HK takes a closer look at cyber insurance

Brokers like JLT start from a base policy template, but they add tailor-made provisions based on a client’s specific risk exposure.

Watch the language used

Aon, another leading insurance broker, advised that companies should look to purchase a cyber insurance policy that is robust and broad in its language.

“In negotiating amendments to policy workings on behalf of clients, one major challenge is ensuring the policy will respond to a threat that does not currently exist in light of the changing nature of the threat (although noting that the losses largely arise out of more common attack means such as phishing),” said Andrew Mahony, regional director, Financial Services & Professions Group, Aon Risk Solutions.

He also pointed out that each policy has strengths and weaknesses, and he echoed the need for companies to secure a tailor-made policy.

“Companies should certainly instruct brokers to secure a bespoke policy to the specific needs, vulnerabilities and capabilities of the insured company,” Mahony said.

Asked how much cyber insurance costs, Mahony replied that it varies based on a range of factors.

“Some companies are unable to change easily due to industry, international exposure, quantity and nature of data held and loss history. Other companies can address – in order to avoid exorbitant premiums – audit and penetration/red team testing history and results; organizational approach to cybersecurity, and policies, plans, and protocols in place relating to data, systems and incident response.”

“Notwithstanding the potential variation in cost,” he added, “premiums are generally 25%-50% cheaper than in other parts of the world, which correlates with the loss experience in Asia.”

Aon believes cyber risk exposure and the value of a cyber policy can be difficult to assess in a vacuum. These considerations benefit from a holistic response to cyber risk, including a clear understanding of associated loss quantum and a security assessment of existing symptoms.

“In order to perform such a risk quantification exercise, our actuarial specialists, in consultation with technical coverage experts, conduct a Probable Maximum Loss (PML) assessment, which quantifies exposure to cyber risk based on an in-depth understanding of company systems, protocols and threats as well as actuarial models developed from Aon’s cyber event data resource. Aon then sets out its findings and recommendations for appropriate policy limits and retention,” Mahony said.


Like JLT, Aon sees the need for a strategic partnership with cybersecurity professionals. Indeed, Aon has acquired Stroz Friedberg to complement its existing expertise in cyber risk quantification and risk transfer.