Why cyber insurance is having its 'seatbelt moment'
Daniel Trueman, head of global cyber and technology at AXIS Insurance, is one of the leading voices on cyber in the insurance market. In this exclusive interview he explains how the market has developed, why it is going through a 'seatbelt moment', how the sector can improve its approach to cyber, and how brokers can help their clients to mitigate their risk to keep premiums affordable.
Paul: [00:00:12] Hello everyone and welcome to the latest edition of Insurance Business TV, A Future of Cyber Insurance Special. Yes, when it comes to cyber, your eyes, it seems, can never be focused on the present. You always have to focus on what's ahead, because just as quickly as you may resolve one cybersecurity issue, another one emerges. The cybercriminals do not stand still. And it's vital that insurance, which is playing an increasingly crucial role in not just picking up the pieces after a cyber event, but in helping to mitigate them in the first place, keeps pace. But who can offer us insights into the future of such a fast-paced industry? Thankfully, we have someone with true cyber vision to call on. He is the head of global cyber and technology at Axis Insurance, Dan Trueman. Dan, welcome to IBTV.
Dan: [00:01:02] Thanks, Paul, and thanks for having me on. It's really a great opportunity.
Paul: [00:01:06] Well, let's set the scene a little bit here. Talk to us about how the cyber insurance market has developed over the last 12 months because there's been a lot of change.
Dan: [00:01:16] I think that's very fair. It certainly has been. It's an endlessly dynamic market. And as you say, you know, in your intro there, there's a good reason for that. You know, quite often what happened yesterday isn't necessarily going to teach us what's going to happen tomorrow. And trying to do that and react to that in a market like this creates its challenges. And certainly the last 12 months, I think the market's reacted very dynamically. And very interestingly and importantly, really, we've seen two dynamics. One, maybe the more classic insurance dynamic: prices, right, have risen, you know, fundamentally because there's been a greater understanding of some of the dynamics on the risk environment. And maybe we can unpack that a bit later. But, you know, we've certainly seen that price rise. But we've also seen, and I think really importantly, a whole new way that the market is starting to adapt, develop and look at what it sees as the minimum standards around risk. And I think that's really important. And it sort of sets a new baseline really for us going forward.
Paul: [00:02:21] And you, Dan, as well, you've labeled this a seat belt moment for the cyber insurance industry. I love the term personally. Tell us a little bit about what you mean by that.
Dan: [00:02:31] Yeah, it is something we've referred to, that moment, this seatbelt moment. We really believe, we think this is analogous with where historically the insurance industry has really contributed to safety in things like automobile incidents, those sort of events, and actually said, right, not only will we not insure all cars that don't have seat belts in them, but we're going to increase premiums if people aren't willing to put them on. This is a very similar moment for what the insurance industry is doing within cyber. We are really saying, okay, it's taken a lot of time. I say we talk about this dynamic market. I'm very fortunate enough to be in it since, you know, sort of Y2K was the thing instead of seeing the development of the cyber insurance market. And I think there's a pernicious myth within cyber insurance that there isn't enough data. The challenge is, I mean, there's more than enough data. We have insureds that have three and one half billion attempts to attack them a day, if you add all the sort of spray and paste sort of events that they're going through. So it's not about a lack of data. It's about a lack of sort of time, energy and ability really to start processing and turning that data into information, that information into insight and that insight to action. And I think we've got to the point now where the market's started to be able to look at action. And that's what we call the seat belt moment. What does good look like with all we know? What could organizations do that would prevent them suffering from what are sometimes sort of very basic, very simple attacks on their systems, their infrastructure? And can the insurance industry support organizations by saying, right, actually, I know this sounds harsh, but unless you do these three basic things and you do them well, we shouldn't be insuring you because actually we believe that's basic enough that it's in everyone's interest to do them. And I think that's how we define this as a seat belt moment, really.
Paul: [00:04:24] Yeah. And you touched on the fact that you've been in this market since Y2K, as you put it. With that in mind, how well do you think the insurance industry is doing in terms of adapting to this current environment? And how could it improve?
Dan: [00:04:38] I think cyber insurance has a bit of a challenge. It's got a 20 year lifespan to this point, and I think it's adapted really fast and really well. And I think sometimes it's part of the market that puts itself under a lot of pressure to innovate, to improve. And again, in your introduction, you talked about how fast paced the environment is, how dynamic the bad guys can be, for want of a better phrase, and fundamentally how necessary it is for their organizations to be very dynamic in their response to that process. And I think because we talk about human risk here quite often and not just sort of broader elements of the fortuitous risk spectrum, we've got to be very careful about how we build the right things and talk to what are sometimes very basic organizations or sometimes organizations that have very basic knowledge about the risks they're facing and really, frankly, need to get on with their day jobs. And how can we as an insurance industry support them in that and take away some of that risk? And I think so. Has the insurance industry adapted well to that? I think, yes, reasonably well. But by basically saying to our insurers at this point, we really believe you should have multifactor authentication. You know, we've seen it, you've seen it pop up on those wonderful hand-held supercomputers we carry around every day, you know, our phones. And suddenly the ubiquity of multifactor authentication, whether that's for a transaction or to log into something, that's part of this response. We then said, okay, if you're going to log on remotely, and we all know since you're in this current environment, remote logging on is becoming increasingly important, you're going to need to do that through some form of secure layer, you know, probably a VPN. And then lastly, at least if you're going to, you need to back up your systems and you need to make sure those backups are secure and at least versions of them are held in different places, particularly offline, because what you don't want is the bad guys not only to get into your system, but to get into your backups of your system because that makes the backups meaningless or pointless in the first place. And so looking at those, has it well, I think just identifying those three factors has changed some of the challenges we're facing. And I think that's really important. How could it improve? I think as an industry, we've got to get better at explaining some of this technical side of things. And, you know, I probably make similar mistakes. I mean, we are talking a very technical subject at times. And breaking that down into its components that make it digestible and effective, I think, is really important. And then I think the next side of things is really how do we work better in a broader environment we work within? The cyber insurance is only one element of the challenge here. It's really about identifying what good security. It's like good investment and that security looks like. And how do we work within and around that broad environment to make sure this works for our clients?
Paul: [00:07:30] It makes a lot of sense and it's very clear just from listening to you talk as well, you know, investment in cybersecurity really has to be sort of top of mind right now. But I'd love to get some tips from you from the broker perspective, if you don't mind. I mean, do you have any sort of strategies that you think brokers should be employing with their clients?
Dan: [00:07:49] I do. I think the broker increasingly, I think, needs to up their education. And I think many of them are. I think that's not an inherent criticism. But I think now is the time to make sure they're capable of having these conversations at a reasonably technical level and asking the right person for the right information. I sometimes feel a fairly blank, nameless, faceless application form is not always the way forward. You know, it's a dynamic technical subject. So the broker needs to understand what you say yes to this. What you really mean, I think, is a useful thing to be able to ask the client. So I think that that's really key. And I think then it's the ability, a willingness to ask the clients difficult questions. And to point out, I think actually what the underwriters are now needing is a greater level of transparency. And actually that greater level of transparency doesn't always result in more expensive premiums. What it should result in is actually cheaper premiums because what underwriters are looking for is a delta or a difference in reality between good risk and not so good risk. And we want to be able to price good risk well and competitively. And I think if the brokers are willing to engage on that level, I think we're going to end up with a market that is much better at transferring this risk, that is much more appropriately priced and is actually a level that everyone knows is sustainable, not just in the short term, but for the longer term as well.
Paul: [00:09:12] And I want to ask you as well, Dan, and I'm very conscious of hyperbole here, but do you think insurance perhaps has a larger role to play, a societal role of sorts, if you want, in terms of kind of growing awareness of these risks and helping to mitigate them?
Dan: [00:09:27] I think it's a really fair question and equally hyperbole or sort of forgive me, the polemic that we get into, but I genuinely believe and agree that I think there's a social value in insurance full stop. And I certainly remember in my early underwriting journey, you know, opening the paper and realizing that almost every single angle, every single news story had an insurance angle or insurance element to it. And I think we've all been through that particular journey. So I think, sure, insurance full stop has an important societal role to play. And I think in this element it really does. We are at this point where we are seeing enough data and we are thus having enough information. We have more insight than we've ever had before. How can we share that more effectively with organizations, whether they want to buy cyber insurance or they just want to transfer their risk better or understand their risk better or accept and retain that risk? I think all of these things are relevant. I think the important thing is we are willing to share what we think good looks like. And I think at this point we've got enough that we should be doing that. And as an industry we should be louder about that concept. And I think now's the time.
Paul: [00:10:39] Just described how I try to entice any new journalists to join us. In fact, every news story does have an insurance angle. I agree with you 100%. But I'm going to throw one last question at you, if you don't mind. And I'm going to keep it very, very simple here. Where does the cyber insurance market go next?
Dan: [00:10:59] I think the market has gone through a really interesting point here. So the reason rates changed in the last year is due to sort of two fundamental factors. One, we've seen over the last few years an increase in frequency and severity within particularly the ransomware element of the loss we're doing. We as insurers can probably deal with one of those at once. And that's, you know, that's the game we're in. But both is a challenge. When you see both frequency and severity change, then we need a shift in the pricing curve and a shift in the approach. And that's where we've come from and that's what we've had. So I think that's really important. On the second side, though, we're also increasingly understanding the systemic exposure within the cyber insurance market. Aggregation management is Insurance 101, and we've always been very effective at looking at it, but not very effective at really understanding what that's going to be and the impact that can have. And so that's obviously an element of price as well. And I think what we're going to need to do is maybe look at how do we approach that systemic risk better, both understanding it, getting better information at it, and potentially this is my sort of, you know, the sort of 1000 question answer is, I do think I wonder whether the cyber insurance market will bifurcate at some point and have a sort of catastrophic element, systemic risk only, and then sort of attritional risk only in the future. And I think it's going to be an interesting moment for the market and I can see it coming.
Paul: [00:12:27] Yeah. You're leaving us with plenty of food for thought there. Dan, great to have you with us. And huge thanks to Axis Insurance. Clearly, the cyber insurance market is going to keep evolving. So I'm sure we'll have you back with us soon. And of course, for the latest, not just on cyber insurance, but on the entire insurance marketplace, make sure you keep your focus here on Insurance Business TV.