Cyber insurance pricing in the small and middle market space is “no longer a black box,” according to ProWriters president Brian Thornton (pictured). As more carriers start to use technology like artificial intelligence (AI) and scanning tools to automate their underwriting of cyber risk, the policy rates and terms are becoming very dynamic. Not one market is always the best, the cheapest, or the broadest.
“There are a wide range of pricing methodologies when it comes to cyber insurance for small and middle market businesses,” said Thornton. “Each carrier has a slightly different loss experience or has seen individual claims that change their view on a certain class or size of business. In the past few years, we’ve seen that stretch into the use of technology. Many carriers have invested in cyber scanning tools that they can tweak in terms of [what potential cyber vulnerabilities] they’re looking for. That has resulted in a market where there’s no consistency in pricing.
“You might have two physician groups in the same jurisdiction, each with $5 million in revenue, but that doesn’t necessarily mean they’ll be offered the same rate from the same carrier - even if they answered some of the questions the same on their application. That’s because carriers are using scanning technology to determine certain things about a potential policyholder. Do they have Microsoft Office 365? Are they using default settings versus enhanced capabilities? Do they have a secure email gateway? Have they set up multi-factor authentication? Carriers can get these answers instantly from a scan and then rate on that criteria.”
Not only are these tools impacting pricing in the cyber insurance space; they’re also affecting limits and sub-limits. If a broker applies for higher limits, they might see very different increase limit factors from one account to another as a result of the data that’s uncovered in the scan.
“These scans happen in split seconds. They’re running lots of data points and making automated decisions,” Thornton told Insurance Business. “Alongside that, many carriers are moving towards API integration, where they can update pricing, coverage limits, and terms and conditions, instantly based upon their underwriting desire and claims experience. If a carrier is reviewing their results and they see a claim on a specific class of business, they can go in and instantly change the rate on that class of business, or they can change it to a referral, or even decline that class of business going forward.
“Often what we see is a change in the applicable endorsements that are attached to a risk. For example, a carrier might add sub-limits for certain coverages like social engineering or ransomware, and they can do that on the fly. Anyone who is using the API to connect with them will see that change instantly. So, a broker might get one quote with an appetizing rate one day, and the next morning, a similar risk might trigger a very different outcome. When you dig into the technology, you see the carrier has made a change overnight. That could be based on an individual risk having a bad cyber scan or undesirable answers on their application, but it can also be changing risk appetite.”
It’s hard for brokers and agents to navigate such a fluctuating marketplace and explain to end clients why pricing and coverage options might look so different on a daily basis. But this is a challenge today that’s going to become normality in the near future, according to Thornton. As carriers move towards more dynamic, AI-driven underwriting processes that use a lot of data, there are going to be a lot more variables in outcomes. One way for brokers to get around this is to grow comfortable with multiple markets and to embrace the notion of shopping around.
“I think there are a lot of positives to come out of some of these changes,” Thornton added. “Many carriers are using the results of these scans as a premise for proactive cyber risk management. We’ve seen clients that have put in an application, had a scan, and gotten a quote they weren’t happy with. What follows is a quick conversation of: ‘You got this offer based on your scan results. If you do the following three things - enable multi-factor authentication, put in a secure email gateway, and enforce dual sign-off on wire transfers – we’ll be able to give you a different quote.
“We see a lot of forward-thinking carriers saying: ‘We’ll help you. We’ll give you best practices. We’ll even make someone available to answer your questions as you try to figure out how to enable some of these things within your business.’ This is very positive for the small and middle market customer that might not have the full resources to implement best in class cyber risk management. We’ve also seen carriers who have identified a new vulnerability in the marketplace and have then scanned all their existing clientele for that specific vulnerability. That’s very proactive risk management services via insurance carriers that wasn’t really available a few years ago. I believe these are great new services that insureds should definitely be taking advantage of.”