Cyber insurance challenges: Meeting your business needs
While there is little doubt that cyber insurance presents a historic opportunity, it comes with significant challenges.
Cyber insurance presents a once-in-a-century opportunity for the insurance industry to expand into a totally new product line. Demand for cyber coverage will only increase as the world becomes increasingly digital, creating more opportunities for cyber breaches. As the Organization for Economic Co-operation and Development concluded: “increasing digitalization will ensure that this [cyber] risk will remain top-of-the-agenda for the foreseeable future.”
Though cyber risk is becoming a greater concern for businesses, the protection gap, and therefore the market opportunity, is still large. Lloyd’s researched the effects of a three-day disruption to a cloud service provider and concluded that this type of massive single event could impact 12.5 million businesses and cause $19 billion in losses; it also revealed a massive protection gap since insured losses from that event would range from $3-3.5 billion.
Cyber policies are profitable — at least for now. Outside of a few headline-making events, significant growth is taking place while loss ratios remain low. NAIC data for 2018 showed the average loss ratio for standalone cyber policies was 35.9% and the average combined ratio was 65.3%, with average annual premium growth over the past years averaging 25-30%.
While there is little doubt that cyber insurance presents a historic opportunity, it comes with significant challenges. What stands in the way of significant cyber growth is the very nature of cyberattacks — current threats adapt and evolve while all-new hacks present themselves without warning. Further, cyber is a relatively young product line lacking the data and actuarial methodology to model risk as compared to much more established and more static insurance products such as auto and homeowners. Finally, since the potential damage and scope of a cyber event are relatively unknown, accumulation presents greater potential exposure especially as market share grows.
So how can you grow your cyber book while accounting for these obstacles? Outlined below are concrete steps for insurers to enable growth, improve profitability and mitigate risk.
Find usable data
Relative to other insurance lines, cyber is new. It lacks the historical depth and breadth of claims and external data compared to other classic insurance products. Historical data, in particular, is less useful given the evolving nature of threats and technology.
So, what can be done? Dig deep in the claims data you already have, bring in outside cyber data as relevant and adapt your underwriting to build a foundation of actuarial data that can be used to model risk.
As much as possible, know the damage caused by cyber breaches to your portfolio post facto while incorporating outside cyber knowledge into assessing and underwriting risk. Then adapt your underwriting processes to best understand the cyber posture of an insured and ultimately how it can affect your book. Repeat this process to keep up with new threat entrants and adaptations.
Consider these steps for collecting new, thorough and reliable cyber data:
- First, use external data as an initial proxy for cyber claims. As an initial benchmark, cyber incident data, breach data, and in some cases loss data can be collected from cybersecurity and other external providers. These can serve as initial proxies for cyber claims.
- Second, understand your claims. Get detailed claims data to know what triggered a cyber event, what was the damage and impact on ROI. Identify the main factors that lead to the loss (outdated antivirus, unaware/untrained employees, high-risk business, etc.) and what possible steps could have prevented it. Once gathered, review your portfolio. What would you do differently to minimize losses? What adjustments need to be made going forward?
- Third, adapt the top-of-funnel. Based on the first two steps, adapt your underwriting process to identify riskier clients. Employ third-party risk assessment tools to understand an insured’s cyber posture and add the results to your datasets. Many assessments provide recommendations to strengthen cyber posture. Create incentives for clients to take action based on your findings and assessment guidance.
Identify and understand the problem
Cybercriminals are constantly looking for new ways to penetrate businesses. According to the Ponemon Institute, 67% of small- and medium-sized businesses (SMBs) experienced a cyberattack and 58% experienced a data breach in 2018. As solution providers adapt to new threats, hackers respond with new, evolved versions of cyberattacks — and the cycle continues. Further, cyberattackers are constantly developing entirely new methods to circumvent current cyber defenses as well as exploit the latest technological developments.
These changes should be reflected in the insurance offering and underwriting process. The first step is to stay educated. Here’s how:
- Engage with cybersecurity experts to stay informed of the latest new threats, current iterations of known attacks and evolving/new technological developments. Beyond being “in the know,” encourage actions to mitigate risks. For example, usage of multi-factor authentication for user access.
- Keep abreast of the changing regulatory landscape and adapt early. Cyber threats are triggering new legislation requiring businesses to be compliant with a host of new data protection requirements. The European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are prime examples.
- Know your corner of the world – your portfolio (claims, types of business, etc) and how to understand the impact of evolving risk on your clients.
Plan for cyber peril
For the most part, when a natural disaster strikes insurance providers have an actuarial tool kit that can help gauge and prepare. Multiple historical and current factors approximate risk and potential damage. Meteorological, geographical, historical, and portfolio data help calculate PML of incident scenarios over a given period of time, even stretching into decades.
However, the damage of a potential cyber catastrophe is nearly impossible to predict. There is very limited data to determine the frequency or severity of a cyber catastrophe, not just because cyber insurance hasn’t been around long enough, but also due to a host of factors that could impact a portfolio. Technologies employed by the insured (cloud provider, DNS server, PDF viewer, etc.), their type of business, seasonality and even geography can individually or collectively feed the impact of a major cyber event.
Despite the raw unpredictability of a cyber event, there are real steps to take to mitigate risk and continue to grow market share.
- As mentioned above, creating a data loop where improved information about breach causes and portfolio weaknesses can steer your growth towards safer clients. Look for weaknesses across your portfolio (potential accumulation) and adapt by adjusting premiums as well as being proactive in helping insureds improve their cyber defenses.
- Though it may be obvious, be prudent with reserves. It is too early to tell how volatile cyber insurance is long-term, nor how many good years it will take to balance a large-scale cyber event that could trigger mass claims.
Execute your growth plan
Cyber insurance represents a tremendous opportunity but it’s a race for market share.
Now that you have a backbone methodology for understanding cyber risk, apply your knowledge to a streamlined method of acquiring business.
- Keep applications effective. Prioritize questions based on their cost/benefit since every question gives some value but also adds friction to the process. Good questions are easy to answer while helping differentiate the risk level of insureds.
- Streamline the process. Automate the application, quote and binding process as much as possible. If your company has an existing portal, ensure a minimum manual process — especially for insureds that fall within the underwriting box. Where possible, pre-populate and use educated assumptions to facilitate fast indicating and quoting.
- Partner with your clients. Forty-seven percent of SMBs have a limited understanding of how to protect against cyberattacks. SMB/SMEs don’t have the same resources of large firms for understanding cyber threats nor the ability to gauge their exposure. Risk is balanced by customers who invest in security defenses that can prevent most attacks and respond promptly to breaches to mitigate the damage caused. Help them get there. Partner with incident response teams and security providers to get better deals for insureds. As mentioned, provide risk assessments for fast analysis and understanding of their cyber posture. This doesn’t just minimize risk to you, it makes you a trusted partner in cyber protection and gives clients a direct contact to turn to in case of a cyber breach.
Cyber insurance is a huge opportunity. To take full advantage, swift and detailed efforts must be made to understand and mitigate risk. This involves creating a data feedback loop that drives understanding of cyber events, allowing you to adapt the application-to-binding process with better-focused applications, empower more aware clients and create a lower risk portfolio that can scale. To further refine and define potential threat impacts, stay knowledgeable about the latest cyber perils, laws and security protocols while being prepared for an accumulation event.
In the dynamic, rapidly growing market of cyber insurance, the companies quick enough to adapt to the challenges will reap the rewards.
Asaf Lifshitz (asaf@sayatalabs.com) is CEO of Sayata Labs, a cyber InsurTech company dedicated to streamlining cyber risk placement. The views expressed here are the author’s own.
Related: