance policies, we already have a vast amount of information on those businesses. So we take that data, we supplement it with some other external data and apply some</span></p> <p><strong>Speaker 1</strong>: <span>other kind of factors to that. And we're then able to automatically generate cyber quotes on the back of that so that we can pre-arm our brokers with something as a conversation starter with their customers, where it's not just a faces off to that question of how much is it going to cost me straight away? We can give them a bit of ammo to</span></p> <p><strong>Speaker 1</strong>: <span>support that conversation.</span></p> <p><strong>Speaker 0</strong>: <span>So essentially you if I say my language, not your cyber eye your existing insurance and say for another £200 a month, you'd be covered for all of these other risks, or you'd be properly covered for these risks.</span></p> <p><strong>Speaker 1</strong>: <span>That's based on the information that we have, we can provide you subject to getting just clarification of final couple of points. We can provide cover for X amount</span></p> <p><strong>Speaker 0</strong>: <span>and Tom, how does Coalition go about? I guess you haven't quite got the same footprint as an Aviva. Are you a specialist that likes to bolt on to the side of what other existing insurance covers from other providers? It always comes down with what's the easiest way for the distribution partner? 
What's easiest way for the broker to talk to the client?</span></p> <p><strong>Speaker 0</strong>: <span>I think the view we've always had is that a small amount of good cover is better than no cover. So, actually, how can we assist companies do that? Our limits start at £25,000. We've got a £10 million. We provide bolt-on solutions, standalone solutions. It's really what works to help the conversation. What is an easier part of the process? The</span></p> <p><strong>Speaker 0</strong>: <span>worker to transfer that risk And once somebody has taken out cyber cover, whether it's with you or someone else. But once they're in the habit of doing it, what tends to happen in the journey do they start off with not enough cover? And they say that worked and keep being under insured for years and years and years. Do they</span></p> <p><strong>Speaker 0</strong>: <span>suddenly start to get quite into what the nooks and crannies and what could go wrong and actually build So you know, when you look at it, you think actually, over time it's a four year journey to being fully insured. What are some of the things? Very much. So. I think that's why it's actually a very, very attractive proposition for brokers. It's very much a product that once a client has, they realise the value in</span></p> <p><strong>Speaker 0</strong>: <span>they're able to experience it, see what would be covered. They see the applicability to their business. More importantly, the broker is able to have that conversation again at renewal. Here's claims that we're seeing, here's challenges that we're seeing. Therefore we should look to increase the limits being purchased. So we very often see very low limits purchased year one, initial toe in the water, and then with the advice that we provide the data we provide. 
Brokers are far more confident to talk about actual real limits, more transferable risk at renewal.</span></p> <p><strong>Speaker 1</strong>: <span>And it's definitely something that we see as well, and particularly as the</span></p> <p><strong>Speaker 1</strong>: <span>risk evolves and that changes. So what is? Even if the limit that was purchased two or three years ago was sufficient at the time, there's a risk that it might not be now so having that constant process of reviewing and considering what the risk is and how can we buy the right limit to match up to that, I think, is a process that we see happening quite frequently, especially now that we're kind of getting through the back end of the hard market and starting to see slightly more favourable</span></p> <p><strong>Speaker 1</strong>: <span>conditions, particularly around excess layers. We're seeing more and more companies extending the limits that they're buying.</span></p> <p><strong>Speaker 0</strong>: <span>When you look at your book of business,</span></p> <p><strong>Speaker 0</strong>: <span>there's lots of pretty small niche tech companies out there. Do they tend to be pretty good at buying cyber cover in the realm they understand the risks? Or do they think we're geniuses in this space?</span></p> <p><strong>Speaker 1</strong>: <span>So you tend to get a mix of polar ends of the spectrum? You get those companies that really understand the risks that are really concerned about it, so buy the cover, and then you do get those that think, Oh yeah, I know it all. So I'm</span></p> <p><strong>Speaker 1</strong>: <span>I'm immune to this, so I don't need to worry. But what we tend to see is that technology companies are the sector that buys cover most frequently. There's the highest penetration into that sector,</span></p> <p><strong>Speaker 1</strong>: <span>largely due to contractual requirements, I imagine, rather than necessarily them seeing the risk better than other companies. 
But there is that element to it as well.</span></p> <p><strong>Speaker 0</strong>: <span>And we're talking. Our headline is innovation. But a lot of what you've been talking about is actually tells me you're both describing a story that's much more gradual and much more evolution than revolution innovation,</span></p> <p><strong>Speaker 0</strong>: <span>putting thoughts into your head there. I think that's accurate. As I said, the cyber market started writing policies in 1997. It is always going to be a continual evolution compared to the threats that we're facing, but also how clients respond to that. See how the market will develop. I think the biggest changes we've seen in the last 23 years has been the speed of the evolution, and that's definitely something that at Coalition we're pushing reaction to, threats, how we can evolve around that, how we can support our clients.</span></p> <p><strong>Speaker 0</strong>: <span>But certainly the moment we hear a lot about cost of living crisis, not just for individuals, but for firms as well. I think you alluded to that a little earlier, Tom. So what can you</span></p> <p><strong>Speaker 0</strong>: <span>do as insurers to help brokers make the argument for you, said, I won't call it a new type of insurance. But what might publicly be seen as another blinking policy to buy at a time when inflation is taking a real bite into the real value of what firms are earning, how much money they've got to play with?</span></p> <p><strong>Speaker 0</strong>: <span>I think it's a very good time for brokers to be talking about clients about why they're buying any of their insurance policies, actually need a deep thought about what's their risk approach to risk, how they want to transfer it. And actually, the realisation over the last three years they have moved to a far more online remote based organisation means their digital risk has increased. So now is the moment. 
Where is your biggest asset or threat your physical belongings that you have your buildings, those type of assets? Or is it actually more of your cyber exposures?</span></p> <p><strong>Speaker 0</strong>: <span>And in terms of bringing costs down, I mean, are there any obvious things that you can do as an SME that reduces your risk and therefore means you get better terms from Aviva or Coalition or anyone else just because you closed off you shut the obvious gates.</span></p> <p><strong>Speaker 1</strong>: <span>The cyber insurance market has, um, has evolved, has matured a lot over the last couple of years, And that's not a maturity just from a</span></p> <p><strong>Speaker 1</strong>: <span>pushing the rates up and kind of taking a closer look at things from an underwriting perspective. There's actually now a lot more data supporting what represents a good risk. What represents not such a good risk. And actually, there are more favourable terms available for businesses who are able to evidence that they have a good, strong security posture, particularly around particular</span></p> <p><strong>Speaker 1</strong>: <span>elements of that risk. So whether that's things such as having multi-factor authentication in place, having a good backup process in place, having completed something like Cyber Essentials, I know we give a discount to businesses that have gone through that process. I know many of our peers do</span></p> <p><strong>Speaker 1</strong>: <span>as well, So going through that process is not only going to make you a better risk, but also make the insurance slightly more affordable for you as well. Thank</span></p> <p><strong>Speaker 0</strong>: <span>you. What are your thoughts on? I suppose preventative strategies, which I'm sure you would want to align with somebody having a policy. But</span></p> <p><strong>Speaker 0</strong>: <span>what are some of the things you can do? Very much so, And that's very much how we approach our clients. 
We approach look at clients, same way the attackers do. Therefore, if the clients more resilient, they get a better price. A really good example for SMEs: encryption of portable media devices, that has a 15 per cent load for us. If you don't do that, which means for any client we can turn around and say by doing this and many free solutions to this you save 15 per cent. So please do so.</span></p> <p><strong>Speaker 0</strong>: <span>The other aspect, then, is actually looking at what specific technologies they are using, and we're able to recommend which ones are more effective from a return on investment perspective.</span></p> <p><strong>Speaker 0</strong>: <span>And are there any good rule of thumb ratios for every pound you spend on cyber security? Or you're going to save £50 on a three year view? Whatever it happens to be, are there any good rules of thumbs that you found brokers are able to use with clients? I wouldn't have suggested so because actually this is a risk that is not necessarily by the most expensive piece of kit and fix the problem. A lot of this is far more behaviour. It's about making sure the basic things right.</span></p> <p><strong>Speaker 0</strong>: <span>Stephen mentioned Cyber Essentials, for example. That's a really good starting point from the UK government in terms of basic steps an SME can take to improve their posture. And how do you make sure if one of the weak point is people, which it always sounds like On the whole, it sounds like it often is with technology. What can you do to make sure everyone's up to speed? I mean, every day off every six months. What's the?</span></p> <p><strong>Speaker 1</strong>: <span>Invariably people are the weakest link in this, whether that is someone making an error in clicking on an email that they shouldn't, whether it's someone misconfiguring a system when it's being installed. 
That is more often than not the headline cause of claims to one extent or another.</span></p> <p><strong>Speaker 1</strong>: <span>Training is really key as part of that from a user awareness standpoint, making sure that people are aware of phishing emails which are getting more and more sophisticated, and I think that's where we're probably going to see one of the next bits of innovation to pull it back to that. With the likes of ChatGPT and other equivalents coming to the fore, those phishing emails are going to get</span></p> <p><strong>Speaker 1</strong>: <span>trickier and trickier to spot and making sure that people are really aware of not just avoiding the things. That would be evident to most people, such as promises of millions from relatives that you haven't seen in or have never come across, but those that are far more sophisticated than that and much more targeted.</span></p> <p><strong>Speaker 1</strong>: <span>And then it's around the governance processes that business puts in place as well around those for larger organisations around. How do they go around assessing and assuring their systems? Not just at the point of them being installed, but on an ongoing basis as well.</span></p> <p><strong>Speaker 0</strong>: <span>I want to come on to a ChatGPT in a second, But before I do Tom, you were talking about people working from home, and one</span></p> <p><strong>Speaker 0</strong>: <span>thing I've seen as a result of that is the idea of what's your work computer and what's the home? One has got blended over time. I'm sure we've all the number of times all had some say I can join you on that call, but my work computer won't let us do Google chat. So I'll use my home one or whatever it happens to be. 
How much of a danger is there of that blending of work hardware and software and home hardware?</span></p> <p><strong>Speaker 0</strong>: <span>So I think it's a really good example of why there's not a technological solution to cyber as a risk and actually why insurance policies are needed. Because actually, you know your workforce will be, to an extent, actively working around some of the controls we put in place. You know, Stephen mentioned, you know, phishing emails increasing</span></p> <p><strong>Speaker 0</strong>: <span>76% of our incidents last year came out of phishing emails. So despite team members being educated being highlighted, this issues, they're still clicking on these links. So yeah, the moment you increase your attack surface, you enable employees to access for other devices. It's going to increase the risk.</span></p> <p><strong>Speaker 0</strong>: <span>Stephen, you mentioned ChatGPT. So what? What happens when I guess risks and the speed of risk can be</span></p> <p><strong>Speaker 0</strong>: <span>souped up basically as a result of this new technology</span></p> <p><strong>Speaker 1</strong>: <span>is a challenge and a danger, and I think we're only yet to really see the full impact of what that could look like and how it will be harnessed by the criminal fraternity, and it inevitably will be. I said. I think phishing emails are going to be the starting point to that where you can get them to run the script and produce something that is</span></p> <p><strong>Speaker 1</strong>: <span>very compelling and much more likely to be clicked upon. But I think we'll then start to see it being used in other ways as well. And they'll find other use cases for deploying that, which can just make the whole process much slicker, quicker, easier, cheaper for them to run, which then will widen their potential attack</span></p> <p><strong>Speaker 1</strong>: <span>victims as well.</span></p> <p><strong>Speaker 0</strong>: <span>And Tom, presumably you can. 
I mean, I'm sure you can do it manually, but you can scrape quite a lot of data off the Internet about people and create a very convincing, sort of digital avatar of somebody that you know</span></p> <p><strong>Speaker 0</strong>: <span>when it's presented to you, you think, yes, that completely stacks up. I go with that exactly. I think that's it is weaponizing and scaling up already a concern, social engineered attacks. It's making it more applicable. What I would say, however, there's also a benefit to using large language models. And we announced a this year that our platform is using a large</span></p> <p><strong>Speaker 0</strong>: <span>model to help companies understand their cyber exposure and understand their security risk. So when a CEO logs in and sees as a vulnerability, they're able to talk to a bot that explains it in more simple language, actually, what they're being impacted by. So it does scale the attackers. It causes concerns there. But it does enable actually insurers to actually talk to companies in a far more logical way than perhaps we would.</span></p> <p><strong>Speaker 0</strong>: <span>And whether it's boots on the ground or language learning programmes, you're obviously both or your organisations are both sort of scanning for what these threats are all the time. So what happens if you spot one in, I don't know, a small company in Westmorland. Do you tell all your policyholders in Cornwall?</span></p> <p><strong>Speaker 0</strong>: <span>Same time? I mean, how much are you running a service, not just the insurance. It's also a lookout warning system. I think our record at the moment is five hours between when we've spotted a compromise available on the wild Internet and then notified the policyholders impacted by that vulnerability. So if, for example, you had your SME in Cornwall that had a problem exhibited, an attack was attacked. 
In a certain way,</span></p> <p><strong>Speaker 0</strong>: <span>our R&amp;D team would understand it, look at it and then notify the policyholders who exhibited the same behaviour. I think from our perspective, that's key. You know, just because everyone's running in a Windows machine doesn't mean they're all exposed to the same risk. Just because everyone's in Amazon Web Services doesn't mean they're all exposed to the same risk as well.</span></p> <p><strong>Speaker 0</strong>: <span>You got in that space, too.</span></p> <p><strong>Speaker 1</strong>: <span>Fairly similar, I would say, but perhaps focusing more on at the end where it's more likely to lead to a catastrophic loss across multiple customers. So one of my big things I don't want to run the risk of being boy cries wolf with anything that we do and wanting to have some kind of element of materiality or potential materiality to what we do when alerting our customers. But we're definitely keeping tabs on the risks that could have</span></p> <p><strong>Speaker 1</strong>: <span>that big, potentially aggregating exposure, such as the Microsoft Exchange vulnerabilities that happened a couple of years ago, SolarWinds, Log4j, those types of incidents, making sure that we can spot those as quickly as possible and proactively contact the customers that are impacted by them and</span></p> <p><strong>Speaker 0</strong>: <span>looking at the world of threats. Tom, your Coalition, I think you said, started in the States. But are there how geographically specific threats do you see a sort of world where you think, well, if it's in Alabama now, it will be in.</span></p> <p><strong>Speaker 0</strong>: <span>It'll be in Scotland in three months. 
I'm just thinking about how you keep an eye on where threats develop and how. Very much so. I'd say the bulk of the English speaking Western world are probably under a similar threat environment, because if you're a cyber criminal looking to attack as many entities as you want, you get to speak English. You write the email once, it goes out to all the teams. They're also generally reliant on similar infrastructure, very similar maturity levels. So it's very straightforward</span></p> <p><strong>Speaker 0</strong>: <span>proposition from their perspective. But we definitely do see our claims team operate 24/7. Follow the sun. We have a claim notified in the UK we'll start to see claims be notified of the East Coast and as teams wake up and that vulnerability has been exploited. It will start to happen around the world. Is there anything that very round terms? The British are more likely. I hope the British are more likely to attach themselves to, but the Canadians don't. I mean, there must be</span></p> <p><strong>Speaker 0</strong>: <span>so definitely, but I think it comes to maturity levels. So, for example, you will have seen a big increase in Australian attacks recently in the news, the last definitely in April. And that was being driven by a real focus by a number of specific threat actors on Australia as a market where there's opportunity,</span></p> <p><strong>Speaker 1</strong>: <span>there are some geopolitical things that come into play with it, but also there are technological things as well. So I mentioned the Microsoft Exchange vulnerability from a couple of years ago, just a moment ago, and we actually found companies in Germany to be far more affected by that than elsewhere, because in Germany they were still running on-premise email servers far more frequently than</span></p> <p><strong>Speaker 1</strong>: <span>their counterparts in other territories were who had migrated to the cloud to a much greater extent. 
So those are other types of issues that come to play with this</span></p> <p><strong>Speaker 0</strong>: <span>we've got a few minutes left. We've talked a lot around the general environment for cyber SMEs and some of the things you can do. Preventative things you can do on the basis prevention is better than cure. But if something were to go wrong, what is some of the post-event support that you can provide? What are some of the main things? And,</span></p> <p><strong>Speaker 0</strong>: <span>I suppose, given SMEs are such a broad range of businesses, do you find with different SMEs it's a very different service you'd have to offer one from the other, or there are some elements that are all pretty much everybody's got in common,</span></p> <p><strong>Speaker 1</strong>: <span>so there's a certain element of consistency across it all. But every single attack is very different, both in terms of how it was actually manifested but also the impact on the end customer. So everyone does need a slight tweak to that kind of main model.</span></p> <p><strong>Speaker 1</strong>: <span>But generally the main things that we're talking about are the support with incident response, IT forensics, legal partner support, PR support to deal with both the internal and external communications around it, and then various other service providers</span></p> <p><strong>Speaker 1</strong>: <span>might need to be plugged in after that. But one of the ones that often gets overlooked is the emotional support element to it as well, particularly for SMEs. It can quite often be a very traumatising time for them. So everything is set up to make sure that there is an eye on that aspect to it as well, and that things are treated sensitively in that respect as well.</span></p> <p><strong>Speaker 0</strong>: <span>Tom, what's your thoughts on that? I think that is the key reason you buy the policy, especially for SMEs, is they don't have the resource. 
They don't have the number to dial. So anything we can do to solve the claim, not just handle it. We handle it in house with our teams. It speeds up our feedback loops. We can see what went wrong, what we should improve, but also the point Stephen made. This is the worst time for this client, especially for an SME. It's their personal business. It's their personal assets. We need to solve this. We need to get the money back. If it's been stolen, we need to get them back up and running.</span></p> <p><strong>Speaker 0</strong>: <span>That's an area that we've had a lot of success in as being, especially the return of funds. So clawback proposition of theft, of crime losses, for example. So yesterday we had $4.8 million returned to a small business they'd lost through a business email compromise, transferred the wrong amount of money, and our team was able to get that back from the banking system. So that's real, value added and money back to their bottom line.</span></p> <p><strong>Speaker 1</strong>: <span>And cyber is one of those areas as well, where</span></p> <p><strong>Speaker 1</strong>: <span>to draw the parallels back to the physical world again, if someone turns up to their building and it's on fire, you know to call the fire brigade. Without a cyber insurance policy, I imagine people rock up and find that similar type of damage to their IT environment, just not really knowing who to call. And then that can lead to a lot more of a frantic response as well.</span></p> <p><strong>Speaker 1</strong>: <span>We actually had a customer a couple of weeks ago that had this type of incident. They hadn't bought a policy, in the process of getting a quote at the time but hadn't actually bought it.</span></p> <p><strong>Speaker 1</strong>: <span>They were quite a key partner for us on some of the other lines of business, we were able to still support them through the process and give them some guidance around how it worked. 
But their comment was that they would have just been completely lost if they were trying to navigate their way through that without people who had that wherewithal and knowledge of how to handle these.</span></p> <p><strong>Speaker 0</strong>: <span>So to what extent is the amount of business you can underwrite, not down to underwriting limits and how much risk you want, but how much resource you've got to help people in these circumstances? To what extent might say underwriting perspective hundreds and hundreds of millions of pounds of this stuff. But I've only got 50 people who know what they're doing. And until I've got 60 I'm not comfortable writing more policy.</span></p> <p><strong>Speaker 0</strong>: <span>So I think the volume</span></p> <p><strong>Speaker 1</strong>: <span>of this resource isn't an issue for us at the moment, and I don't think it will be in the short term and for the industry at large, both in terms of the underwriting stuff. But more importantly, the fulfilment of the claims where the challenge might come is if there is a big bang incident where you've got thousands of companies</span></p> <p><strong>Speaker 1</strong>: <span>potentially affected at once, and that's not an Aviva issue. That is a market issue where there are a relatively small number of service providers that operate in that kind of space. And if it is into the several thousands of companies, that's going to be really tested for everyone.</span></p> <p><strong>Speaker 0</strong>: <span>Tom, what are your thoughts? And is there a danger that providers think this is quite good? I can</span></p> <p><strong>Speaker 0</strong>: <span>cut corners and where I used to employ people, I've got a computer programme that will cover 90 per cent of. I think scalability is a concern for sure. But again that then comes down to how can you service a wider spectrum? What can you do up front, the vulnerability assessments that we do? 
How can you stop the claims happening in the first place? But I think it also comes down to recruitment, and that's something that as an industry, we're all very much focused on how we can recruit the best talent, cyber security experienced talent.</span></p> <p><strong>Speaker 0</strong>: <span>It's an area that we've got great bench strength. Most of our risk engineers, the teams, they come from a security background, not insurance professionals. About cent of our colleagues are from a tech world, so there's definitely a large expansion there that the market can take advantage of. How do you, how can you make sure that you aren't recruiting somebody who's really good at this stuff, but one reason they're really good is they've been on the other side of this fence, and what do you do to keep tabs on people after they've left to make sure you haven't been a perfect training ground for them to go off and then do something</span></p> <p><strong>Speaker 0</strong>: <span>absolutely horrible that then you know, falls back on an SME somewhere else? That's a really good question. I think from our perspective, most of the areas we're recruiting from are generally the intelligence agencies that GCHQ or the NSA. I think there's a certain level of due diligence that we'd expect of them</span></p> <p><strong>Speaker 0</strong>: <span>when it actually comes where they move on from us. I think we got quite a good retention rate of our staff, but also it does become a discussion actually, one of the biggest concerns anyone should have the threats that brokers have, considering they hold policy information on all their clients. It's a risk to brokers. That's why they're</span></p> <p><strong>Speaker 0</strong>: <span>potential target. It's a threat to insurers; it's why we need to make sure that our security is top notch to make sure that we know we're demonstrating to clients we're doing everything we can to protect them. On that point, 
Steve, what percentage of the brokers do you deal with who don't have cyber insurance? Just as</span></p> <p><strong>Speaker 1</strong>: <span>a question, I couldn't tell you, I guess, off the top of my head. But I would say there's still a fair proportion that don't carry cover themselves. We do provide</span></p> <p><strong>Speaker 1</strong>: <span>cover to a decent number of brokers ourselves. But, yeah, I wouldn't have any idea as to the</span></p> <p><strong>Speaker 0</strong>: <span>No, I was just assuming that you probably wouldn't go out and sell cyber insurance unless you had some yourself. Unless you think it's worthwhile for you, you're probably less likely to</span></p> <p><strong>Speaker 0</strong>: <span>try and pass it on to your clients</span></p> <p><strong>Speaker 1</strong>: <span>potentially. Yeah,</span></p> <p><strong>Speaker 0</strong>: <span>we're almost out of time. But one thing I do want to mention, GDPR. We're coming to the fifth anniversary of GDPR, and I know when we've done cyber master classes in the past, that's been quite a big topic. So as a final thought, just get a sense from each of you what the main consequences of GDPR have been when it comes to cyberspace and innovation. Steve, can I start with you and then let's bring.</span></p> <p><strong>Speaker 1</strong>: <span>So it's a bit of a slow burn, I think certainly far slower than people thought it was going</span></p> <p><strong>Speaker 1</strong>: <span>to be in that two year implementation period in the run up to it going live. There was all this chat about all of a sudden you were going to see these whopping great fines being handed out, left, right and centre. But the reality is that there's still been very, very few fines actually issued out under GDPR. 
There's been far more under PECR, the communications regulation around sending spam texts and the like and things like that,</span></p> <p><strong>Speaker 1</strong>: <span>but actually far fewer coming about because of data breaches or companies having been hacked. What it has changed from the insurance industry is the impact on claim cost. And that's what we saw in part led into the hard market conditions that we've seen over the last couple of years</span></p> <p><strong>Speaker 1</strong>: <span>as we've seen data breaches occurring, even things just like ransomware data being encrypted technically under GDPR, that constitutes a data breach that needs to be reported to the ICO which in turn requires much more in the way of investigation costs, preparation costs to lead to that.</span></p> <p><strong>Speaker 1</strong>: <span>And on the back of those notifications to the ICO, we've then seen much more in the way of litigation being attempted against companies that have had issues. Not a huge amount of it has been successful litigation, but still the process of defending</span></p> <p><strong>Speaker 1</strong>: <span>that or at times making small settlements to people led to this inflation of costs, which would historically and historically in the five year horizon term just being a fix the system, pay a business interruption loss, and then that's it. Having this liability element to the claim is something new that did add an exponential element onto the cost.</span></p> <p><strong>Speaker 0</strong>: <span>Tom, would you go along with that? Very much so, and especially the litigation side. The liability aspect is probably the biggest game changer out of GDPR. Effectively, we gave a huge number of law firms who were previously chasing personal injury or PPI loans the ability to expand that to include</span></p> <p><strong>Speaker 0</strong>: <span>data breach. So we saw immediately after British Airways immediately after easyJet. 
If you're on social media, you would have seen an advert for "Would you like £2000? Were you impacted by the easyJet breach, were you impacted by the British Airways breach?", and those don't get litigated. They get settled pretty early, but it's still a cost that clients are still now having to incur and defend from.</span></p> <p><strong>Speaker 0</strong>: <span>Well, we are out of time. We pretty much have to leave it there. But I want to get a final thought from each, one key message you'd want to leave when it comes to cyber innovation</span></p> <p><strong>Speaker 0</strong>: <span>under insurance. Cyber market. What would that be? Tom, let's start with you. I think the key message that the takeaway we've had from BIBA and other events recently has been brokers are really a key part of explaining to clients their cyber risk, their cyber exposure and transferring that risk. And that's what we're seeing. Going forward. Thank you, Stephen.</span></p> <p><strong>Speaker 1</strong>: <span>We can't underestimate the amount of education that is still needed in this space for everyone. And that's my number one priority for this year at Aviva is how do we really ramp up that education for our customers, our brokers, to help close that protection gap to nudge up that 10 per cent of companies that are buying cover at the minute and get that up to a much more reasonable level.</span></p> <p><strong>Speaker 0</strong>: <span>We have to leave it there. Stephen Ridley. Tom Draper. Thank you very much. Thank you.</span></p>
