Solution Partner Views
Better Underwriting in the Age of Hacking
Fueled by high-profile hacks of government and private databases across the globe, cyber risk has emerged as one of the fastest-growing segments of the insurance market. Given the dynamic and largely unpredictable nature of the risk, significant challenges remain for many insurers, risk managers, and IT personnel attempting to better manage cyber threats. Due in part to its rapid evolution, cyber has also become a space open to innovative products and cutting-edge expertise.
Underwriting for cyber risks has changed dramatically in scope and context from some of the earliest policy products of just a decade ago. Yet the shifting landscape for cyber insurance may be suppressing some promising potential insurance solutions. Through coordinated efforts on the part of insurance carriers and their policyholders, both parties likely face an opportunity to better address this 21st-century risk.
Think of cyber as the risk of financial and other losses resulting from a compromise of information systems. Such a compromise could occur intentionally or unintentionally, by internal or external actors. Many of the earliest forms of cyber insurance primarily addressed data and privacy breaches as well as liability and technology errors. But as recent global hacks have shown, business disruption and ransomware are becoming greater threats than before. Many forward-thinking businesses are finding they can't take an “it won't happen to us” approach any longer.
A case in point is the fast-spreading “WannaCry” ransomware that has affected Windows computers in more than 100 countries. Ransomware is a type of malicious software that blocks access to data on a victim's computers or devices until a ransom is paid. Typically, this figure is requested in a cryptocurrency such as bitcoins. While in some cases the actual ransom collected by the hackers has amounted to $50,000, it's estimated that business disruption losses could be in the hundreds of millions of dollars globally.
Even small businesses can be victims. The insurance industry overall hasn't adapted nearly as fast to meet the needs of small and medium-sized enterprises. Much of cyber risk underwriting and solutions is still a case of the haves versus the have-nots, and most coverage products continue to be designed to address large commercial businesses with deeper pockets. As it happens, those often are also the companies that can more likely recover from a major cyber breach or security event. Can the same be said for small and medium-sized enterprises?
Data that divides
An essential element to underwriting—whether property, liability, or cyber—is the collection of exposure information to clearly define and segment types of risk. There are three key areas of information needed to support underwriting decision-making: culture, exposure, and protection.
A common theme among many businesses that have overhauled their cybersecurity practices is culture change. And that transformation often starts at the top, with C-level executives integrating secure cyber practices within the workforce and bringing cyber risk to the forefront of operational strategies. A resilient culture may be difficult to define, but it's arguably one of the best measures to help prevent a cyber loss event or mitigate losses from incidents. More than half of all cyber attacks in 2013 were reportedly the result of employee negligence. That number has declined, in part due to other forms of attack but also because of stringent corporate policies and training instituted within many large companies.
Analyzing the exposure of a commercial business introduces challenges not necessarily present in more traditional commercial lines. First and foremost is sourcing the data. Although IT departments usually aren't involved in the insurance purchasing process, they're often the first—and possibly only—line of defense when it comes to cybersecurity. And many companies outsource much of those services to vendors. Understanding the value of the data and assets that employees collect, store, and analyze is also highly important.
Capturing the data
The last piece of the puzzle involves data related to types of protection, or security, used by an operation. This information includes security protocols and employee access to records, types of software, freeware, and levels of security within cloud platforms accessed by operations. This data is usually the most difficult to capture and evaluate. It's crucial to remember that purchasing cyber insurance does not equate to practicing cyber risk management. Insurers able to gather the most information, evaluate and categorize it appropriately, and devise a product to serve the segments will likely position themselves for success. This means that traditional segmentation, by geography or NAICS code, will likely not suffice; and primary segmentation categories may turn out to be e-business revenues, cloud-computing vendors, or even web-facing devices.
In addition to the challenges presented in gathering data, the insurance industry in general also currently struggles with sharing and communicating intelligence among peers. The hacker space is rife with knowledge and communications, exposing vulnerabilities and strategies to attack systems and improve attacks through phishing, malware, and ransomware. At present, the insurance industry lacks a trusted aggregated source of claims and loss-related information to help the ratemaking process, with implications for the entire risk chain.
One potential solution involves regularly disclosing cyber insurance data as part of statistical reporting. An opportunity exists for many insurers to work directly with their policyholders to educate, gather operational data, and build product solutions that match the risk variations presented in different industries. Sharing data among peers, using third-party data experts, and devising new ways to serve customers can foster a cyber insurance market that helps meet the needs of businesses large and small.