Inconsistencies and a lack of standardisation in how insureds, underwriters, and regulators approach cyber insurance are persistent challenges that can hinder the development of a market still in its early days.
There has been a renewed focus on underwriting discipline and expanding security knowledge in 2021, with many underwriters struggling to strike the right balance between the underwriting information they need and the commercial reasonability of obtaining it. Cyber risk often requires a non-standard approach to capturing key underwriting information, and a diverse client base with varying levels of sophistication can result in insureds unwilling or unable to provide it.
Meanwhile, many regulators and industry bodies are taking proactive measures in developing cyber security and insurance data standards, although they are moving at different speeds and have differing levels of maturity.
These insights were shared during a panel discussion of cyber risk experts on the state of the cyber insurance market, challenges around underwriting capabilities, and opportunities in tech. The discussion was part of Verisk’s Cyber Monday Series.
Here are three key takeaways:
Inconsistency in ransomware and silent cyber remain huge challenges. The size and frequency of ransomware claims are creating hesitancy around cover, with many underwriters looking at coinsurance or introducing sub-limits for ransomware. For silent cyber – where there is cyber risk exposure under non-cyber policies – regulators and industry bodies such as the Bermuda Monetary Authority, the New York State Department of Financial Services, and the Lloyd’s Market Association have launched initiatives to help insurers manage and limit their exposure, although it is not being done on a consistent basis.
Willingness to provide data often overridden by ability. Panelists suggested that it’s often not the willingness of insureds to disclose cybersecurity information that’s the issue, but rather their ability to do so. Ownership of data and the ability to share it can be difficult when third-party service providers are involved, and some customers may not be able to answer questions accurately due to inexperience. Underwriters must ask the right questions and find a sensible medium in light of what an insured is prepared to give them. For questionnaires submitted in proposal forms, underwriters are increasingly moving beyond simple, and often misleading, compliance questions such as “do you use multifactor authentication?” towards a more contextual understanding of, for example, when and how an insured chooses to deploy multifactor authentication.
Cyber insurers could engage insureds with incentives. Companies could benefit from viewing their system networks as their vital organs, with insurers offering incentives to insureds who can demonstrate they are able to protect them. Insurers could offer insureds incentives and more attractive coverage options that would be awarded upon engaging in more cybersecurity risk management activities, such as online training, having protections such as multifactor authentication and firewalls in place, or agreeing to third-party audits.
Verisk offers a full suite of Cyber Solutions that help underwriters accurately identify their exposures and collaborate more with their insureds around proper cyber risk management.