Cyber-attacks continue unabated, including the resurgence of ransomware across a plethora of industry segments, picking off the most vulnerable and exposed; threat actors continue to be successful due to continued enterprise vulnerabilities. The recent spate of cyber attacks on the Healthcare industry and the perilous quest for cybersecurity funding, particularly in the US, need no introduction, with United Health and Change Healthcare dominating the headlines.
We see lots of headlines around the impact to customers and, in the case of healthcare, the social impact to patients, the impact to the business and, in many cases, the seemingly inevitable class action that follows. But what about Cyber insurance?
Despite the dynamic risk of Cyber and the resultant insurance risk profile, in many ways the fundamentals of underwriting and portfolio management are very similar to those of more mature classes of business such as Property, Energy, Casualty or Marine.
Insurers routinely use past data as a proxy for anticipating future risk and performance. Actuaries will determine capital provisioning based upon years of data and, in turn, solvency ratios (the insurer’s ability to pay); capital requirements will be determined by such modelling as part of a mixed portfolio. Determining future profitability allows insurers to allocate capital, and capital requirements and return on capital drive the insurer’s appetite to write a class of business – put simply, what’s my expected rate of return?
The challenge with a dynamic, less mature class of business like Cyber is that insurers don’t have hundreds of years or even decades of past claims data, and of course, not all cyber events are insured, which in turn makes the [loss] data even more finite.
This in turn leads to assumptions. Insurers not utilizing Axio proprietary cyber risk engineering insights have to make assumptions based on a rearview-mirror approach, which naturally lends itself to a more cautious approach. In the absence of hard data insights, insurers have to add an uncertainty load factor in their capital provisioning and pricing.
Chief Underwriting Officers will typically take a portfolio approach when assessing class of business performance, a portfolio which of course consists of the component individual risks; this can lead to a broad-brush approach to underwriting remediation strategy, particularly when it comes to rectification of poorly performing risks.
When we consider US Healthcare, it’s perhaps the worst-kept secret in the Cyber underwriting world that this sector is high risk and undesirable to many carriers. When we consider those insurers that are not using Axio Cyber Risk Engineering, one can quickly see how poor claims performance and limited, backward-looking data, coupled with nervousness about the sector (based on past performance), can quickly amplify to punitive renewal terms (if offered at all). With limited markets, clients and brokers have little choice, and sometimes the insurance terms offered might simply seem too expensive.
But there is an alternative. To break away from the pack and not be lumped into a ‘high risk, poor risk-managed bunch’, Axio subscribers can demonstrate their cyber resilience, robust control mechanisms and, most importantly, expected loss value through cyber risk quantification. These forward-looking insights can empower clients in a number of ways:
- Demonstrable [favorable] risk profiling – “I can demonstrate I am in the top right quartile”
- Meaningful loss quantification expectation – “My expected loss is $X as modelled through individual scenario events”
- Ongoing investment in loss control improvement programme – “I continue to invest in improving my risk as shown in my ongoing posture improvement”
- Resultant loss expectation reduction – “Through my investment in engineered loss reduction, my loss expectancy has reduced/will reduce by $X”
- Ability to craft Cyber insurance program design based around individual risk profiling and loss expectancy, including determining self-insured retentions and/or captive risk transfer – “Despite a difficult Cyber insurance market for my sector, I have options”
Having little to no Cyber Risk Engineering data leads to limited risk transfer options (if any at all); sometimes this can feel like being held to ransom by the insurance market with nowhere to turn, although in reality this is just a circumstance of the underwriting process. Another way to think about it is that underwriters are assessing whether the investment is sound: should I put my capacity and capital into client A rather than client B? Which one gives me the best return for my shareholders?
Axio helps you avoid this situation and, in our experience, those customers that use the Axio360 proprietary SaaS platform secure better insurance outcomes. We have had clients that start as uninsurable, move to insurable by using Axio360 and then, at renewal, as a result of continued risk profile improvement as demonstrated through the Axio platform, achieve improved terms and conditions.
Doesn’t it feel good to have Cyber Insurance options?