Demand for cyber-insurance products is set to escalate dramatically, insurers at an Advisen webcast said, but the underwriting process has erected some barriers.
The newness and complexity of the risk, though, make getting a handle on it harder than in other lines. 
Some 50 to 60 cyber insurance carriers are selling $1.1 billion in premiums today, mostly in the US, Advisen data show. Market penetration among companies with more than $5 billion in annual revenue is almost 27 percent, with smaller companies seeing as little as single-digit rates.
Most companies buy coverage limits of between $1 million and $30 million, but some seek coverage of $500 million.
“Clients want to get insurance at a quicker pace for higher limits, but they are encountering increased underwriting scrutiny, which can delay the process,” said Ryan Gibney, assistant vice president of Washington DC Series at Lockton Cos during Advisen’s webinar: “Cyber Insurance Underwriting: A High-Tech Evolving Discipline.”
Highly publicized data breaches, along with increased scrutiny of security procedures by the Securities and Exchange Commission and the release of a cybersecurity framework by the National Institute for Standards and Technologies (NIST) are now compressing the buying cycle to two to four months, he said.
While the NIST guide was designed for critical infrastructure, such as airports and hospitals, it has created a standard that can also be used by underwriters. For the most part, they must rely on client applications of up to 150 questions, depending on a company’s industry and size, as well as online assessments and third-party technologies.
“The application is the first time clients have seen some of these questions,” said Matt Prevost, vice president of the professional risk division at ACE Group. Completing them is a consultative and educational process that a company’s decision maker goes through to give underwriters a sense of their general cyber-risk profile.
“A lot of clients like the amount of questions,” Prevost said. “They like getting a sense of: ‘What’s my risk profile and how do I compare to my peers?’”
Care must be taken to avoid intrusiveness, though.
“For certain carriers, increased underwriter scrutiny and requests for additional information or security assessments does create somewhat of a barrier to entry,” Gibney said. This is especially true when another insurer is willing to offer terms without the same scrutiny.
“Balancing that is the key to underwriting,” Prevost said.
Ultimately, “we want to see not only insurance protection as a risk-transfer strategy, but implementation of pre-breach security services and education,” Gibney said.
It’s like fire insurance, Prevost said. “You start with the sprinklers.”
The way that cyber insurance differs is “the risk is not static. It can change radically during the term of a policy,” he said.
Multiple technologies and vendors can also be involved.
“Questionnaires don’t address the details behind software, upgrades and patches, because vulnerabilities change on a daily basis,” Prevost said. And, while an underwriter “may be comfortable knowing a client’s risk, what we can’t do is drill down into a vendor’s position.”
That’s where BitSight Security Ratings can help, by assessing not just the vulnerabilities of a company but its “vendor ecosystem,” said Ira Scharf, chief of strategy at BitSight.
“We’re looking across the entire Internet, at where malware is operating and how,” he said. “You can assess performance without involving a company. How often is it being breached?”
With publicly available information, BitSight rates and continuously tracks a company’s risk profile like a credit score.
“There is a need for greater objectivity” in the cyber underwriting process, Scharf said. “With other lines, those mature metrics are already in place.”
More historical claims data is also needed before underwriters will have the metrics available in property lines, for example.
When it comes to cyber, “can insurers suggest what technology spend should be, percentage-wise?” Prevost said. “We’re nowhere near that.”
