Improving cyber insurance doesn't have to be hard
Cyber policies have become a sort of Frankenstein monster, with coverages pieced together to address a growing set of property and liability risks.
As brokers and buyers know well, insurance historically has cycles of hard markets, soft markets and conditions in between.
Since 2019 or so, the property & casualty insurance market has ranged from firm to hard. One line of insurance, however, should behave differently: cyber.
Cyber insurance is unlike standard property and liability lines because the nature of cyber risk itself is different. Traditionally, insurance underwriters react to loss events. Something happens that causes an adverse outcome, so underwriters respond by raising rates, tightening terms and conditions, increasing deductibles and retentions, and if losses are worrisome, even reducing capacity. Terms such as “hard market” and “soft market” shouldn’t really apply to cyber because the risk is constant. Sure, there are notable large losses from individual cyberattacks, but generally, cyber insurance market conditions should be more risk-driven than event-driven.
In property insurance, rates, terms and conditions often change based on singular events such as a massive hurricane that strikes a densely populated area or a wildfire that destroys thousands of structures. Cyber is also unlike casualty insurance, which tends to contract following periods of loss frequency and severity. Liability exposure is driven in part by events — litigation following an act or omission, nuclear verdicts, adverse court rulings, and so on.
At the moment, many insurers are treating cyber like a traditional line: They’ve raised rates, tightened terms, and some have even slashed the amount of capacity they offer for cyber risks. Here’s how that looks for some buyers: One organization with a large exposure but with a good loss history previously could buy a $30 million tower of cyber limits, but in 2021 it could only get $15 million — and the cost for that amount of coverage was a lot more than the organization paid before.
This, unfortunately, sends a message that insurers are more worried about the risk to their balance sheets than about helping solve their customers’ risks. It also makes small and midsize organizations skeptical of the value of cyber coverage. Buyers that wait on the sidelines because they see cyber insurance as too expensive are, in fact, increasing their exposure to cyber losses. That’s not just bad news for brokers and insureds; it also makes cyber insurance unsustainable. However, the industry can change.
Stop the tug-of-war
If a hard insurance market seems to resemble a tug-of-war, that’s because it is. It’s a power struggle between two sides, and each side tries to move the other as much as it can. But step back and look at this battle through a different lens. It’s a struggle of inches, without either side going anywhere that looks like progress.
Cyber insurance shouldn’t be this way. Imagine if brokers and third-party service providers held a third rope. Now imagine if, instead of a tug-of-war, everyone pulled each other closer together, and in a direction that benefited everyone. Interests would align in a place where enhanced cybersecurity mitigates the risk — it doesn’t just put a policy in place — and insurance provides peace of mind because it aligns with the actual exposure. Everyone benefits.
Align coverage to cyber risk
Cyber insurance has evolved significantly over the past 15 years. What began as a specialty professional liability coverage for technology organizations has broadened to address data breaches and network disruptions for virtually every industry. As a result, cyber policies have become a sort of Frankenstein monster, with coverages pieced together to address a growing set of property and liability risks.
Even as the cyber insurance premium volume has skyrocketed, many insurers still struggle to adequately assess cyber exposures and, even worse, to provide effective mitigation. Cyber insurers, by and large, focus on reacting to cyber losses. They can improve in multiple areas, including:
- Cyber risk assessment. Questionnaires and supplemental underwriting applications provide point-in-time snapshots of an organization’s perceived cyber exposure. Insurers need a clearer, ongoing view into an insured’s cyber exposures.
- Aligning coverage to actual exposures. Once an underwriter sees the full, high-resolution picture of cyber exposure, they can align coverage accordingly. This can eliminate coverage gaps, make specific coverage clearer, and reduce losses for the insurer and insured. It also builds trust because the buyer and broker can have confidence that the policy will respond.
- Loss prevention and mitigation. The most challenging, yet also valuable, part of a cyber insurance relationship is preventing cyber losses in the first place. Cybersecurity is a highly specialized field that is constantly innovating to keep pace with the sophistication and complexities of cybercrime. Most insurers rely on third parties to provide cybersecurity services because those are not a core competency for the insurer. However, combining cybersecurity and cyber insurance is a powerful way to mitigate cyber risk and make coverage better.
A secure approach is simply a better way to underwrite cyber risks. It avoids the cyclicality that makes brokers’ and insurance buyers’ lives more challenging, and it’s a path to sustainability and coverage certainty. Integrating the appropriate cybersecurity resources into the underwriting process is a natural next step.
Charles “CJ” Pruzinsky (cj@resilienceinsurance.com) is executive vice president and chief underwriting officer for North America at Resilience. Before joining Resilience, CJ led the Northeastern operations of cyber insurer Beazley Group, based in New York. Prior to Beazley, he held senior underwriting positions at American International Group, where his responsibilities included building out AIG’s Midwestern U.S. regional capabilities.
These opinions are the author’s own.
See also: