Panelists at Insurance Journal’s March webinar, Raising the Bar on Cybersecurity, said a paradigm shift is happening in cyber insurance as carriers embrace technology, and those that don’t keep up will likely be left behind.
“We’ve really seen the rise of cutting-edge insurance carriers who are basing much of their underwriting now on technical scans, artificial intelligence, etc.,” said Jeff Dennis, partner at Newmeyer & Dillion. “These are some of the newer players to the cyber insurance market. They are also driving not only insureds but the entire industry, I think, to focus on technology as a key tool to underwrite and place policies.”
For most of cyber insurance’s history, being a successful carrier in the space meant simply staying ahead of the competition, said Tim Zeilman, global cyber product owner at Hartford Steam Boiler.
“The primary concern was expanding market share and making sure that you were equal to or better than your competitors in terms of price and coverage, breadth, things like that,” he said.
Now, the market is demanding something different.
“The current moment in the market demands, and also to some extent allows, us to focus more on the long-term viability of our products,” he said. “[This means] looking at coverage language top to bottom to make sure we have really strong products that cover the right things and exclude the right things to make sure pricing is constructed in the same way, and making sure sublimits, appetite, portfolio composition—all of those things—are well constructed so that your product is fortified so you can be there today, tomorrow and for the long term for your customers.”
As carriers think about the future and aim to become more sophisticated in how they use data in underwriting and portfolio management, Zeilman said their ability to utilize technological tools to increase efficiency is becoming increasingly important.
“I think that’s going to be something that’s going to be crucial,” he said. “It’s been fairly experimental until relatively recently, but I think that’s evolving.”
Tim Zeilman, Hartford Steam Boiler
One challenge with this approach, however, is that because cyber risk is an evolutionary threat, many carriers are continuously learning as they go, said Megan North, vice president and professional lines broker at AmWINS.
“It seems the threat actors are always one step ahead of the good guys,” she said.
Zeilman agreed that the difficulty with cyber underwriting is that no matter how efficient the process of analyzing data becomes due to technology, the data itself is changing all the time as threats evolve.
“When it comes to cyber pricing and underwriting, yesterday’s data is of limited value,” he said. “To quote that old saying from investments that past performance is not a guarantee of future results, that sort thing very much holds true in cyber insurance.”
In contrast, other lines of insurance—such as traditional property lines—don’t see much change in the risks over time, he said.
“Sure, storm profiles, things like that, change with climate change,” he said, “but relatively gradually.”
The trouble with cyber risk is that it shifts dramatically over short periods of time.
“You’re essentially playing against a human adversary on the other side,” he said. “Your very recent data is maybe of some use in predicting the near-term future, but I think there’s inherently a limitation on the value of historical data on site. Not that it’s not important—it’s often the best that we have—but it always needs to be tempered with a somewhat more speculative look toward the future and thinking about how the future might differ from the past, even the recent past.”
Megan North, AmWINS
With this in mind, another shift is happening within the cyber insurance space, and this time, it’s on the policyholder side, North said.
“I think one of the biggest changes I’ve seen most recently is that we’re really seeing a shift in responsibility,” she said. “I think carriers are placing a bigger onus on insureds to enact and utilize baseline network security measures. Whereas previously they may have taken on risk which had subpar controls, they’re simply not willing to do that anymore.”
She added that if insureds aren’t willing to put in the time, money and effort to protect themselves from cyber risks that are always changing, fewer carriers will be willing to step up and insure them.
“Underwriters are already so swamped with submissions,” she said. “So, when they see an account with subpar controls, unless you give them a story or some additional color as ammunition, many times the frontline underwriter is simply going to pass on the risk for one with more palatable risk profile.”
One step insureds can take to increase their cybersecurity posture and create a more favorable risk profile for insurers is to implement multi-factor authentication (MFA), Dennis said, which requires multiple methods of verification, such as passwords and fingerprint scans, to access a system.
“Three to four years ago, it was really nice to have if you were a policyholder,” he said. “Now, if you don’t have MFA, you’re not going to get cyber coverage. It’s just not going to happen. It’s one of those very basic baseline security requirements that you have to have in place, and there are more and more of those that are popping up as requirements.”
Jeff Dennis, Newmeyer & Dillion
In the face of a difficult environment, Dennis added that analyzing the risk and connecting with a security expert to provide practical guidance are also crucial steps for policyholders.
“Clients and companies have to realize that they are targets. It doesn’t matter your size, your shape, your industry. All of us are at risk,” he said. “[The threats] will only become more complex, and they’re going to continue to evolve at an incredibly rapid pace.”
For carriers seeking to leverage existing technology to assist insureds in this process, Dennis’ advice is to start by understanding each client’s unique needs.
“I think it’s important to not only utilize technology to develop foundational requirements but to make sure that those are really meaningful and targeted cybersecurity requirements for your insured,” he said. “Make sure that these are applicable to the company that you’re insuring and that they make sense, not that they’re just blanket requirements that may be overkill for some companies and not enough for others. I think it’s important to work together to really understand what risks are out there and what needs to be done to protect from those risks.”
Zeilman said that ultimately, if cyber insurance is going to prosper long-term, getting the partnership right between carriers, insureds and technology is crucial.
“Obviously, insurance is an incentive to improve your cyber risk to have better access to insurance capacity at better terms and rates,” he said. “I think part of the way to do that is to encourage policyholders to improve their own risk postures by providing them the tools that they need in order to understand what that looks like today and how they can improve in the future.”
He said the cutting-edge, long-term carriers in the marketplace are the ones taking advantage of current market conditions rather than simply trying to stay ahead of the competition.
“Being profitable today is not enough,” he said. “You’ve got to look forward. You’ve got to look at potential systemic risk. You’ve got to look at loss trends and things like that to make sure that you’re well positioned to be profitable tomorrow and provide a stable resource for the cyber insurance market.”
Carriers embracing the shift that is happening for insurers and policyholders alike and reacting accordingly will be the ones who rise above the many challenges in the space today, widening the gap between the successful and the underperformers, he added.
“In my opinion at least,” he said, “carriers that are doing those things, thinking about those things, thinking about the future and the future beyond even the next couple of years, are on one side of this divide, and others who are still thinking in that old way are on the other side of the divide.”