The cyber insurance market is in the midst of a reckoning after years of low premiums and inadequate loss control have led to increasing claims frequency and severity.
Executive Summary
Going beyond tactics like increasing the number of questions on their insurance applications, P/C insurers covering cyber risk can learn a great deal about their insureds’ cultures and the commitment of insured organizations to cybersecurity through behavioral analytics tracking complacency and cyber hygiene, writes TEKRisSQ Co-Founder Bill Haber.

Now, demand for coverage is exploding―driven largely by a surge of ransomware attacks and social engineering incidents―while carriers tighten up their underwriting requirements and question if cyber can be underwritten profitably. Though it is a much more challenging segment today, if agents and carriers improve upfront due diligence to better mitigate cyber exposures, the answer is yes, the industry can be profitable in this segment.
But first, the industry must acknowledge it doesn’t fully understand this risk. Insurers need to find ways to better identify the true cyber risk profiles of their insureds, verify the level of cybersecurity resilience in place, and monitor the pace and culture with which these organizations drive resilience on a regular basis. This means more industry collaboration and investing in outside expertise and tools to ensure the long-term viability of the cyber market.
It’s important to find efficient ways to validate what is happening inside of an organization and to verify whether or not it meets the baseline requirements of insurability. Once that risk has been accepted, however, there is a great deal of additional insight to be obtained throughout the relationship to understand culture, commitment and the rate of progress within this partnership. Properly deployed technology solutions can generate an enormous amount of data, but getting to the right metrics and making them actionable is what it’s all about. Using behavioral data and tracking analytics can help with determining which risks are insurable and with making more risks insurable, thus improving carrier loss ratios and client resiliency. They can also track cybersecurity culture within an organization and track improvements over time through metrics that chart progress, or lack thereof.
Unfortunately, underwriters currently rely on lengthy applications that contain dozens of questions, yet often lack client accountability or guidance to improve the overall risk profile. This is not an effective way to stem losses or provide value to clients, as evidenced by the market’s growing claims severity.
Fitch Ratings’ recent “U.S. Cyber Insurance Market Update” found that cyber claims rose 100 percent annually over the past three years, driven largely by a surge of ransomware events. Claims closed with a payment were up 200 percent annually over the same period, Fitch said, noting 8,100 claims were paid in 2021 alone.
Unsurprisingly, the negative claims experience caused rates to “skyrocket” in 2021, Fitch said, “with prices increasing at a pace considerably higher than other commercial business lines.”
The truth is businesses need help becoming cyber resilient. Only 3 percent of the 650 global cyber risk leaders who participated in Marsh and Microsoft’s 2022 Cyber Risk Survey rate their company’s cyber hygiene as “excellent,” according to Marsh’s “The State of Cyber-Resilience” report released in May.
The insurance industry is perfectly situated to proactively work with their clients and potential clients in improving cyber resiliency, as noted by the global cyber leaders surveyed. Most respondents indicated that insurance is “an important part of cyber risk management strategy and influences the adoption of best practices and controls,” with 61 percent saying their company “buys some type of cyber insurance coverage.”
You Can Only Manage What You Can Measure
Carriers believe they are gaining the understanding they need to mitigate claims by increasing the number of questions on their applications. The cumbersome and impractical cyber applications currently used by the industry must be reinvented and streamlined to include actual client risk assessments that focus on building organizational resilience.
Cyber risk is constantly evolving and changing. Tools leveraging behavioral analytics offer insights into an organization’s cybersecurity culture, which is indicative of its cyber risk. The data can also be used by carriers to validate the information given by insureds during the application process and to determine measurable steps clients can take to improve their risk profile and maintain insurability year after year.
We break down behavioral analytics into the following categories:
Organizational complacency
One of the biggest indicators of an organization’s cyber risk is complacency. Cybersecurity is personal to each organization and requires foundational controls that must be driven by leadership. Many companies claim to have cybersecurity measures in place but don’t enforce those measures or hold employees accountable. If the overall company culture doesn’t push the importance of cybersecurity, it’s at greater risk. We call this a culture of complacency.
At the organizational level, behavioral analytics measure:
- What cybersecurity actions has an organization adopted versus what is needed?
- How long does it take an organization to roll out needed cybersecurity solutions?
- How are companies educating employees about cybersecurity risks and protocols?
- Does the organization require employees to undergo cybersecurity awareness training, and how is that tracked?
Individual complacency
Behavioral analytics are also effective for understanding the risk of individual employees and what organizations can do to address those risks.
Individual behavioral analytics measure:
- How many employees are adopting required security measures, and how many are resistant?
- How many times was an employee reminded to act before doing so?
- How many employees completed awareness training classes, and how did they score? How many times did they have to retake the class?
Organizational cyber hygiene
Behavioral analytics look at what cybersecurity solutions an organization has in place to mitigate its risk, such as multifactor authentication, to what degree these solutions are actually being used, and whether they are being administratively enforced wherever possible.
Employee cyber hygiene
Behavioral analytics provide important information on each employee’s individual cyber hygiene, as well, by looking at their personal behaviors. This includes whether employees use the defensive systems provided, whether they use non-approved web apps or sites, and how they respond to phishing exercises.
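The four categories above are described as questions an analytics tool should answer (adoption rate, reminders before action, training completion and retakes, rollout lag). The script below is an added example, not the author's or TEKRisSQ's tooling, showing how those metrics can be computed from activity records and turned into complacency flags an underwriter could compare against application answers. All records, field names and thresholds are constructed for illustration.

```python
"""Behavioral-analytics metrics for cyber-insurance due diligence.

Added example (not the author's or TEKRisSQ's code). Every record below
is constructed; field names and thresholds are assumptions.
"""
from collections import Counter
from datetime import date
from statistics import median

PASS_SCORE = 80                 # assumed passing score for awareness training
AS_OF = date(2022, 4, 1)        # constructed reporting date

# Constructed: per-employee adoption of a required control (MFA).
# "reminders" = nudges sent before the employee enrolled (or so far, if not).
ADOPTION_EVENTS = [
    {"employee": "e001", "control": "mfa", "reminders": 0, "adopted": True},
    {"employee": "e002", "control": "mfa", "reminders": 2, "adopted": True},
    {"employee": "e003", "control": "mfa", "reminders": 4, "adopted": True},
    {"employee": "e004", "control": "mfa", "reminders": 5, "adopted": False},
    {"employee": "e005", "control": "mfa", "reminders": 1, "adopted": True},
]

# Constructed: awareness-training attempts, score out of 100.
TRAINING_EVENTS = [
    {"employee": "e001", "attempt": 1, "score": 92},
    {"employee": "e002", "attempt": 1, "score": 70},
    {"employee": "e002", "attempt": 2, "score": 85},
    {"employee": "e003", "attempt": 1, "score": 60},
    {"employee": "e003", "attempt": 2, "score": 75},
    {"employee": "e003", "attempt": 3, "score": 88},
    {"employee": "e005", "attempt": 1, "score": 81},
]

# Constructed: control rollouts (date a gap was identified vs. closed).
ROLLOUTS = [
    {"control": "mfa", "identified": date(2022, 1, 10), "deployed": date(2022, 3, 1)},
    {"control": "edr", "identified": date(2022, 2, 1), "deployed": None},
]


def adoption_metrics(events, control, resistant_after=3):
    """Individual complacency: adoption rate, reminders needed, and who is
    still unenrolled after `resistant_after` reminders."""
    scoped = [e for e in events if e["control"] == control]
    adopted = [e for e in scoped if e["adopted"]]
    resistant = [e for e in scoped
                 if not e["adopted"] and e["reminders"] >= resistant_after]
    return {
        "headcount": len(scoped),
        "adoption_rate": round(len(adopted) / len(scoped), 2) if scoped else 0.0,
        "median_reminders_before_adoption":
            median([e["reminders"] for e in adopted]) if adopted else None,
        "resistant": sorted(e["employee"] for e in resistant),
    }


def training_metrics(events, headcount, pass_score=PASS_SCORE):
    """Training completion, pass count, retakes per employee, and the
    number of staff who never started."""
    attempts = Counter(e["employee"] for e in events)
    passed = {e["employee"] for e in events if e["score"] >= pass_score}
    return {
        "completed": len(attempts),
        "completion_rate": round(len(attempts) / headcount, 2),
        "passed": len(passed),
        "retakes": {emp: n - 1 for emp, n in attempts.items() if n > 1},
        "never_started": headcount - len(attempts),
    }


def rollout_lag_days(rollouts, as_of=AS_OF):
    """Organizational complacency: days from identifying a control gap to
    closing it; still-open gaps are measured up to `as_of`."""
    return {r["control"]: ((r["deployed"] or as_of) - r["identified"]).days
            for r in rollouts}


def complacency_flags(adoption, training, lag, max_lag_days=45, min_rate=0.9):
    """Turn the metrics into plain-language flags for an underwriter.
    Thresholds are assumptions, not industry standards."""
    flags = []
    if adoption["adoption_rate"] < min_rate:
        flags.append(f"adoption rate {adoption['adoption_rate']:.0%} "
                     f"below target {min_rate:.0%}")
    if training["completion_rate"] < min_rate:
        flags.append(f"training completion {training['completion_rate']:.0%} "
                     f"below target {min_rate:.0%}")
    for control, days in sorted(lag.items()):
        if days > max_lag_days:
            flags.append(f"{control} rollout open {days} days (limit {max_lag_days})")
    return flags


def underwriting_report(control="mfa", as_of=AS_OF):
    """Run all metrics over the constructed data and return them together."""
    adoption = adoption_metrics(ADOPTION_EVENTS, control)
    training = training_metrics(TRAINING_EVENTS, adoption["headcount"])
    lag = rollout_lag_days(ROLLOUTS, as_of)
    return {"adoption": adoption, "training": training, "rollout_lag": lag,
            "flags": complacency_flags(adoption, training, lag)}


if __name__ == "__main__":
    for key, value in underwriting_report().items():
        print(f"{key}: {value}")
```

The value for a carrier is in the flags, not the raw counts: an application that answers "yes" to MFA while the adoption rate sits at 80% with one employee ignoring five reminders, or an EDR rollout that has been open for two months, is exactly the gap between claimed and actual posture the text says underwriters currently cannot see.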
Cyber Risk Is Personal
Organizations are often surprised by what behavioral analytics reveal about their cyber risk, but it is a very powerful motivator for change. Organizations that may have been hesitant to roll out new products and services to protect themselves are more likely to do so when they see their vulnerabilities.
It is a powerful motivator at the employee level, too. Once employees realize that an organization is taking cybersecurity seriously and there are potential consequences if risky behaviors are not addressed, they are less likely to resist new ways of doing things. It’s about understanding the personal and organizational impact.
Ultimately, it requires insurer leadership and strong collaboration to take a company from being vulnerable to a path of building resilience. Insurers have an important role to play in ensuring the long-term stability of the cyber insurance industry. It is no longer appropriate to do nothing.
Cybersecurity solutions are changing unbelievably fast, and it will be so much faster and easier in the future to effectively underwrite this risk. To truly drive value, it should be the goal of every insurer to help organizations become more cyber resilient using the tools available to do so.