Cyber Savvy Broker: Andrew Marvin
Technology is transforming the way small and medium-sized organisations do business, but it’s also increasing cyber risk. Brokers are now more critical than ever in the cyber insurance market, where their expertise and trusted relationships are helping businesses to tackle cyber risk management in addition to ensuring they are choosing the right cyber cover.
Our 'Cyber Savvy Broker' series highlights forward-thinking brokers with the knowledge and skills to help their clients navigate this digital transformation.
Andrew Marvin is Client Service Director and a cyber leader at global insurance broking and risk management firm, Gallagher. We chatted with him about his insurance career, his views on the UK market, and preparing clients for the ever-changing cyber risk landscape.
Tell us about your career so far.
I've always been in insurance, and at the same time I’ve worked for many years supporting swimming events with sports presentation, which is where you engage the audience in between the action. It’s a similar set of skills coming from a place of understanding the client — spectators shouldn’t just sit in the stands and wonder what’s happening: they need to be entertained and informed.
As a broker, you've got to be able to bring risk to life. So, knowledge and understanding of the risk is important in order to help your clients understand how they could be impacted.
I started to focus on cyber about four years ago. Gallagher recognised that the market was changing and cyber attacks were becoming a significant risk for businesses. Tom Draper and I had worked very closely on our cyber product launch. At the time, we knew that we needed to expand our own knowledge and, more importantly, the knowledge of our account executives to better educate our clients.
Then the hard market kicked in, which clearly brought challenges to us and our clients, followed by COVID-19 and working from home, which coincided with a significant increase in ransomware threats. The market then changed, and new controls were needed, and at that point, the education piece became really critical.
Today we are constantly working on identifying new threats and analysis, enabling businesses to make changes to their security controls.
What’s the key to being an effective cyber broker?
A famous politician once said, "Education, education, education." I would say the same thing — you've got to understand the risk; you’ve got to understand the loss, the pain that a cyber attack causes, and how threat actors operate.
A client may say, 'I’m a small business. I've got an IT manager. No one's going to come after me.' That’s when you’ve got to be able to bring the risk to life and work with an insurance partner that can help, understand and work with your clients as well.
As the Gallagher representative on the National BIBA Cyber Committee, I see lots of different sized brokers all with slightly different views. But I think we are all on the same page about the importance of knowing the risk and understanding how clients can manage it, so they know what the threat and impact could be.
Has understanding of cyber threats and of the available data changed a lot in the last four years?
Availability and understanding of the data has gotten a lot better. We've got the likes of IBM and KPMG reporting on cyber. We've got the indices from insurers such as Allianz and Aviva that surface the data. Insurers such as Pen Underwriting, CFC, and Coalition are consistently sharing a lot more information on the changing nature of cyber.
Threat actors aren't going away when there’s money to be made; they're not going to pack up their bags and say, 'Hey guys, let's find something else to do.' What we're seeing more of now is business email compromise (BEC). We're seeing fraudulent fund transfers, typically driven by BEC. And then you've also got the impact of third-party providers. LastPass and SolarWinds are prime examples. Companies have got to do the due diligence on their technology partners.
Is cybersecurity awareness and education the responsibility of the insurance industry?
If we're not talking about it, who is? You can have the most secure system in the world and spend eight figures on your cybersecurity, but avoiding cyber threats still relies on someone doing the right thing, whether that be a third party, a subcontractor, or one of their employees. So it's that mix between risk control, security and infrastructure knowledge, and risk transfer with the insurance mechanism.
What is becoming increasingly important is perimeter defence: MFA, EDR, backups, and recovery solutions. We also need to educate around employee training. It used to be something that the IT team did, but we're seeing an uptick in risk, and it's no longer the responsibility of just the IT team. It's a responsibility for all departments to understand cyber risk, and understand the nature of the risk in their individual role. So constant training, phishing tests, and ensuring employees understand what they’ve learned is important.
What does the insurance industry need to do better?
I think people in the sector coming out and saying cyber is uninsurable isn't terribly helpful, because that’s often picked up in the press. Cyber is insurable. It's about the controls that you have in place to manage your risk.
No business would expect an insurer to cover a paper factory without having a fire protection system. No one would expect to have employers' liability cover and not train employees about health and safety in the workplace. I think most clients get that. They are seeing, almost daily, cyber having some impact on their lives or on the news. So they know there's a risk there. Then it's up to people like my colleagues and me to say, 'This is what your risk looks like, and this is where your premium terms are going to be.'
The market has also started to mature. Clients have gone through a couple of tough years, and we're coming out on the other side now. But the risk is still there. We shouldn't shut up about it. We need to keep on pressing that, because cyber is a top-five risk in every market index you see.
What is the client expectation of what cyber insurance is and how it could help?
My job is to educate the client, and help them understand not only where the risk is, but also how I can transfer some of that risk. I have to explain what is and isn’t covered. The standard policy has expanded over a period of time, the cover has widened. Price is always going to be important to clients, but from a cyber perspective, breach response with really good, consistent 24/7 support is critical.
From a Gallagher perspective, we're taking that further. Clients want to know what they should do in the event of an attack, so we’re talking to them about building incident response plans.
I've read that businesses that have been hit by a successful cyber threat take 21 days to recover on average. When they have no business continuity or disaster recovery plan, that 21 days easily doubles or triples. So our focus is on risk control and how to plan for something you hope never happens.
Improve your cyber knowledge with Coalition
Cyber insurance is one of the fastest-growing insurance products and a massive opportunity for brokers to grow their book of business. Coalition's Cyber Savvy program equips you with the tools and knowledge to deepen your cyber risk expertise and advise (and protect!) your clients.
You can access more free Cyber Savvy Broker resources to continue your learning journey.