Insurance Qualifications: A Practical Guide

In our latest blog, Geoff Guerin, Chief Operations Officer at BHSF shares his experience of taking CII exams, and shares some practical guidance on navigating this process. 

After taking a more senior role within my business, I felt it was important for me to have a better understanding of the context I was working within and have a broader focus than just what my own business was doing.

I spent some time looking at the CII website and found that it was fairly easy to follow and work out what I needed to do to achieve the different levels. I wanted to start with the very basics and took the Foundation Test; I have to admit in retrospect that this wasn’t really necessary and I should have just gone straight in with IF1 (Insurance Legal and Regulatory) but at least I was up and running.

At the same time I knew that I would be able to get some exemptions for my degree and masters and applied to the CII to see if I could get any credits for these. If they grant you these credits, it means that you don’t necessarily need to take all the modules or they will give you some additional credits, which makes getting the qualification a bit easier. It was a bit more expensive than I had thought, and you do have to get your university to supply the relevant paperwork which is a bit of a faff, but to be honest less work than having to pass one of the modules!

After successfully navigating the Foundation Test, I was confident to move through the Certificate modules. I have to admit that I found the textbooks very easy to read and to work through. They are practical and straightforward and link directly back to what I am doing within my business. Even if I wasn’t going to take the exams at the end, just working through the textbooks gave me a lot of information that was informative and useful. However for the exams, you have to buy the revisionmate question packs. I knew that if I could work my way through these and pass, that I would be good to go for the exam and this strategy worked well for each of the exams I took on at the Certificate level. The exams were straightforward and providing you knew what was in the book and had been through the revisionmate questions, I can’t see too many issues in passing the modules. It was also good as I could come into central Birmingham to take the exams at an exam centre on a regular basis so you can be fairly flexible about when you want to take the exams.

After I very pleasingly had passed the Certificate modules, and having been given some exemptions for the Diploma level, I thought I would get moving with the Diploma and work through these modules. Unlike the Certificate I had selected modules that required coursework and the exams. I found the Diploma a bit more difficult; one of the challenges for me was that around my business, very few people had been through the CII exam process so there were fewer people to talk to so that I could get help. I found that my local institute put on revision courses on some of the key topics and this was really useful, especially on Insurance Law and the Finance modules. Also good were the lunchtime lectures that my local institute put on as this helped me use real examples in my answers.

Without question one of the hardest exams I had to prepare for was the Insurance Law exam; I can’t think of a time I have done more preparation in order to pass an exam but thankfully I scraped through! The other exams were straightforward but you can’t get the same revisionmate question packs from the CII, so you are more reliant on being clear you know the book, rather than being able to take a lot of tests to check your own understanding. I also picked off the Finance module and Underwriting and Claims modules; when finished I was pleased to have the Diploma and knew I was a little closer to my goal of achieving the ACII.

Finally I moved onto the ACII modules, and these were all coursework. You have to submit 3 assignments for each module and it was a bit tricky to understand how much they wanted from you when you were writing them; this was especially the case in terms of asking for wider reading. At university I had access to journal articles and you were expected to compare and contrast academic theory before reaching a conclusion. I had tried to go down this route but soon realised that this wasn’t what was being asked of me and then moved to online reading and my own examples which gave me enough academic background to successfully answer the questions. Some of the questions were also more technical and I had to spend more time talking to people in my business and gaining a much better understanding of some of the more detailed elements, which gave me more confidence when contributing to the strategic conversation within my business.

It all took me about two years and I would highly recommend it to any insurance professional. It is hard work but possible to fit around a busy work and family life and it gives you a practical and positive set of skills to progress your career.



Speech by Jonathan de Beer to the Birmingham CII Annual Conference 2018

Good morning. Thank you very much for that kind welcome and for the invitation to address your conference today.

I’m sure I don’t need to tell you, but we live in very uncertain times. Germany have failed to make it out of the group stage of the World Cup for the first time since 1938. The hottest place in the UK last week was in North Wales, with a sweltering 33 degrees. And most surprising of all would be if Dani Dyer and Jack Fincham don’t win Love Island.

Unfortunately, I’m not going to spend the next 20 minutes talking about the World Cup, the weather or Love Island. And before you all rush for the door…I am instead going to focus on the political and regulatory uncertainty that faces our industry, with a specific focus on Brexit.

But first I should probably say a little bit about the ABI and this industry we all work for. For those of you who don’t know the ABI is the voice of the UK’s world leading insurance and long-term savings sector. We have over 250 members, from household names to specialist providers. Our role is to get the right people together to help inform public policy debates and engage with politicians, policymakers and regulators at home and abroad. We are the public voice of the sector, promoting the value of its products and highlighting its importance to the wider economy. We help encourage consumer understanding of the sector’s products and practices. In short, we are here to support a competitive insurance industry.

The UK insurance and long-term savings industry is the largest in Europe and the fourth largest in the world. It plays an essential part in the UK’s economic strength, managing investments of £1.7 trillion and paying nearly £12bn in taxes to the Government. This industry employs over 300,000 individuals, two-thirds of whom are employed outside of London. UK insurers contribute around £35bn to the UK economy. Let’s look specifically at the significance of the Birmingham and West Midlands insurance industry. 13,000 people work in the insurance and long-term savings industry in the West Midlands, 7,800 of those jobs are in Birmingham alone. In Birmingham you contribute £850m a year to the economy. In the wider West Midlands that increases to £1.2bn. The insurance industry plays a big role in supporting West Midlands manufacturers. Especially through providing commercial covers like trade credit, professional indemnity and engineering insurance.

Let’s get back to talking about uncertainty. Uncertainty is part of everything we do in this industry. Insurance is all about taking the uncertainty away from people and businesses every day. We allow people to save safely towards their retirement, 15 million employees contributed to a workplace pension in 2015, a number which grows every year. We help put lives back together after a flood or car accident, £46m was paid out each day on  private motor and property claims. We allow businesses to invest and innovate safe in the knowledge that we have got their back if the worst happens. We operate in every part of the country, touching the lives of almost every family, every business, every day. I know it’s why I’m proud to work in the insurance industry and I’m sure you are too. I’ll now focus on everyone’s favourite subject, Brexit, and what it means for our industry.

There seems to be nothing more uncertain in the current political environment than the negotiations for the UK to leave the European Union. The outcomes of these negotiations matter greatly for our industry and it is why the ABI has been working non-stop for two years on key insurance concerns. I will dedicate the bulk of my remarks today to this challenging issue facing our industry.

What do we know?
When the UK Government triggered article 50 of the Treaty on the Function of the European Union it set a deadline of March 2019 for the UK to formally leave the EU. The European Commission has also set a deadline of October 2018 to have completed the negotiations. This will allow the EU enough time for the deal to be debated and voted on in the European Parliament and the UK parliament to have a meaningful vote on the deal too.

Since the day the UK government triggered Article 50 the UK and EU have been negotiating the arrangements for our withdrawal from the Union. They are not able to talk about our future arrangement between the UK and EU until a number of key areas are locked down. The most important issues identified by the negotiating teams are: the rights of UK and EU citizens, the special relationship between Ireland and Northern Ireland and the financial settlement (sometimes called the Exit Bill).

Good progress has been made on a number of these issues, but as you will have seen from endless news reports a solution for issues identified around Ireland and Northern Ireland has proved very challenging. In March 2018 there was a positive announcement from the negotiations in the form of a transitional agreement. This said that the UK would continue to enjoy the benefits of being a member of the EU and would follow its rules until December 2020. However, this agreement is still only political in nature and doesn’t yet have legal force and so companies must take a judgement about whether they can depend on it.

So, why does this all matter for us. You will have probably also heard the phrase “Nothing is agreed, until everything is agreed”. The Withdrawal Agreement between the UK and EU is a package. If one part fails, then every part fails. If no deal can be reached once the article 50 deadline expires then the UK leaves the Union and will be treated as a 3rd country with no rights or obligations.

This is the outcome that Governments and businesses have been most keen to avoid because of all the uncertainty it entails. It is why for most of the last 2 years businesses have been focusing on their contingency planning to ensure they are able to cope with a “no deal” or “cliff edge” scenario.

Insurance and Brexit
Brexit raises a number of direct issues for the insurance industry. What will the laws and regulations that govern our industry be the day after Brexit? What will happen to cross-border contracts sold before Brexit, how will those customers get paid? How will insurers continue to sell and service cross-border business after Brexit? How will cars be insured if they drive across a UK/EU27 border – an issue of vital importance not only to our customers on the Ireland and Northern Ireland border, but to freight transporters too? How will the European Health Insurance Card operate after Brexit and what impact will that have on travel insurance policies? And then there is data. Data is so vital to our industry and is involved in all parts of the insurance process. What will Brexit mean for the ability to transfer personal data between the UK and EU?

I believe that we start with a simple proposition – upon exiting the EU, insurers and long-term savings providers want to ensure that they can honour their existing obligations and continue to provide consumers with peace of mind.

The treatment of existing contracts, which have been written in or for a customer in a different EU member state, presents an urgent challenge. For example, a customer who has purchased their pension in the UK may have decided to live in Spain following their retirement. If the UK pension provider is not authorised to carry out insurance business in Spain after Brexit, then it may be illegal to pay the customer their pension or accept any further pension contributions.

The Bank of England estimates that there are 48 million policyholders affected by this problem. From the UK into the EU there are 38 million policyholders and £55 billion of liabilities. From the EU in the UK there are 10 million policyholders and £27 billion of liabilities.

The ABI welcomed the Government’s commitment, announced by the Chancellor on 20 December, to introduce UK legislation for a “temporary permission” regime for existing EEA insurance contracts in the UK. This will protect the contractual rights of the British customers of European firms.

However, the other side of the issue – the ability for UK insurers to continue servicing EU customers – remains unresolved. Insurers are implementing contingency plans to mitigate the extent of the problem, but private action is only a partial solution. We continue to urge the government and the EU to continue pursuing a political agreement as part of the Article 50 negotiations to allow existing contracts to run for the duration of their term. This should be supported by ongoing supervisory co-operation between the UK and EU regulators. There is now a regulatory forum chaired by the Bank of England and European Central Bank which will discuss “cliff edge” issues. We hope that this will allow the challenges around existing insurance contracts to be addressed.

We also need to preserve the UK as a centre of international insurance.

The UK hosts a significant volume of European and international business through inbound EU branches. This includes European insurers who service their retail and commercial clients through a UK branch. Once the UK leaves the EU, insurers need to have converted these into either a UK subsidiary or an international insurance branch.

On 20 December, the PRA also launched a consultation on its revised approach to the authorisation and supervision of international insurers. The ABI has welcomed the PRA’s pragmatic approach which assumes that current levels of co-operation between supervisors will continue and takes into account where the home EU member state’s regulatory regime is “broadly equivalent”. The PRA has also confirmed it has the power to grant forward looking authorisations to EU branches that need to be converted into new entities. This is welcome certainty for those insurance companies affected.

We need to understand how individuals will access European healthcare after Brexit
The European Health Insurance Card (EHIC) enables UK residents staying temporarily or visiting another EU country to access state-provided healthcare. 27 million EHIC cards are in circulation in the UK and 1% of those cards are claimed against. The UK spends significantly more, approximately £155 million annually, on reciprocal healthcare than it receives from EU citizens, reflecting the large number of Brits travelling and living in the EU.

If the Government do not find a suitable solution for continuing the EHIC, then consumers, particularly those with pre-existing medical conditions, may not be able to access affordable healthcare or emergency healthcare when travelling abroad.

This continues to be a big issue for travel insurers and we continue to work closely with the Government and the Department of Health and Social Care to help develop solutions.

What about the ability to drive across borders?
Currently travel within the EEA does not involve border checks; this is a result of the Motor Insurance Directive. When the UK leaves the EU, the UK will no longer be part of the Motor Insurance Directive, which abolishes the need for consumers and hauliers to carry a physical “Green Card” to travel inside the EU. Furthermore, the current arrangements also guarantee that consumers have third party motor insurance when visiting other countries and provide victims of motor accidents in the EU with a route to compensation in their own country and language when a visiting motorist causes any damage.

If this issue is not addressed, smooth cross-border travel will not be possible and victims of a motoring accident abroad will have to pursue claims against a foreign body directly, potentially in a language which they are unfamiliar with and without the aid of an information centre to identify insurance details. Re-introduction of physical Green Cards would also create significant administrative and logistical hurdles for commercial  transport where motor insurance is on a fleet basis.

We are hopeful of a positive outcome in this area and the Department of Transport has committed to keep the UK part of the paperless Green Card regime post-Brexit.

Transferring personal data between the UK and EU
We know that the UK has fully implemented the General Data Protection Regulation, GDPR. Not least, because like you not a day goes by without an email from some organisation informing me that they comply with the new law.

Without any future agreement, upon Brexit the ability for companies to transfer personal data between the UK and the EU will cease. Just think about the impact for your company. If you were not able to use a customer’s personal data to price a product, underwrite a policy or pay a claim.
It is important that the UK and EU negotiate a Data Adequacy agreement that allows for data transfers to operate seamlessly and effectively after Brexit.

What will our laws be after Brexit?
The Government has now passed the EU Withdrawal Act. This is the legislation that effectively transfers all existing EU law onto the UK statute books. This is important for our industry as many of the regulations that govern the conduct and prudential rules for insurers were made in Brussels and Frankfurt.

The next stage is for secondary legislation to be passed which will allow ministers and regulators to correct parts of the transferred law that are no longer compatible once we leave the EU and give new powers to regulators. The important point here is the need for clear and effective parliamentary scrutiny of the powers being transferred. These laws and regulations were scrutinised by Members of the European Parliament the first time round and should receive similar levels of scrutiny in the UK. Taking back control of laws and regulation should not result in an unaccountable transfer of power to the regulators.

Where does that leave us?
As I have outlined today the insurance industry faces a great level of uncertainty from Brexit. In fact, I think Danny Dyer Senior accurately described it last week as “this mad Brexit riddle”. The ABI has been helping firms to try and navigate this uncertainty and solve this riddle in the best way we can, through open and honest dialogue with politicians and regulators in the UK and the EU. Because as I have highlighted the stakes are very high if we don’t find acceptable solutions.

We have made good progress over the last two years but there is still a long way to go in the Brexit process. We need to continue to work hard so that:

• We keep our promise to our existing customers
• Travellers and motorists have effective cross-border insurance options
• There is a free flow of data between the UK and the EU
• There is adequate scrutiny of our laws and regulations
• The UK as an international centre of insurance is protected

This all needs to happen for there to be a sensible Brexit outcome for our industry and customers. So that some of the uncertainty becomes a little easier for the industry to manage. And let’s be honest, so that we are able to get back to the World Cup, the weather and Love Island!
Thank you

Hello, Is there Anyone Out there?

Did you know approximately 44% of CII members don’t receive any email updates from the CII and no notifications from their local Institute about CPD or networking events going on locally?

You have paid your membership fee and are entitled to receive this information but you haven’t ticked a box to opt in to receive information. As such you will miss out on being told about the events your local institute is running for your benefit such as valuable CPD and Networking Events.

To be informed all you need to do is log into the CII website and update your profile.

There are three boxes to tick for data protection purposes.

  1. Allows the CII to update you about what they are doing and email you electronic copies of the Journal and about updated Affinity Benefits amongst other things.
  2. This allows your local institute, who has part of your membership fee to spend on CPD events, to tell you about local CPD events like lectures, seminars and other networking and social events being organised (5 aside football; golf tournaments; quizzes etc.).
  3. This allows the CII to share your information with your employer.

You can tick as many or as few of these boxes as you want. This part of the website page is pasted below.

Data protection and privacy

The CII will ensure that your personal data is processed in line with Data Protection legislation and the CII Data Protection and Privacy Statement (available at To process this request, I consent to the CII processing my data.

Privacy and electronic communications regulations

In order to keep you informed in a timely and cost-effective manner, the CII uses email as our principal method of communication. From time to time, we may wish to electronically draw your attention to other CII products and services which are likely to be of interest to you. Tick this box to consent to receiving marketing communications from the CII by email.

To opt out of postal marketing communications from the CII and your local institute please send a request to Customer Service at

Sharing your data with local institutes

CII local institutes provide access to a programme of services including CPD events, training and networking opportunities designed to support you and complement your CII membership. We will share your data with your local institute (UK, Channel Islands and Isle of Man based members only) so they may send you relevant email communications. Tick this box to consent to the CII sharing your data with your local institute.

Sharing information with your employer

The CII may receive a request from your employer to provide it with details of your assessment record and accreditation including all attempts and future entries, along with your CII permanent identity number. Tick this box to consent to the CII sharing this information with your employer.

A New Venue: Birmingham Insurance Institute Conference 2018

Following on from last year’s conference we have taken on board a number of suggestions from members to help improve this year’s conference.

The conference this year will be on Monday 2nd of July and it will be held at the ICC here in the centre of Birmingham.


The ICC offers a number of benefits to us, including the ability to hold both the conference itself and the breaks, including lunch, physically next door to each other. The venue is fully accessible to those with disabilities and with a light and airy exclusive reception area the rooms we use should ensure an easier flowing event. The more prestigious venue will also help attract speakers.

We will be running a single stream of talks this year with the intention of attracting both high quality and topical speakers all day. The conference this year will have a General Insurance theme.

Following feedback from members working in the financial services sector it is our intention to also run a half day conference (to be finished by 12PM followed by a networking lunch) aimed specifically at those working in the financial services sector with technical and informational talks rather than sales related topics.

We hope to be able to announce the key note speaker and additional speakers for the conference shortly.

If you have any suggestions for topics to be covered at either conference or speakers you would like to hear then please let either the BII office; Omar Khan or myself know, or reply to the various social media feeds this blog post has been listed on.

One final thing: Please save the date for Monday 2nd of July for our conference at the ICC. You won’t regret it.

Many thanks.

Ian Harris

Head of Finance & Management, Birmingham Insurance Institute.

Inspiring the Future: Diversity in Insurance

In this blog post Susan Sharp from The Children’s Society explores whether the insurance industry is doing enough to promote diversity, and  challenges our members to do more by engaging with the region’s young people via work experience placements. 


Susan Sharp

The session on diversity and equality at this year’s BII conference rang a chord with me, as diversity has been an important part of the last decade in my workplace. I work for a national children’s charity – The Children’s Society – as their in-house insurance manager and this has been a topic that we have been addressing for a long time. It’s important for a charity to be authentic in its behaviour and many local authorities place particular importance on this when we want to work with them. What I have learned is that being different is not ‘wrong’ – it’s just that, asking to do something differently isn’t disruptive, it’s thoughtful and changing attitudes is easier than you think. I have spent over 30 years working in the insurance sector, but what does strike me when I go to a BII event or lunchtime lecture is how little the demographics of the local insurance community have changed from when I first started work in the early 1980s, although the diversity of the immediate Birmingham and West Midlands conurbation is much different.

Insurance is a product that likes its consumers to fit a criteria – so in the not too distant past, life assurance was off limits for gay men, ‘spouse discounts’ were definitely for Mr and Mrs, inner city residents were regarded as ‘high risk’ for the crime of living in the wrong postcode. So when we don’t encourage these communities as consumers is it any wonder they wouldn’t feel welcome in the working environment? And it also unnecessarily allows prejudices to perpetuate.  But the insurance sector prides itself on its ability to evolve, to meet changing needs, ‘nothing is uninsurable’… so we need to apply that same can-do attitude.

My organisation has actively encouraged all its staff to enrol with ‘inspiring the future’ website as potential speakers to schools and through this I have undertaken a number of careers talks, with many of those in inner city schools in Birmingham. My charity works with some of the most disadvantaged children – they face multiple issues but poverty of opportunity is one of the saddest, and one that we could all do something to help on.

Of course, virtually all the youngsters that I speak to have no idea what insurance is about, nor do they realise the number of opportunities that could be open to them because it’s something that doesn’t appear on their radar – often they are first and second generation immigrants. We are a country where the financial services sector is dominant, but in many respects it remains closed off to youngsters, although we all need insurance…  I have to admit I was the same at their age, but I quickly learned that insurance as a career can be fulfilling –  there are many interesting strands underpinning much of everyone’s life.  One time I had to follow a surgeon on a careers talk and my opening remark was, ‘who picks up the pieces if he gets it wrong?’

So once again, have things changed that much in 30 years – do we still keep it under wraps as a career choice?  I’d like to ask all my peers – how did you get started in  insurance – did you know someone, did someone tell you about it, but more importantly did someone offer you a chance – a helping hand – even if you didn’t go to the best of schools, or get the best of results?  And do we share that goodwill in the same way and reach out and help some of our future generations?

What I would like to ask is if BII members could consider offering a work experience placement this year to a child from one of those inner city schools – both being authentic to diversity and equality goals and as a personal gesture of addressing the poverty of opportunity[1].

Perhaps there’s no better example of the ‘hidden’ talent on our doorsteps than this short story of a young Syrian girl, Maya[2], that my charity worked with in Birmingham. She was nominated for a Diana award and received this from Princes William and Harry for the work she did with us as an ambassador for The Children’s Society giving local talks. She also received a scholarship to study Engineering at Brunei University. Here is a clip from the Channel 4 feature:  .


[1] Schools need a pledge by Jan/Feb 2018 for the placement period in July.  St Albans School in Highgate Birmingham would dearly appreciate some responses.



Introducing Birmingham Mind & our puffing and panting President…

In our latest blog, the BII’s President, Nikki Southwick-Gough provides an insight into the reasons the Birmingham Insurance Institute are supporting Birmingham Mind during her Presidential year.  

A lot of wriggling, contortion, puffing and panting goes on in my house early every Saturday morning. It’s because of Bertha. Here she is – albeit inside out ‘apres swim’.

Much has been written about Mindfulness and this slinky lady is how I access my own version of this. It was as much a surprise to me as anyone. I started Open Water Swimming on Easter Bank Holiday Monday 2017. I was nervous as anything and luckily had my wonderful husband alongside me to stop me chickening out of giving it a go (which I would have done).

I’ll be honest, I was feeling overwhelmed.  My father had died 2 months earlier and I’d coped by working at an even faster pace than I normally do – which is really saying something.  It had begun to feel like I was in a car accelerating beyond my control.

Somehow, I knew I needed to access some blank space.  I used to swim well as a teenager but hadn’t really done so for years however it was the cold water and the thought of what that might be like which made me want to give it a try.  I struggled around a 360 metre lap in an untidy combo of breaststroke and just kicking my legs facing the sky whilst taking advantage of the buoyancy afforded by the borrowed wetsuit.  I was exhausted by the end of it, but laughing.  I instantly knew I wanted to do it again and I felt completely restored by the water.

Fast forward 3 months and that first endeavour has now turned into 3-4km a week over 1 or 2 sessions.  Always at least an hour at a time of rhythmic, metronomic motion, controlled breathing and moving through the cold, cold water and without fail at 20 minutes in – I find Nirvana.

The reason I’m sharing this little personal insight with you is because it will give you an insight into why it is that I chose Birmingham Mind to be my chosen charity for my Presidential year at the BII.

The fact that 1 in 4 people will experience a mental health problem at some point in their lives isn’t news any more.  Positively, this is now receiving focus at Parliamentary level and significant work seems like it will be done to switch the focus from treating mental illness to enabling mental wellness going forwards.

There are First Aiders in every office in Birmingham.  Employers rightly fund their staff to be appropriately trained to cope with accidents and illness and know the next steps to take.  I wonder how many employers would send someone from their organisation to attend a Mental Health First Aid Course that would help an organisation who might otherwise be unsure how to respond to someone who appears to be experiencing a mental health problem and give someone the skills, knowledge and confidence to respond helpfully and support their employee’s recovery?

MHFA courses are just one thing that Birmingham Mind offers in its menu of services and in conjunction with the Birmingham Insurance Institute, an introductory session on this topic as part of the inaugural Birmingham ‘Dive In Festival’ taking place 26-28 September this year.

Birmingham Mind is the largest independent mental health charity providing services in and beyond the City of Birmingham’s boundaries promoting wellbeing and recovery services by providing high quality support and challenging the stigma of mental distress.

During my Presidential year, we can make a real difference by raising vital funds for Birmingham Mind and changing people’s lives for the better.  All monies received will be carefully applied to benefit those in the community of Birmingham who are experiencing mental distress.

The BII Birmingham 10K and 5K Run is just one event taking place this year planned to raise money for this great charity.

You can register here

You can also expect to hear details of a wetsuit-based personal challenge from yours truly soon!

Thanks for reading


Nikki Southwick-Gough

President, Birmingham Insurance Institute

How to be better prepared for a global ransomware event

The ‘WannaCry’ ransomware attack earlier in May was a timely reminder of the cyber attacks facing all businesses, whether large or small.  The attack reportedly infected 230,000 computers in 150 countries, with big names such as the NHS, FedEx and Telefonica affected.  In this guest blog, JLT Specialty’s Josephine Tam considers how cyber insurance can assist companies in managing such risks. 

The global ransomware event of the last few weeks, called WCry, WannaCry or WannaCrypt, underscores the potentially widespread impact of a single cyber vulnerability. There are a number of ways that the aggregation of cyber risk can manifest itself in the insurance market, but perhaps this is the “cyber hurricane” that cyber insurers have been worrying about?

Well, yes and no. It’s certainly highlighted the speed at which a cyber attack can propagate itself, but will it actually be that expensive for the insurance market? We probably won’t ever know the total cost of the incident, but even a reasonable estimate will be difficult. The components of financial impact to infected organisations will include elements of incident response (internal and external), ransoms paid, increased cost of working or attempting to work while the systems were impacted, lost income due to the interruptions caused by the incident (everything from ATM fees to the cost of stopping production lines), and the potential for lawsuits or regulatory investigations that may be yet to come. The less quantifiable harms from the incident include patients waiting indefinitely to be released or treated in hospitals as test and x-ray results were unavailable.

When contemplating cost of the incident and insurance, issues will include incident response handled internally vs. externally (is the overtime of having your IT staff work 24 hours covered?), betterment (if you failed to patch and now must do so, is the cost betterment?), and which policy should respond (do you have elements of cyber extortion cover in your kidnap and ransom (K&R) and have you purchased a cyber insurance policy yet?). A properly constructed K&R policy will provide your organisation cover for the cost of dealing with a cyber-triggered extortion demand (including paying the ransom and related expert crisis management).

The largest component of financial loss from this incident, however, is likely to be the resulting business interruption arising from the incident, something that K&R insurers currently cover on a ground up basis. We have noted that, over the past 18 months, K&R insurers have increasingly realised that this leaves them heavily exposed to a systemic cyber business interruption loss. Given that fact and the scope of this incident, it will be telling to see how the market responds. Buyers currently benefit from the way the K&R market provides this element of coverage with no deductibles and unlimited response expense outside the policy aggregate. While we believe the cyber market can and should address these exposures, it’s critically important that the insurance market as a whole behaves responsibly and buyers aren’t left without protection.

This incident is politically fraught for a number of reasons. In this unique case, the ransomware perpetrators incorporated vulnerabilities called ETERNALBLUE, stolen from the USA National Security Agency (NSA) by a cyber crime group known as the Shadow Brokers. However, Microsoft patched the vulnerability on 14 March 2017, prior to the Shadow Brokers leak which included this and other vulnerabilities stolen from the NSA.

Saying that companies should “just patch” and avoid this sort of incident is perhaps overly simplistic. There are myriad reasons, particularly in industries reliant on legacy systems and internally developed software, why simply applying a patch isn’t feasible. However, this underlines the importance of taking mitigating steps when a patch can’t be applied, for example in this case disabling the feature where the vulnerability lies.

So what?

Companies with cyber insurance

If you’ve been affected by the incident and you have cyber insurance and/or K&R insurance, report it immediately. If your renewal is imminent, be prepared for insurers to focus in greater detail on your patching process, any remaining instances of Windows XP (not directly related but likely to come up in any case), and if you currently have any systems with this SMB vulnerability. Run this scenario through your existing insurance portfolio including your cyber insurance:

  • Does the business interruption coverage trigger if you’ve voluntarily shut down your systems to prevent a known?
  • Do you know who to call to assist with a ransomware incident?
  • Is there coverage with a lower deductible under other insurance policies like K&R?

Make sure your K&R and cyber insurance policies are properly coordinated to give you maximum coverage. K&R insurance can be structured as a deductible in-fill to a more comprehensive cyber program, so make sure that your cyber deductible will be eroded by the K&R.

Companies without cyber insurance

First, if your company has been impacted by the ransomware, check your K&R policy as well as other insurance policies to see if you already have slices of coverage. If there’s a possibility, best practice would be to report it immediately. K&R policies will provide help with incident response, and if you don’t have one in place, now is a good time to consider one – it’s a relatively painless process. Second, buy cyber insurance. It’s really time.

Considerations for insurers

There are a number of considerations for insurers in cyber and traditional lines, and many are deep in the process of understanding their embedded cyber risk in non-cyber lines of business. Incidents like this one do underline the potential for cyber extensions in other lines of business to be widely triggered.

It’s important to ask the right questions, and while asking clients to describe how they deploy patches isn’t new, this new incident will most certainly trigger more discussion. The answers may not always be straightforward, and our hope is that insurers will not take a reactive position and simply decline risks who have exceptions to their patch deployment policy or worse, attempt to reintroduce restrictive “failure to patch” exclusions.

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on

Josephine will also be joining a panel discussion on cyber risks at the Birmingham 2017 Insurance and Financial Services Conference at the Birmingham Rep on the 12th of July. Book your place at: