# Dear Santa: Here’s Our Cyber and Insurance Wishlist

Published by Gavin Lillywhite

At Axio we’ve been good boys and girls, helping our clients improve their cyber resilience and achieve better insurance outcomes by determining their cyber risk posture and quantifying loss outcomes and economic loss reduction, in addition to successfully graduating from the Lloyd’s Lab with our new Cyber Physical Damage (CZ) assessment and quantification platform. So here’s what we’d like for Christmas:

1. The Cyber insurance market to rationalize – clients want greater capacity whilst the market seems to be competing for a greater share of the existing pie!

After a period of hardening terms and conditions in the cyber insurance market that started to level off in the second half of 2022, we are now reading from broker market reports that rates are falling, and in some cases by as much as forty percent for excess layers.

Rather than competing in a zero-sum game and race to the bottom, we hope to see the market focus on new capacity growth for more complex risk, providing clients with greater limits that truly meet the needs of their exposure, including in complex supply chains – can we achieve a $1Bn+ cyber capacity limit in the primary market? If we’re collectively ambitious enough, particularly on a defined scenario event basis with absolute clarity of what’s covered and what’s not, why would this not be possible? We already know alternative & retro capacity is receptive to providing more capacity to a defined loss definition set.

Robust, comprehensive underwriting information will be integral to this process.

2. The cyber insurance market to increase adoption of comprehensive cyber risk engineering data to aid the deployment of increased insurance capacity.

In my days as a Senior Property Underwriter, it was normal practice to underwrite risks based on detailed risk engineering reports; it was, and still is, the market norm, giving underwriters the confidence to commit significant capacity and remain relevant to clients. Coupled with a direct client relationship and an ongoing risk improvement program, the terms and conditions were regularly reviewed via a trusted client partnership approach.

Speaking from first-hand experience, the industry spends hundreds of millions of dollars supporting Property and asset underwriting with comprehensive risk inspection and improvement programs, and we believe cyber should be no different: to secure more capacity we have to secure more trust, and to secure more trust we have to dive deeper into the [cyber] risk engineering.

Let’s get past the ‘static’ cyber questionnaire, which for most CISOs typically adds little to no value, and increase routine client-underwriter engagement based on comprehensive cyber risk assessment, quantification, and risk improvement. A win-win for all.

3. Directors and Officers (D&O) insurance market to routinely incorporate the inextricable link between robust cyber risk management and mitigating potential [cyber event] D&O losses in their underwriting process.

After the hard market of 2021, which was accelerated by the US Opioid crisis and subsequent class actions against major pharma companies, we see the D&O insurance class also witnessing significant rate reductions, recently leading Patrick Tiernan, Chief of Markets at Lloyd’s of London, to call out ‘moronic underwriting’ (1).

There are numerous examples of class actions following major cyber breaches including the most recent MGM Caesars Palace example. In the US alone, by mid-2023 the number of cyber breaches leading to a class action had risen to 33 per month! (2)

4. D&O underwriters who are rightly concerned about ESG to routinely assess the role of client’s cyber governance in the G?

Having spoken to several insurance professionals, most of them are incorporating client ESG credentials into their D&O underwriting given the natural linkage, but this ESG assessment does not routinely include cyber risk governance factors despite the World Economic Forum recognising the importance of this back in 2022 – why not? (3)

Organisations are only as strong as their weakest link. What happens if their manufacturing or treatment plant is maliciously breached and toxins/pollutants are released into the land/water/air, causing a major environmental and/or socially impactful event?

  1. Environmental Damage emanates
  2. Social disruption/loss of lifestyle/freedom of the environment – if the release is significant enough it can disadvantage the wider community – we all remember the 2019 Brumadinho Tailing Dam disaster that resulted in the loss of 270 lives; whilst in this instance it was caused by collapse, imagine if it had been caused by the malevolent operation of sluice gates?
  3. Governance – was the governance oversight not robust enough and how will the court interpret this?

Why is this important to Axio and how do we bring all this together?

We help break down the silos in the risk portfolio. Cyber contagion beyond the cyber line of business is now evident: we already see it with Property Cyber Physical Damage and, increasingly, Management Liability/D&O as documented above; we also see the increasing risk in General/Employers/Products Liabilities, Professional Liabilities like Professional Indemnity (mal-design), Marine, Engineering, etc.

Whilst we might not yet have witnessed a catastrophic event, the increasing malevolent risk is inherent; all risk must be qualified and quantified to protect the business and investors. For insurers this is typically shareholders, who expect prudent underwriting risk management to protect their investment; this risk could be accentuated if market conditions become less favourable and the market softens overall across multiple lines of business.

With the decline of defined benefit pensions, in the UK at least, the majority of us now have part of our pension funds invested in assets and/or equities, so we rightfully expect the executive teams of these organisations and/or asset managers to ensure a robust, defensible cyber ERM regime is implemented, even if that risk is ultimately retained on the balance sheet. One can only determine the most appropriate risk strategy by identifying and measuring risk; otherwise one is simply shooting in the dark, which is not defensible.

Insurance is in Axio’s DNA, with nearly 100 years of collective team insurance industry experience and expertise. Working with clients, (re)insurers and (re)insurance brokers through our SaaS-based platform, we support the enterprise cyber risk qualification and quantification process in support of more sustainable risk transfer and underwriting, including beyond the cyber line of business.

With our clients we create the most disruptive & impactful cyber scenario event sets tailored to their business, enabling cyber ERM to become fully auditable, [regulatory] defensible and scalable, which in turn supports a more targeted risk retention and transfer process, whether through a captive and/or into the primary insurance market, to maximise balance sheet protection and insurance efficacy. We help avoid surprises and ensure all cyber risk decisions are conscious ones.

What does our destination look like – are we there yet?

References 

  1. https://www.postonline.co.uk/lloydslondon/7954240/lloyds-tiernan-takes-aim-at-moronic-do-underwriting
  2. Law.com
  3. https://www.weforum.org/agenda/2022/03/three-reasons-why-cybersecurity-is-a-critical-component-of-esg/

 

