2022 is a defining moment for cyber insurance as we know it. We can expect the tightening of terms, pricing increases, the introduction of catastrophe-focused exclusions, and capacity reductions to continue. These rational, responsible, and achievable strategies respond to a challenging risk environment. However, zooming out from the day-to-day, transaction-focused corrections, opportunity becomes obvious. Following a string of vulnerabilities and supply chain attacks, reduced trust in technology drives clients to the insurance markets. Meanwhile, on the backs of the growing number of ransomware claims paid, the cyber insurance proposition has never been stronger. Simply put, demand is higher than ever before, and our product credibility is at an all-time high.
So the difficult question for the insurance industry shifts becomes: How do we, as an industry, secure a sustainable future for cyber insurance without sacrificing the demand opportunity?
The answer, I think, is in tackling one major issue: risk visibility.
An underwriter’s transaction-impacting view on risk is currently limited in both time and scope. While we have seen significant improvements by adopting web scanning technologies and risk signaling over the past two years, insurers remain blind to most inside-the-firewall risk information and almost all third-party risk. Additionally, as cyber risk evolves and changes, the static nature of the insurance policy (one underwriting every 12 months, typically) limits the risk view to the time of binding.
Unlocking risk data
Many insurance companies and insurtechs are slowly driving the integration of third-party Application Programming Interfaces (APIs) into their underwriting. This is a significant first step to tackling an obstacle that has existed in cyber insurance since day one: technology providers have better risk data but take on minimal risk (while also being creators of risk). The insurers then accept the transfer of risk for a premium based on their less informed underwriting process. So the question becomes one of motivation: How do we encourage customers willing to provide access? Taking a cue from motor insurers here is key. Today, with sensor technology deployed, better drivers pay lower premiums, receive more limits, and can amend their insurance to fit their needs as they change. I have personally seen one benefit. From driving less due to COVID-19 lockdowns, I’ve received return premium from my insurer. With cyber insurance, there are similar levers we can pull to incentivize clients—for example, increased limits offered on coverage for evidencing properly configured and enabled multi-factor authorization (MFA). Better information certainly leads to improved risk selection and opportunity for more tailored client engagements. However, higher-quality risk information only solves half the issue.
Breaking time-bound views
One insurer this past year publicly stated that they hope to write a client’s policy and never talk to them again – implying that the only other time to speak to a client is when a claim occurs or at renewal. I couldn’t disagree more. Incentivizing clients for enhanced visibility is essential during initial underwriting, but it is perhaps even more critical post binding. As an industry, we should be striving for continuous engagement to match the dynamic nature of cyber risk. Does this mean mid-term return premium? Perhaps eventually, but it certainly means smarter, smoother, and better-informed renewals. Regular communication with clients means they can better prepare for renewals; respond faster to changes in risk as viewed by their insurer; and get advance notice of concerns, including new vulnerabilities or threats. It also ensures the insurance continues to meet their changing needs, even absent any claim activity. And in the unfortunate event of an incident, the insurer’s improved knowledge means swifter response and claims resolution.
At Resilience, we are committed to tackling these issues for our client’s benefit and bringing solutions that move cyber insurance to a more sustainable future. Clients benefit from our proprietary risk assessments and third-party APIs throughout their relationship with Resilience. Whether primary or excess, regardless of premium size, Resilience clients have access to continuous monitoring and alert notification services, annual war gaming exercises, model response plans, vendor due diligence, and a talented team of on-call security engineers and analysts. Ultimately, this brings about a more consistent, predictable, and valuable relationship with their cyber insurer.
About the Author
Kyle Bryant is the International Chief Underwriting Officer at Resilience. Prior to joining Resilience in 2021, Bryant was responsible for Chubb’s Overseas General Insurance where he oversaw the strategy, development, and financial performance of the Cyber and Technology lines of business in international markets. He holds a JD from the University of Mississippi and a BS in Business Administration from Mississippi College.