The constantly evolving cyber threat landscape has affected the cyber insurance underwriting environment and will continue to do so, according to a panel of experts speaking at Advisen’s Cyber Risk Insights Conference, held this week in New York. However, those changes may make for a better, more accurate approach to pricing and underwriting.
Insurers and their clients face a different world now compared to three years ago, as digital threats grow more sophisticated, malicious, and hard to detect. According to Brad Gow, senior vice president of professional liability with Endurance, a new breed of hacker is on the scene with Russian gangs and the prevalence of Chinese military hackers. Risks now include the “systematic siphoning off of intellectual property” and businesses and individuals are now confronted not by the traditional image of a basement-dwelling loner wreaking havoc for fun and profit, but calculating criminals.
“These are not the occasional miscreant,” Gow said. “They’re 24/7, they’re patient … and they’re able to monetize the info they steal from these companies.”
He added, “It’s a far more dangerous neighborhood now, not only for the underwriters in the group, but for the companies holding on to information and very expensively developed intellectual property.”
Insurers, of course, must focus on underwriting and pricing the risk appropriately in expectation of claims. Unlike other risks, cyber incidents aren’t limited to a few high-cost events or many low-dollar claims. Matt Prevost, vice president of professional risk at ACE, commented that insurers are seeing a combination of frequency and severity.
“As we see these risks change, that’s really where the underwriting comes into play,” he stated. “We’re not basing it on frequency or severity, but on the technologies we’re underwriting.”
Paul Miskovich, senior vice president and global head of cyber for AXIS Insurance, described the process as making “data-driven decisions” on both underwriting and portfolio mix of business in order to get the right rate to remain competitive and solvent in the cyber insurance market.
“In the post-Target environment, we’re looking toward reinforcement of key information and the number of records [held by an insured],” he said.
Gow also noted that after Target’s data breach, many underwriting tenets that insurers thought were accurate for cyber have “gone out the window.”
Heightened Awareness
Mike Brown, managing director at Guy Carpenter and moderator of the panel, noted that high-profile cyber events have heightened awareness for consumers and the media of the risk. He asked the panel to comment on the effect of more publicity on the peril.
Steven Boughal, chief underwriting officer for The Hartford’s Hartford Financial Products unit, observed more businesses taking an enterprise risk management view toward cyber risks and that has insurers determining the best way to capitalize on that opportunity. Demand for coverage for data breach notification costs has risen, he added.
“You’re seeing companies looking at cyber liability across their portfolio,” said Boughal. “It’s in more spots than they originally thought.”
Endurance’s Gow agreed that cyber risk fits in with other exposures faced by businesses. He cited terrorism and business interruption.
Prevost explained that it’s becoming ever more frequent now for major corporations to discuss their approach to cyber risk on earnings calls, letting shareholders know where they stand in understanding the risk holistically. Underwriters face the same questions as risk managers in comprehending and explaining the field, he added.
With 12 months’ worth of high-profile data breaches, cyber is clearly in the public eye. The Advisen panel reported that broker understanding of the products available has increased – as well as the market capacity for coverage.
Before now, Gow said, “It was very evident that the single greatest barrier to cyber sales has been the very limited number of producers who were able to effectively articulate the coverage.”
He added, “You could put all those brokers on a short bus.” Of those truly in the know, their time was spent on Fortune 500 companies, leaving the rest of the business world “woefully underserved.”
Gow said that wholesale specialists have been a resource for smaller brokers, but there’s currently a “real opportunity for the producers and the underwriters – that great untapped market of small and middle-market businesses.”
Boughal commented that small and mid-sized companies are “just coming to grips with the exposure” and there is a need for brokers and agents to help educate them.
“The coverage limits really may not be there,” he said. “If and when that segment’s tested, we may see some unhappy buyers.”
Miskovich speculated that the cyber insurance market can expand further. “The industry … wants to be bigger. It’s just going to take more energy,” he said.
Prevost said that businesses are especially interested in benchmarking, knowing what their peers are doing from a risk perspective. Insurers can do more to provide data that is relevant to every size of client, he said. Risk management tools are also of interest to organizations; however, the technology services market has not caught up.
“We as a marketplace will eventually provide that,” said Prevost.
The bewildering variation in coverages, the application process, and the learning curve on cyber insurance are cited as the most frequent reasons businesses don’t pick up the coverage. Moderator Brown suggested that selling becomes a challenge when there is no real consistency. According to panelists, everything could be streamlined.
Boughal commented that for the “basic” policies, there really shouldn’t be much difference in coverage and insurers should be educating brokers and agents on “real tangible coverage” to address their clients’ concerns.
Gow noted that brokers always ask for expanded triggers and less stringent exclusions. With 60 viable markets in the U.S. alone for cyber, he added, “an environment like that really does not foster a stringent underwriting culture.”
“Brokers will gravitate toward more naïve capacity,” stated Gow. “The only question is, how long can that continue?”
Miskovich commented that the “marketing engine has gotten out in front of the forms.” Insurers are still in the early days of understanding the loss structure and policies may not cover what insureds think they do or want them to do.
“It’s creating this schizophrenia in the form,” he said.
ACE’s Prevost emphasized the need to gather data, citing a “push-pull” from the market on an application process that some say requires too much information and too many detailed questions.
“But that’s important data as we grow, from a market standpoint,” he said, adding that the number of questions tends to correlate to the amount of coverage an insurer is willing to provide.
According to Miskovich, the application provides a sense of how the applicant fits in with an insurers’ understanding of risk or its risk appetite.
Gow added that the application, “distilled to its essence, is used to determine where a company is in privacy and security awareness.”
“Seen in their totality, you can get a better sense of whether or not a company gets it,” he said. Underwriters look for accountability and baseline controls.
“It’s such a tough job for a CISO to keep a modern company secure,” Gow acknowledged.
Miskovich also said that firms that invest in improving their risk position hope that effort will eventually be rewarded with premium discounts. Other panelists noted that “discounts” per se aren’t likely to be as prevalent as fewer premium increases or filed credits.
Prevost said that the industry already recognizes businesses that take their time and know their cyber stuff.
“The ones that do, I think the market reacts and responds to,” he said.
Future Risks
While addressing the risks of today, insurance underwriters need to be aware of the threats still to come. Brown questioned, “Can the good guys keep up with the bad guys?”
In response, Gow stated, “You build a 12-foot wall and they’ll start making 13-foot ladders. There’s always going to be cracks in that egg.”
Gow and Prevost noted that the much-vaunted chip-and-pin technology for payment cards is already in use in several countries. By the time it arrives on a regular basis in the U.S., the bad actors could already understand how to crack it. The panel also agreed that future risks such require underwriters to be inquisitive and always thinking ahead.
“As unexpected as we think cyber risk is, there’s always something new that we don’t even think of,” said Prevost.
Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].
