The following is an opinion article written by Phil Rosace, solution manager, Cyence
There had been 312 data breaches just through mid-March in 2017, even before the WannaCry breach, and this even as cybersecurity investments are at a major high. Against this backdrop, cyber is moving from just an IT problem to a profound business risk. Businesses are quickly realizing that cyberattacks are the norm, rather than the exception, and cybersecurity technology defenses cannot guarantee protection against this ever-growing threat. When risk prevention and mitigation can only go so far, organizations begin to look for risk management and transfer. This is where insurance comes in.
However, finding a cyber insurance policy that provides ample protection for your organization and doesn’t cost a fortune can be a daunting task — as anyone who’s ever been through the process knows all too well. And as a former underwriter for Zurich, I can assure you that things aren’t much rosier on the other side, as it can be very difficult for insurers to understand the cost of goods sold until years after the transaction.
The good news, however, is that the insurance industry is starting to recognize the challenges that exist around writing cyber-specific policies and, as a result, is working to bridge the gap using data analytics and economic modeling to gain a more accurate risk quantification. This is having a massive impact not only on how policies are written, but also on who gets to benefit from them.
Here are three little-known ways the insurance industry is adapting to make cyber policies more robust, stable and accessible:
1. More scientific and holistic coverage.
a. Previously, brokers used a basic-level questionnaire to evaluate a company’s risk, an incredibly outdated way of assessing cyber risk when you look at what modern cybersecurity tools can do — such as peer group comparisons based on vast amounts of underlying data, behavioral patterns, etc. As an underwriter, it was always important that the customer/broker felt we understood the risk being taken because no one wanted surprises at the time of a claim for either side.
b. Underwriters are currently writing policies based on highly qualitative questionnaires that don’t provide adequate information to differentiate between risks. Responses to these questions simply don’t give underwriters enough data to identify the leaders and laggards of a peer group with any certainty. We need to remove this ambiguity and start arming underwriters with tools that fuse economic modeling, data science and security for more efficient and accurate cyber risk quantification. Only then will cyber policies become more robust, stable, and accessible to companies of all types and sizes.
c. Typically, cyber rating tools only factor in technological, defensive tactics that are deployed to protect a company from a cyber event. The insurance industry is realizing that cyber risk envelops much more than just technology, so we need to take offensive strategies, human behaviors and motivating factors into consideration as well. We should take the various adversary perspectives into consideration when evaluating the risk of any company. For example, a company with a CEO who has strong and public political views may motivate adversaries with contrary beliefs. These adversaries could be external actors or internal employees/contractors with privileged levels of legitimate access to leak confidential data to hackers — current insurance underwriting methods don’t quantify these effects, but using a data model that goes beyond just checking for the latest firewall can pinpoint these risks.
2. Risk mitigation becomes a culture.
a. The insurance industry can drive this culture via the carrot and stick of policy terms (both coverage and price). As insurers gain a more nuanced and quantitative view of their customers, they will be able to reward positive trends in customer risk profiles with more attractive coverage and premiums. Conversely, carriers will also be in a position to restrict coverage and increase pricing for those whose risk postures fall by the wayside.
b. Cyber insurance has advanced past the policy. In 1866, Hartford Steam Boiler coupled boiler insurance with maintenance, services, and expertise to ultimately reduce the total number of boiler explosions, which were happening at an increasingly alarming rate – sound familiar? Insurance carriers have been offering preferred rates on consulting services like tabletop exercises and incident response planning for insureds looking to prepare before a breach for quite some time now. The know-how of the carrier and its panel of service providers can position insureds to mitigate the negative effect of breaches as far as possible and improve their cyber risk posture.
c. As scalable solutions to evaluate cyber risk become more robust, insurers are now able to extend risk engineering service offerings to small businesses where cost was previously prohibitive. These initiatives will drive cyber risk awareness among smaller businesses which further drives the culture of risk mitigation.
3. Adequate coverage for everyone.
With improved cyber risk quantification, companies across verticals and sizes will have better access to affordable policies that adequately protect them in the wake of a cyberattack.
a. Large companies sometimes purchase hundreds of millions in coverage, which can require the entire market’s participation to fulfill the desired capacity of coverage. Marsh’s Cyber Echo facility is an example where a group of Lloyd’s syndicates participate on excess coverage offering $100 million from one policy (this would typically take approximately seven to 10 policies otherwise). This brings immediate efficiency to the process, allowing companies to purchase meaningful amounts of coverage with minimal hassle.
b. Small companies typically purchase insurance through an agent, getting the basic property and casualty coverages on BOP (Business Owner Policy) policies and other coverage forms that are geared towards small businesses. Carriers need scalable underwriting efficiency in this space as premiums are low, and policy volumes are high.
While historically a late-adopter, the insurance industry has a huge opportunity to tackle cyber risk head on and make policies cheaper and more robust for buyers while improving confidence for underwriters. As a former underwriter, I speak from experience when I say there are monumental changes happening in how cyber insurance is offered which will yield benefits to the brokers, the underwriters and the customers themselves.
The preceding article was an opinion piece written by Phil Rosace, solution manager, Cyence – the views expressed within the article do not necessarily reflect those of Insurance Business.