With the ever-evolving nature of cyber threats, it is important for the insurance industry to keep up to prevent huge losses stemming from unforeseen exposures.
According to one expert, the insurance industry has a need for sufficient data to help underwrite cyber risks, which are present in almost every aspect of this increasingly interconnected world.
“It’s important for insurers to understand exposure by leveraging as much information and data as possible in order to underwrite their clients carefully,” said Samit Shah (pictured), insurance solutions manager at BitSight, a US-based data analytics and cybersecurity ratings provider.
“Applications provide a source of data, but it can be limited and subjective,” he said. “Many carriers are finding that alternative data sets (including security ratings) are useful tools in providing a broader scope of the risk and security performance. Insurers can also actively engage with insureds to help them understand their own cyber risk during the lifetime of their relationship.”
Shah stressed that insurers should not just think of loss control as something to be done at binding or renewal. Instead, engagement should be ongoing.
A supplement to underwriting methods
According to Shah, there is a growing interest from insurance carriers around the world, including Asia, to supplement their current approach to underwriting cyber risk with objective ratings information. This is especially true here where there are many emerging markets and insurtech is exploring spaces that traditional insurers were not able to reach.
“Many new insurers are leapfrogging some of the issues caused by relying on information collected from traditional application forms by integrating robust objective security information,” he said.
“The Asian insurers BitSight is speaking with are also very motivated to engage their clients directly to improve their security performance with objective security information. They realise that the value that they provide goes beyond an insurance policy and is further differentiated by giving customers visibility into their own security posture.”
Due to cyber risk being a fairly new threat, Shah believes that the insurance industry must first succeed in quantifying the risk in order to insure it.
“Insurers should work with organisations that can bring new insights into quantifying cyber risk through both internal and external sources of data,” he said, “Organisations may also consider coming together as an industry at a global scale to collaborate to organise, structure and share data to help reduce risk across the entire industry.”
Lack of data and failure to understand is, unfortunately, a common error among many underwriters of cyber risk.
“A common mistake I see is the underwriter failing to fully understand the insured’s exposure, including exposure to third-party or vendor risk,” Shah said. “As a result, the business may fail to understand the concentration and aggregation risk affecting the portfolio, which could result in serious loss to the balance sheet in the event of an industry or sector-wide incident.”
Brokers and intermediaries play an important role in ensuring the client’s cybersecurity is adequate, Shah said.
“In general, brokers are trying to help their customers buy the right types of insurance and negotiate better rates with carriers,” he said, adding that the data BitSight provides can be an important input into the carrier/broker conversation.
Shah explained that brokers and intermediaries are looking at how to make their existing clients better insureds (i.e. less risky, more efficient, more productive, etc.). For new customers, brokers are looking at how to better identify and assess their risk to position them in the best way.
“Tying security performance and improvement in a measurable way – not to mention communicating the value of a robust vendor risk management program as part of a holistic cyber risk exposure picture in light of GDPR and NYDFS – is becoming more common,” he said.
“Many [brokers and intermediaries] are building their own analytic offerings for customers and are looking to integrate BitSight data to help power the modelling task.
“As our data is objective and actionable, it lends credibility to customers who can actually take action to make improvements to their security posture, improving the modelled result instead of relying on generalisations that are size- or sector-driven, that a customer can’t really change about itself. Insurers who have integrated BitSight’s technology are working closely with brokers and intermediaries to educate them on the value of our technology.”