November 15, 2021
The Maturity of Cyber Underwriting
Gavin Reed joined Resilience in 2021 as EVP Western Region, spending ten years in the London market in various broking and underwriting roles across all financial lines. He began his insurance career at Marsh as a broker before joining Hiscox and then CNA in London.
Cyber Underwriters Combat Evolving Cyber Threats With New Tools and Approaches
Today's underwriters are positioned to help make companies safer through a multipronged strategy based on continuous improvement and technology-supported insights in the pursuit of an effective defense.
The complicated, evolving world of cyber attacks seems to get scarier and more dire all the time. Increased remote working, the spread of ransomware-as-a-service, and the evolution of cryptocurrency in the last year have helped fuel an explosive rise in debilitating ransomware attacks that caught organizations off guard and increased anxiety in boardrooms everywhere.
Thousands of government, education, and business organizations are being targeted by cyber criminals who hold their data and networks hostage in exchange for big payouts. Relatively uncommon a few years ago, or at least less widespread and less severe, such attacks have reached epidemic proportions, increasing by 485 percent in 2020 over the previous year, according to the 2020 Consumer Threat Landscape Report by Bitdefender. Estimated payouts surged by more than 300 percent in 2020 to $350 million, according to Combating Ransomware by the Ransomware Task Force (RTF).
Attacks can be catastrophic by threatening finances, operations, safety, and reputation, and can also make organizations subject to lawsuits and penalties under compliance regulations.
The ransomware threat continues to worsen by the day, and the consequences of waiting to respond could be disastrous, the RTF report warns.
Cyber crooks used to aim their attacks at the largest companies, but nowadays they target small and mid-size organizations as well. No one is immune. The bad news is it's incredibly lucrative and easy to target large numbers of companies, and collectively, the bad guys have the upper hand.
As organizations have increased their reliance on data and web-based strategies, the growing complexity and online exposure have created opportunities for attackers through new vulnerabilities.
The resulting higher risk exposures have caused an abrupt tightening of the cyber insurance market in recent months, with premiums rising significantly, sub-limits and co-insurance being applied to ransomware incidents, and even denials of applicants considered higher risk due to poor controls or system vulnerabilities.
In the face of a challenging and shifting market, the good news is that it is possible for organizations to defend themselves and manage risk by adopting a thoughtful strategy that includes robust security controls and partnering with knowledgeable advisors, including cyber insurance providers.
To obtain insurance, companies these days must have security features in place, such as multi-factor authentication, network segmentation, regular data backups that are also stored offline, security awareness training for employees, and endpoint detection and response.
In the game of whack-a-mole that has characterized the response to shifting cyber threats, cyber insurance underwriting has lately seen a dramatic transformation in the capability to keep pace with the threat. The best cyber insurance providers have integrated security expertise and incident responders into the risk equation: assessment, engineering, and transfer. They are armed with the knowledge and tools to understand and respond to these changing threats, and the client views them as a long-term cyber wellness partner.
Part of the improvement is technological, and part is in overall sophistication of the partnership approach. These providers not only assess risk and write policies, but also serve as cyber security advisors, providing ongoing support during the life of the policy.
Cyber insurance has been around for about 20 years, still in its adolescence compared to traditional types of insurance, such as property, life, casualty, and health. Compared to these more established areas, cyber insurance is an area of fast innovation and continuous development.
To insure automobiles or homes, for example, insurers have access to large amounts of historical data that enable them to quantify risk accurately and spread costs across their collective client base.
The challenge with cyber insurance is that the threat is new and constantly changing, and without a way to measure consistent trends over time, the risks are difficult to quantify.
The answer is continuous innovation and a multifaceted approach. Since the early 2000s, cyber insurers have used a combination of risk assessment through client questionnaires, supplemented by personal interviews with risk management leaders and CISOs, to understand the organization's risk exposure and maturity of cyber security capabilities.
With the availability of powerful new technologies, the best cyber insurers have incorporated advanced tools, such as security scans of clients' external networks to look for vulnerabilities. Some even employ techniques such as intelligent automation and analytics to monitor traffic on the dark web for chatter, patterns, and trends that may provide insight into new threats.
This more advanced capability has enabled good underwriters to move up the maturity curve by improving risk assessment and risk engineering. The more risk-specific data can be added to the underwriting model, the better the underwriting becomes.
While technology adds significant muscle through vastly improved visibility and insights that could not be achieved by humans, a workable solution is only possible when combined with a custom, hands-on understanding of the organization, its controls, and its security protocols.
The addition of this deeper dimension of insight enables a better view of risks, with benefits for both insurer and insured.
Four things brokers and clients should consider when seeking insurers:
- Without basic cyber defense protocols, you may be declined insurance. These days, to be eligible for insurance you will need strong security controls, such as multi-factor authentication, endpoint detection and response tools, regular software-patching procedures, training of staff to spot phishing attempts, and a comprehensive back-up strategy that includes offline backups.
- Set your budgeting expectations. Rising demand for insurance and tightening supply are causing premiums to rise, dramatically in some cases.
- Look for underwriters that apply a multilayered approach. A risk assessment should include a detailed application, personal interview with CISO and CRMO, and automated security scans of external networks to identify vulnerabilities such as open ports.
- Choose a partner. Companies should seek insurers that provide not just financial protection, but knowledgeable specialists who can provide continuous cyber security advice during the life of the policy, as well as robust incident response capability.
News Type: PLUS Blog
Business Line: Cyber Liability
Topic: Professional Liability (PL) Insurance