As demand and capacity for cyber insurance products grows, insurers need to properly assess their own risk from insuring cyber exposures, says Andrew Barratt, European managing director for Coalfire, a worldwide independent IT audit and compliance leadership company. Barratt works with the insurance industry on building cyber risk management programs and on how they can more adequately assess the risk from cyber threats that are introduced into their portfolios. In this Q&A and podcast with MyNewMarkets.com, Barratt discusses issues around potential clients not disclosing cyber risks during the underwriting process, as well as why risk management services have become so essential to cyber policies.
MyNewMarkets.com: What are some of the exposures that insurance companies face from cyber coverage?
Barratt: They seem to fall into a couple of the major breach categories. There’s a lot of exposure in the payment card space, particularly in the US, where you’ve seen a lot of large breaches recently in the news. There are a number of large underwriter and insurance firms that have been actively covering some of those types of insureds without necessarily having done as much diligence as they should, but many of them have started to improve that process. They’re trying to manage that exposure a bit better than they have in the past. There’s the classic privacy damage, which is now starting to have cyber implications…There’s a very big concern that a cyber attack could be a trigger for physical damage. One of the big consultants we’re working with at the moment is actually putting together a package to try and help mitigate that situation, building in enough professional advice or assessment processes into it that they can understand just how at risk the insured is.
MNM: Which segments or industries are presenting the greatest exposures to insurers? Do you see them avoiding those now or still entering full force into all these new segments?
Barratt: On the payment side, they’ve actively solicited some of those, mainly because there’s now a lot better awareness in the market. Whenever there’s a breach that calls for a large payout, it in some ways can be good for the sector because it acts both as a wake‑up call for the underwriters and the broker networks in some cases, but can also stimulate demand for their product…
[When a large breach occurs] On the backend, the underwriters are then making sure that they’re properly assessing the risks and potentially are increasing the level of diligence that they do. Each of those has separate subsections. The ones where you see a lot of breaches then would probably be the hotel and retail space.
They’re also showing cover for political damage from the hacktivist groups, or potential physical damage with people targeting the energy sector and utility companies. With the US guidance for those sectors specifically, we’re likely to see insurance products that pop up entirely targeting those entities.
MNM: What is non‑disclosure and why is it such an issue for insurers?
Barratt: Non‑disclosure’s a really big problem for [insurers] because if people are not disclosing the information correctly, one, the underwriters don’t get the opportunity to build up the right amount of data to help them long‑term.
As cyber becomes much more of a legacy product in the next, say, eight to 10 years, we’d expect underwriters to have vast amounts of data about the number of payouts they’ve made. But then on the front side, when you have an insured dealing with a broker, there’s sometimes a tendency perhaps not to disclose everything up front. The underwriters are concerned that if that then leads to a breach, it could lead to policies not being eligible, and then the loss mitigation doesn’t take place.
Barratt says it’s a real challenge to get people to be more up‑front about the level of cyber security control they have in place, and also whether they are taking the right kind of steps when they’ve been advised by their professional advisors or by the underwriting agencies themselves.
Barratt: There’s a culture of not disclosing certain types of information because it’s perceived to be poor from a security perspective. The underwriters over the next two years will be a much more regular part of a lot of security risk management, particularly in big corporates, where they’re transitioning quite a large risk to them.
MNM: Is that also why more insurers are offering cyber protection services and hiring outside firms to help work with the clients on managing their security exposures and there are more risk management policies coming about?
Barratt: That’s where we sit in the market. We end up being quite heavily engaged with the underwriters. One of the issues that originally cropped up was the broker networks are so keen to sell the policies that any kind of assessment work that was done either prior to buying or as a condition of the policy could potentially be a barrier for sale. I think that put off the broker network a little bit.
But what I’m expecting to see more of is the broker network being better‑educated and understanding the value to the insured of having this level of review done before they end up engaged in the cyber policy. The reason for that is quite simple. It forces a better disclosure of information to the underwriter.
MNM: Why is the pricing of coverage still so low considering the exposures? Do you think that’s going to change?
Barratt: I think that that’s going to change and is changing. Sometimes because the policies tend to get bandied around as just cyber or typically cyber liability cover, one of the challenges you’ve got is explaining to some types of broker networks, or even to the insureds, the policy they’re buying and what it actually covers.
MNM: What should insurers be doing to decrease their cyber insurance exposures as they push these products more and more into the market?
Barratt: The way we try and look at it with them is, one, try and balance the portfolios in a slightly different way than they have before…What I’m starting to see is, they’re really looking into the detail so that they understand what those risks look like. That has to be done proactively across the portfolio of risks. When you have an application process that is potentially quite generic, it becomes very difficult to do that. In order to reduce the risk, you do need to make sure that the binding process gets the right level of information.
I’d expect to see the information gathering up front change quite a lot over the next couple of years with people giving a lot more information up front, and then the underwriters actively managing the changes to the policy are potentially constantly reviewing the portfolio and then not offering certain cover to certain types of entities, just based on them having too many in their portfolio already, and then trying to split them by sector rather than just by geography.
MNM: What do you think agents and brokers should be doing to make sure their clients are getting the right amount of coverage but their carriers are getting all the information?
Barratt: …You’re probably never going to be able to stop someone mis‑selling any kind of insurance product. The really important factor is to make sure that the training is put into the broker network so that they understand the differences between different types of cyber cover, and also the value to the customer.
Most brokers really want to be a valued advisor to their insureds. The best way for them to do that is to be able to pick the right product and not under‑ or oversell any of them. If you were a carrier and you have a specific product, you want to really put a lot of emphasis on making the brokers and the agents aware of its value.
To hear more from the interview with Barratt, including which risks carriers are really scrutinizing right now and how agents and brokers can address skeptics of cyber coverage, click on the podcast above.