Demystifying cyber insurance & the required data to insure at-scale

Carriers need cybersecurity services firms for active engagement and collaboration to develop and support a dynamic product.


Cyber insurance is designed to protect individuals and businesses from internet-based risks, such as cyberattacks, data breaches and other cyber-related incidents. Once thought of as a specialized product provided by excess and surplus (E&S) or specialized carriers, cyber insurance is becoming more mainstream as attacks have surged over the last five years. COVID-19 and open-source accelerated this trajectory.

Businesses must focus on how to develop a comparable product for the market, how cyber security services firms can support carriers through partnership and how carriers can leverage this relationship to rapidly scale.

Cyber products

Cyber insurance policies typically cover a range of expenses, including legal fees, data recovery costs and notification expenses (associated with informing customers or employees that their personal data may have been compromised). Coverage ranges from individual identity theft to business-grade cyber threats such as data breaches, and to losses from attacks, ransomware and business interruption.

The construct of the cyber product

Carriers that manufacture and distribute these products understand the construct of how to effectively deliver value to the market while minimizing risk and retaining underwriting profit. To underwrite cyber exposures, a risk profile is established and an assessment of the digital footprint is performed. For businesses, the underwriter is also required to understand the type of business, the size of the business and their inherent risks.

Based on the trends and preponderance of specific hacking techniques, carriers should draft or maintain competitive product coverages while providing additional coverage to meet the needs of clients and ensure proper protection. Today, underwriters conduct a detailed assessment by evaluating the cybersecurity posture, IT infrastructure, data management practices and security protocols. These assessments can span from questionnaires to interviews, scans and on-site comprehensive reporting. The challenge with this approach is that hackers change tactics in milliseconds, but the carrier’s evaluation doesn’t. So how do carriers minimize risk while staying current on tactics?

Cyber security alliances

Carriers need cyber security services firms for active engagement and collaboration to develop and support a dynamic product. Carriers benefit from gaining insight into the latest methods of attacks to create more dynamic product boundaries while maintaining relevancy and effectively managing the ever-changing risk environment. Taking this proactive approach ensures the underwriting processes hold strong to demand and market shifts (hacking techniques).

Once bound, policies would require quarterly assessments by cyber security firms to maintain coverage. Those businesses that do not assess will find themselves without appropriate coverage when and if an attack happens. Carriers that establish alliances with cyber security services firms maintain a pulse on the ever-changing methods that hackers are using. Carriers will need a services or security firm that can provide assessments and intel on the known vulnerabilities across the ecosystem in three major areas: offensive, defensive, and policy and procedures. By evaluating each of these three key areas, carrier underwriting teams are better prepared to provide a proper scoring and pricing model to protect the client and the carrier.

Offensive

Maintaining a proper defense means continual evaluation of potential offensive attacks. Cyber security services firms apply penetration testing to test the strength of a business’ defense. This evaluates the enterprise risk from a hybrid workforce, identifies and prioritizes all systems that generate vulnerabilities and applies creative thinking over older SOC compliance processes. Carriers can then use these details to adjust their underwriting guidelines based on a business’ vulnerability.

Defensive

As insurance has innovated and transformed, so have prospects and policyholders. To ensure that vulnerabilities are not introduced by third-party solution providers, legacy debt and new application development, cyber security services firms can continually assess the strength of the prospect’s defenses. With API endpoints becoming the norm, businesses must also protect their transactional fabric through the remediation of cloud security and customer identity access management. Standing up intrusion detection and monitoring based on comprehensive defense strategies for data production is a must.

Policies & procedures

The ability to protect against offensive attacks and maintain a proper defensive strategy holds value for the businesses and carriers that protect them; however, a lack of policies and procedures within the potential policyholder is where the house of cards falls. Knowledge of, and tactics taken to maintain, protection while also providing remediation upon an attack complete the triangle of protection necessary for carriers to hold confidence in delivering a risk-averse product.

With the economic shift from brick and mortar to digital commerce, the source for all goods is online. As more individuals and businesses alike gain revenue streams through digital means, the need for digital protection lies in one’s ability to hold the risk or transfer to those carriers willing to embark on a cyber product at scale. Carriers need to step forward and recognize that this is a lucrative market, assuming they apply the necessary assessments through alliances with cyber security services firms. As we look forward, how will the market evolve? Two words: Embedded insurance.

Eric Fenton serves as principal, business consulting, insurance at EPAM Systems, Inc.
