What is the message behind the FCA's "Dear CEO" cyber warning?

How insurance businesses can walk the 'consistency vs adaptability' tightrope

By Mia Wallace

In late September, the Financial Conduct Authority (FCA) published a “Dear CEO” letter warning providers of cyber insurance that uncertain policy wordings mean insurers may not be meeting their policyholders’ needs. Breaking down the main takeaways of the letter, Matthew Waller, head of underwriting at Corvus in the UK, highlighted the FCA’s concern over a “mismatch” between insureds’ expectations and policy outcomes.

The FCA has also told insurers to continue to improve their knowledge of cyber risks, including at board level, so that oversight of the product is appropriate, and it has threatened action against what it calls ‘outliers’ in the cyber market. Overall, he said, this is the FCA’s call for the market to move towards consistency and clarity for buyers, which is really important for the marketplace. They have rightly identified cyber insurance as a critical risk management and crisis recovery tool for businesses of all sizes.

“I thought it was an important letter at a pivotal moment in the cyber insurance market and timely for us based on what we are looking to do in the UK,” Waller said. “Offering consistency and clarity to the buyers is critical to the continued development of the cyber market and we very much support the FCA’s position.

“I see it as a significant step for a market that has evolved quite considerably in the almost 25 years since the first cyber insurance policy was written. To treat customers fairly and for the sustainability of the market, customers need to understand what they are buying, and we need to build transparency and stability in the market.”

Challenges for cyber insurance providers

A key challenge facing cyber insurance providers is walking the tightrope of providing adaptable cyber solutions that don’t sacrifice consistency. And that’s always going to be a tricky balance, Waller said. The cyber market has changed a lot in a brief period, and the marketplace has had to adapt to those dynamics.

He noted that the recent hard market, driven primarily by spikes in ransomware attacks, tested the insurance market for stability, but also helped reinforce the need for cyber insurance. After a reprieve in 2022, cyberattacks are rising again and threat actor activity, such as this year’s managed file transfer attacks, is constantly evolving.

“Feedback is going to be critically important to ensure that we as a market are going down the right path,” he said. “So, for the regulator that means constant engagement with the marketplace, speaking with Lloyd’s, and learning from insurers about the progress that is being made.”

Outlining how this ‘consistency vs adaptability’ balancing act is being impacted by the increased complexity posed by emerging technologies and new threat actors on the scene, Waller looked back to the origins of the market. Because, while the first policies were sold in Lloyd’s in 1999, he said, it is only in the last 10 years that take-up rates have really increased.

“Ransomware in 2020/2021 really moved the market in a number of ways,” he said. “Claims started to increase, and we saw more first-party losses. It’s always going to be important that the market has the ability to adapt and move with the risk environment because, unlike with a property policy where you know what the building is made of, with cyber, what the building is built of could change within a month, or three months, or six months because a new vulnerability comes to the fore.

“As a market, we have to be able to adapt to those things, and to appropriately price for those exposures. However, we also must be clear to the buyers about terms and conditions and what they are buying. The balance of adapting to the trends but also giving clarity to the buyers is critical, and I think the FCA’s comments will drive that forward.”

However, Waller emphasised that getting that balance right is not going to happen overnight because there are so many products out there. In terms of systemic losses, there needs to be a broader discussion involving public and private parties about how they want to address those key concerns. Lloyd’s has taken a number of steps, including with their LMA-approved war exclusions, he said, but the conversation needs to be an ongoing one.

The role of technology in cyber insurance

For Corvus, it’s clear that technology is going to become increasingly critical to the underwriting of cyber, he said, and so technology is at the core of its underwriting and its ability to support the customer through risk mitigation.

“But our approach is two-pronged,” he said. “Alongside our technology, we employ a best-in-class, human underwriting talent pool focused on the middle market. We have found that a partnership-based approach combining personalised risk insights and advisory services enabled by an online dashboard is the most effective way to curb cyber risk. Our Corvus Signal risk prevention solution is the only product in the market known to have reduced loss frequency and costs by close to 20%.”

Assessing the importance of having more accessible and standardised wordings in cyber insurance in the context of the FCA’s warning, Waller noted that a lot of buyers are trying to grasp what a cyber policy is intended for. While the market is seeing increased penetration, he said, it’s still facing hurdles in terms of educating buyers about the product.

“So, if you can set a minimum in terms of wording, which gives more comfort to the buyer that they are getting a specific standard within the marketplace, they can then work with the broker to determine what any additional coverage needs might be,” he said. “It is important to keep in mind, too, that wording is one component of cyber insurance, but it is also about the service that is offered.

“The adaptability of the market to address those needs will also be critical for the evolution of cyber. Over time, it may be that wordings become consistent, but you will still have differences in broader service offerings in the marketplace, which will really help differentiate providers.”

For Waller, his message to insureds is clear – “cyber is not a policy that you can buy and put away”. You need to be engaged with your service provider on the technology side, he said, so that they can continue to update you about the threats. It is not just a ‘once and done’ policy that you look at during the renewal every year.

“Another key point, though I do think insureds are increasingly aware of this,” he said, “is that cyber is a proven product. It has paid claims. Making sure that all customers understand that will help market penetration and give us a bigger opportunity.”
