The cyber liability segment promises endless business opportunities and premium dollars for the insurance industry. The annual premium volume for the U.S. cyber risk market is already an estimated $2 billion and expected to grow, according to the Betterley Report’s 2014 “Cyber/Privacy Insurance Market Survey.”
Although the number of businesses actually buying cyber coverage is still relatively small, that number is growing and the untapped potential is considerable.
Helping these customers cover their risk is just one part of the cyber picture. While insurers have been eager to get premium from this segment on the books, especially considering the extremely soft market and a lack of other new business opportunities, have they adequately gauged risks this market presents to the insurance industry itself?
Prices for coverage for this segment have been low – very, very low, say experts, a situation that has also been a function of the capacity in the market.
“Even in the last five years the market for cyber has exploded, simply from a capacity point of view,” says Graeme Newman, marketing director for CFC Underwriting, an MGA based in London. “I remember 15 years ago when there were four or five markets writing this type of cover… Now there are over 60 carriers writing it. It’s a simple function of supply and demand. Demand has been growing but I think supply has outstripped that, and that has kept pressure on pricing and kept prices low.”
Then there was that cold day in December when news broke that a massive, record-breaking data breach had occurred to one of the world’s largest retailers, Target. Costly claims have been pouring in ever since. Newman says the $44 million in insurance recoveries reported by the retailer in the first quarter barely scrapes the surface, with multiple outstanding lawsuits still to settle.
Suddenly, this segment full of opportunity became a little bit scarier to the insurance industry.
Newman believes insurers have to start evaluating their cyber portfolios more closely, scrutinizing which risks they will write and pricing those risks appropriately.
“The one area where I don’t think that the insurance market has really got a handle on yet is aggregation and systemic risks. I think most insurers feel comfortable that they’re pricing risks at the right price for the normal, everyday part of exposure. But the ‘black swan’ events, the major systemic issues – a major hack that affects multiple insureds, maybe thousands of insureds across the world – that's the risk that most people are uncertain about. That's where most insurers are exposed,” he says.
Value-Added Cyber Services Not Just for Insureds
Insurance companies are increasingly turning to cyber security firms and cyber risk management companies to not only help insureds put the proper procedures in place to prevent breaches, but also help the carriers evaluate which insureds are good risks to take on.
This approach includes looking at all facets of an insured’s data systems – who their vendors are and how much customer data they hold; what rules govern employees’ access to personal information; how information is stored on and off the insured’s premises; and much more.
“What happened with Target really opened up the dialogue about the risks between business suppliers and their partners. We can no longer ignore those services and those providing those services,” says Natalie Lehr, director of analytics for TSC Advantage, an enterprise risk consultancy that specializes in protecting sensitive information.
Lehr says her firm has worked with insurance carriers on managing their cyber insurance portfolio risks by providing broader and deeper insights into clients’ entire technology systems.
“Part of what we try to do with insurers and what our methodology incorporates is the posture of the insured is more than technology investments, it’s also personnel and security decisions that are made,” she says. “[Knowing this information] improves dialogue between the insured and insurers and provides for a strong discussion.”
Lehr says issues can arise when insureds want to keep their more sensitive data points secret, creating a conflict of interest with insurers that want to have the most comprehensive data to drive their decision on pricing. Insureds may also not understand or know their systems well enough to provide insurers with all the pertinent information to underwrite.
Coalfire Systems, a global independent IT audit and compliance firm, is tackling these issues, commonly referred to as “non-disclosure,” with the insurance industry.
Andrew Barratt, European managing director for Coalfire, says insureds not disclosing information about their security controls or technology usage either correctly or at all is a major problem for insurers, not only because clients’ policies may be underwritten improperly or policies are found to be ineligible if a breach occurs, but also because it hinders data collection about cyber losses and payouts.
“There's a real challenge getting people to be more upfront about the level of security control they have in place, and also whether they are taking the right kind of steps when they've been advised by their professional advisors or by the underwriting agencies themselves,” says Barratt. “I think you'll see the underwriters over the next two years be a much more regular part of a lot of security risk management, particularly in big corporates, where they're transitioning quite a large risk to them.”
Barratt says risk management companies like Coalfire are marketed as a value-added service to entice businesses to buy cyber policies, but they also help underwriters protect their cyber portfolios. He says they are quite “heavily engaged” with underwriters and also the broker networks on education on why these services are so important to the cyber policy selling process.
“Broker networks are so keen to sell the policies that any kind of assessment work that was done either prior to buying or as a condition of the policy could potentially be a barrier for a sale,” he says. “But what I am expecting to see more of is the broker network being better educated and understanding the value to the insured of having this level of review done before they end up engaged in the cyber policy…It forces a better disclosure of information to the underwriter.”
Newman says the way brokers sell cyber policies and the amount of information disclosed in the underwriting process really falls on the insurers and how they have set up their application process.
He says that in order to have more accurate and useful information for underwriting, insurers need to devote the time to developing applications and products that address each insured’s individual business risks.
“Insurers have typically created these very, very long application forms that ask a whole variety of questions about a client's systems and their security setup, many of which are actually totally irrelevant. As an insurance company, it's incumbent upon us to streamline the question set, to ask the right questions, and to help our brokers solicit that information from their clients,” he says. “I think it's much more about how the company approaches risk management, rather than what [their security] looks like at this point in time.”
Industry-Specific Products Protect Industry, Insureds
TSC Advantage is working on helping insurers gather the right information through its cyber risk assessment program Threat Vector Manager (TVM) for commercial organizations, critical infrastructure and the public sector.
The intelligence-based process identifies trends, patterns and areas of elevated risk through what TSC considers are the highest priority threat areas to an organization:
- Insider threat – Examines technical and non-technical precursors of risk from high-risk actors, events and behaviors from human beings throughout an enterprise ecosystem
- Physical security – Focuses on the potential for physical intrusion and unauthorized access to priority locations where sensitive information is stored and accessed
- Mobility – Explores vulnerability of data during foreign travel and from mobile devices
- Data security – Examines risks stemming from the use and defense of enterprise IT resources
- Internal business operations – Measures the effectiveness of initiatives that manage internal administrative vulnerabilities and critical assets resulting from personnel, organizational or business processes
- External business operations – Examines an organization’s security strategy, policies and procedures, and threat universe resulting from external engagements
TSC’s Lehr says these six baseline modules provide a comprehensive assessment, and the firm also offers more specific sector-focused modules, including for the healthcare and energy sectors, so the insurer and insured can see the risks in context.
She says insurers can no longer afford to treat all clients the same way.
“Insurers love data and they have a lot of data-driven risk decisions and modules, but they need to take into account that not only is quantitative data important but qualitative data is too,” she says. “There are specific nuances [in each industry] and clients shouldn’t be punished when they don’t follow a certain model because it isn’t focused on their sector.”
Coalfire’s Barratt says having more suitable cyber products will help agents and brokers battle the non-disclosure issue and help educate them about the cyber segment.
“Most brokers really want to be a valued advisor to their insureds and the best way for them to do that is to be able to pick up the right product and not under or oversell them,” he says. “If you are a carrier that has a specific product, you want to really put a lot of emphasis on making brokers and agents aware of its value.”
Barratt acknowledges it is difficult for agents and brokers to be well-educated on all the cyber policies out there, especially when most of them are so broad and not industry-specific.
Working with risk management firms like Coalfire can help them to identify what the cyber security trends are, as well as the right questions to ask carriers, such as “Who are you targeting with this policy?” and “What does the typical insured you cover look like?”
CFC’s Newman says risk management is an important feature of the cyber insurance products currently offered, but if someone wants to get into a company’s systems, they will. He thinks the industry will be able to protect its cyber portfolios more effectively by developing industry-specific cyber products that offer education and training focused on that industry.
“We see a lot of the claims coming out of very, very simple breaches. It's not sophisticated attacks. It's the simple things: people printing out documents and leaving them on a train or in a coffee shop or in a restaurant; people in the healthcare industry taking prescriptions and putting them in the [garbage] outside,” he says. “It's just common human errors and human awareness. Even though there are lots of specific areas of risk management, the biggest threat to any business is their people. That's what is creating risk. We'd like to see more focus on education and training for people.”
He expects insurers will also see benefits in the form of premium dollars from tailoring their cyber products to individual industries, and not just a more secure portfolio.
“I think a lot of customers just don't understand what this product does for them, because it's so generic. They can't see how that translates to their particular industry…If you were a school, and you saw a product that talked about students and student data, rather than employees or customers, it immediately feels more relevant. If you're a healthcare organization and you see a product that's talking about covered entities and business associate agreements and the risk that comes through corrective actions, enforcement actions, it'll make much, much more sense to our customers about what we're trying to do,” he says. “I think that'll massively grow demand and help with understanding.”