In an article published by the Wall Street Journal on June 4 titled “The Ins and Outs of Cybersecurity Insurance,” one thing is clear: there’s a need to demystify cyber insurance and underwriting.
The insurance community needs to continue to be vocal and repetitive about the virtues of a cyber policy and perhaps provide more transparency around underwriting.
The WSJ is spot-on on a few aspects of underwriting and placing business:
- The insurance community takes the NIST framework and global regulations seriously, often using them to help inform their guidelines, applications, and risk selection practices.
- Malware, ransomware, and bad actors can be in systems a long time before a company understands what has happened.
- Your insurance carrier or broker might not be your first call in a crisis but they should be towards the top of your list.
- Pricing, indeed, is mostly based on revenue and industry class. Coverage and price are adjusted based on specific exposures like how much sensitive data is held, and on an assessment of security hygiene.
Now for some demystifying. The insurance industry’s purpose is to pay claims so customers (and the economy, frankly) can continue to operate their businesses, take risks, and innovate. While brokers and underwriters have much in common with salespeople, the product they’re selling is a path to resilience. In cyber insurance, part of the reason why the forms are not fully standardized and continue to evolve is precisely because the risk they’re insuring is so dynamic, hard to assess, and difficult to predict.
For example, once we figure out how the ‘bad guys’ exploited a Microsoft patch, another group is already testing new ransomware technology. While of course an insurance carrier may not want to write a poorly secured risk who, as I used to joke when I was an underwriter, bought a bunch of computers and went into business, the insurance industry does not expect every company to be the gold standard and never have a claim. The insurance business is about paying claims. Historically, they’re good at it. Insurance is one of the oldest continuing industries and has solved some of the biggest challenges facing consumers and businesses.
Where non-cyber-insurance folks tend to lose their way is in the exclusions, silent cyber, and some certain litigation currently pending in court. Yes, insurers expect the customer to follow best practices to the best of their ability to avoid a cyber event. However, this leads some to believe the insurance industry is looking for an excuse to deny a claim or blame the customer.
Additionally, most policies trigger coverage when a customer’s defenses fail. Here we are also still learning. Equifax’s cyber tower was triggered by their data breach and subsequent class actions may have a D&O impact. In very basic terms, they failed to properly test and configure specific systems leaving them vulnerable to a data breach. The courts have said that Equifax should have had better cybersecurity practices, whether that position will cause carriers to deny claims remains to be seen (and maybe a stretch). Also, the insurance payout for a breach this big is typically mostly spent on notification and credit monitoring to the consumer.
Mistakes happen, that’s partly why you buy insurance. If an employee loses a laptop it isn’t necessarily a cyber incident. If there’s protected data stored on it, then it can become an incident. The insurance industry should reframe the fear of a claim denial; think of it more like this: Insurance needs to invest in tools that influence better behavior prior to a claim. If the PII data or hard disk is encrypted, requires MFA to access, and the company has remote wipe enabled, the response to this breach is shorter, cheaper, simpler.
Reframing and repositioning an insurance policy as part of a larger risk management picture is a big, lofty goal the industry cannot be expected to accomplish alone. This is particularly crucial for a growing line like cyber. It presents a huge opportunity for cyber brokers, carriers, and MGAs to innovate cyber insurance as interest and understanding of the product grows, bolstered by global regulations which take on cyber and privacy.
So much more needs to happen before and during the insurance transaction. Partnership between the insurance and cybersecurity industries is critical. As a specialized firm, Resilience Insurance facilitates easy to navigate insurance transactions, provides risk analytics and near real-time assessment of a customer risk posture with the goal to automatically match risk to coverage.