Improving Cyberinsurance Doesn’t Have to Be Hard
Cyberinsurance policies have become a sort of Frankenstein’s monster, with coverages pieced together to address a growing set of risks.
As both brokers and buyers know well, insurance historically has cycles of hard markets, soft markets, and conditions in between. One line of insurance, however, should behave differently: cyber. Cyberinsurance is unlike standard property and liability lines because the nature of cyber risk is different.
Traditionally, insurance underwriters react to loss events. Something happens that causes an adverse outcome, so underwriters respond by raising rates, tightening terms and conditions, increasing deductibles and retentions, and—if losses are worrisome enough—even reducing capacity. Property insurance often sees rates, terms, and conditions change based on singular events like a massive hurricane that strikes a densely populated area or a wildfire that destroys thousands of structures. Casualty insurance markets tend to contract following periods of high loss frequency and/or severity. Liability exposure is also driven, in part, by events—litigation following an act or omission, nuclear verdicts, adverse court rulings, and so on.
But terms such as “hard market” and “soft market” shouldn’t really apply to cyber because the cybersecurity risk is constant. Sure, there are notable large losses from individual cyberattacks, but generally cyberinsurance market conditions should be more risk-driven than event-driven.
Nevertheless, many insurers are currently treating cyber like a traditional line. They’ve raised rates, tightened terms, and some have even slashed the amount of capacity they offer. Here’s how that looks for some buyers: In years past, one organization with a large exposure but with a good loss history could buy a $30 million tower of cyber limits. In 2021, the most it could get was $15 million—and the cost for that amount of coverage was a lot more than the organization had paid before.
This scenario sends a message that insurers are more worried about the risk to their balance sheets than about helping solve their customers’ risks. It also makes small and midsize organizations skeptical of the value of cyber coverage. Buyers that wait on the sidelines because they see cyberinsurance as too expensive are, in fact, increasing their exposure to cyber losses. That’s not just bad news for brokers and insureds; it also makes cyberinsurance unsustainable. However, the industry can change.
Stop the tug-of-war.
If a hard insurance market seems to resemble a tug-of-war, that’s because it is. It’s a power struggle between two sides, and each side is trying to move the other as much as it can. But step back and look at this battle through a different lens. It’s a struggle of inches, without either side going anywhere that looks like progress.
Cyberinsurance shouldn’t be this way. Imagine if brokers and third-party service providers held a third rope. Now imagine if, instead of a tug-of-war, everyone pulled each other closer together, and in a direction that benefited everyone. Interests would align in a place where enhanced cybersecurity truly mitigates the risk—it doesn’t just put a policy in place—and insurance provides peace of mind because it aligns with the actual exposure. Everyone benefits.
Align coverage to cyber risk.
Cyberinsurance has evolved significantly over the past 15 years. What began as a specialty professional liability coverage for technology organizations has broadened to address data breaches and network disruptions for virtually every industry. As a result, cyber policies have become a sort of Frankenstein’s monster, with coverages pieced together to address a growing set of property and liability risks.
See also:
- The Number of Data Breaches Hit New Highs in 2021
- Is Cyberinsurance a Worthwhile Investment?
- Drop in Ransomware Payments Due to Better Preparedness by Companies
Even as the cyberinsurance premium volume has skyrocketed, many insurers still struggle to adequately assess cyber exposures—and, even worse, to provide effective mitigation. Cyberinsurers, by and large, focus on reacting to cyber losses. They can improve in multiple areas, including:
- Cyber risk assessment. Questionnaires and supplemental underwriting applications provide point-in-time snapshots of an organization’s perceived cyber exposure. Insurers need a clearer, ongoing view into an insured’s cyber exposures.
- Aligning coverage to actual exposures. Once an underwriter sees the full, high-resolution picture of cyber exposure, they can align coverage accordingly. This can eliminate coverage gaps, make specific coverage clearer, and reduce losses for the insurer and insured. It also builds trust because the buyer and broker can have confidence that the policy will respond.
- Loss prevention and mitigation. The most challenging, yet also valuable, part of a cyberinsurance relationship is preventing cyber losses in the first place. Cybersecurity is a highly specialized field that is constantly innovating to keep pace with the sophistication and complexities of cybercrime. Most insurers rely on third parties to provide cybersecurity services because those are not a core competency for the insurer. However, combining cybersecurity and cyberinsurance is a powerful way to mitigate cyber risk and make coverage better.
A secure approach is simply a better way to underwrite cyber risks. It avoids the cyclicality that makes brokers’ and insurance buyers’ lives more challenging, and it’s a path to sustainability and coverage certainty. Integrating the appropriate cybersecurity resources into the underwriting process is a natural next step.
Charles “CJ” Pruzinsky (cj@resilienceinsurance.com) is executive vice president and chief underwriting officer for North America at Resilience. Before joining Resilience, CJ led the Northeastern operations of cyber insurer Beazley Group, based in New York. Prior to Beazley, he held senior underwriting positions at American International Group, where his responsibilities included building out AIG’s Midwestern U.S. regional capabilities.
These opinions are the author’s own.
From: PropertyCasualty360