Common mistakes to avoid on cyber insurance applications

The cyber insurance market has become increasingly difficult for independent agents to navigate as carriers beef up their coverage applications to limit exposure from soaring losses.


Cyber claims were up 16% overall in 2021 while cyber insurance rates increased 25% during each quarter of the year, according to a recent market segment report from AM Best.

Ransomware events have carriers particularly spooked thanks to a 100% increase in claims annually over the last three years, Fitch Ratings said in a recent U.S. Cyber Insurance Market Update.

Insurance carriers are responding accordingly, meaning the days of one-size-fits-all cyber policies available at cheap rates are long gone. Carrier underwriting requirements are now significantly more stringent, and applications are more cumbersome.

“Short questionnaires and high-level underwriting meetings have been replaced by comprehensive applications and supplemental ransomware applications, whose questions are informed by loss analysis, external scanning and threat intelligence,” Marsh’s Q1 2022 Cyber Market Update states.

Additionally, “insurers are increasingly scrutinizing not only the scope of coverage but also the construction of the contract,” Marsh said.

This isn’t expected to change any time soon, Marsh noted in its Q2 cyber market update, saying “market conditions are expected to remain challenging for the foreseeable future given ongoing accumulation and systemic risk concerns.”

For agents, wading through the myriad cyber-policy questions, endorsements and client cybersecurity requirements is no easy task. But with carriers looking more closely at every application, it’s up to agents to do their due diligence to ensure their clients get the right coverage and that a claim isn’t denied because of incorrect information on the application.

Here are five common cyber application mistakes that agents can easily avoid to better serve their clients in this unpredictable market:

No. 1: Not knowing client cyber exposure/current threats

Though the insurance industry’s understanding of cyber risk has evolved exponentially over the last five to 10 years and there are certainly a greater number of cyber specialists in the industry today, most independent agents are not cyber experts.

Given the amount of information agents are expected to know about their clients and their business needs, this is understandable; but it isn’t an excuse anymore.

In today’s climate, agents should have some knowledge of current cyber exposures and what, if any, cybersecurity protocols clients have in place to mitigate those exposures. For example, clients whose employees work remotely may not understand that a virtual private network (VPN) absolutely should be used when working out of a local coffee shop.

If a client isn’t properly protecting themselves against cyberattacks, they are exposing their business and customers to risk. It’s up to agents to help them identify and solve the issue.

No. 2: Not knowing market/carrier appetite

As important as it is to know your client’s cyber risk, it’s equally important to know the cyber market’s appetite for your client. Agents should be familiar with the various cyber carriers and what their policies cover, as well as how much capacity they offer.

Agents who don’t do their homework before going to market will have to spend more time and resources broadly marketing their accounts. The last thing an agent wants to do is waste a carrier’s or client’s time by submitting applications that will be denied or ignored. Being familiar with the market can help agents find the right carrier for their clients’ needs.

Agents should also understand exactly what information carriers want to know about their client, including:

Agents must make sure that clients understand what information the carrier needs to evaluate the risk and ask follow-up questions as needed.

No. 3: Assuming clients understand cyber insurance applications

Clients may think they understand the questions on an application, but often they lack the expertise to answer them. For example, the client may respond incorrectly to questions about having multi-factor authentication (MFA) if the client hasn’t made MFA mandatory for all users in the organization. Or clients may not understand they are responsible for personally identifiable information and payment card data even if it’s completely outsourced.

Unfortunately, we often see agents not digging deep enough with their clients when it comes to answering cyber application questions. Agents may market the account before the client is “camera ready,” which can lead to a lot of back and forth between the carrier, agent and client. Even worse, if the application turns out to be inaccurate, it could result in a denial of claim.

No. 4: Not allowing enough time to complete the application process

Because applications are more comprehensive than they used to be and there are not enough underwriters specializing in the risk, it can take a considerable amount of time for cyber applications to be evaluated and approved. Currently, it takes about 60 to 90 days on average for a policy to be issued.

Several factors can lead to policy delays, including failure to provide enough information about the client, or failure to respond to a carrier’s request for supplemental information or a cybersecurity assessment. In some cases, carriers may require the client to implement security protocols before issuing a policy.

Delays can create a real problem for clients if they are on a time frame to secure coverage, such as for a job contract or business financing.

Agents must allow plenty of time to thoroughly button up application submissions and ensure the best policy options for their client.

No. 5: Not enlisting cyber expertise

Knowing what you don’t know about cyber risk is critical so you can bring in outside expertise and assistance to fill in the gaps and answer insurance application questions accurately.

There are many cyber-risk assessment firms today that work with agents to identify and mitigate clients’ cyber exposures so they can become insurable. These firms also know the cyber market and can connect agents with carriers that are a good fit for each client, as well as leverage their expertise with underwriters to find coverage at the right cost and within the needed timeframe.

These services are invaluable to small business clients that do not have internal IT resources.

Learning cybersecurity isn’t easy and certainly won’t happen overnight, but by avoiding a few simple mistakes agents can ensure their clients are protected against this evolving risk.

Dean Mechlowitz is co-founder and head of Business Strategy at Florida-based TEKRiSQ. He can be reached at dm@tekrisq.com. TEKRiSQ works with carrier and agent partners to identify true technology risk through risk assessment services, including data collection, reporting and recommendations to drive fundamental security defenses.
