Axio’s VP of Insurance, Peter Hawley, shares the latest trends and insights on cyber insurance. With 20 years in the market and a focus on cyber insurance for the better part of the past decade, Hawley has seen the industry and threat landscape change dramatically. Here, he covers some cyber insurance basics for anyone who is exploring purchasing a policy for their organization.
Occasionally in life, we all fall into the trap of forgetting that the rest of the world doesn’t necessarily share our viewpoint or obsess quite so intensely over the things we do ourselves. Proof of this has been found regularly in my own LinkedIn feed, where rarely a week goes by without some clickbait-filled headline (often from publications who should know better) implying that “insurance” has got “cyber” all wrong. Two words, encompassing many different things to so very many more people, and launched onto the internet often without even putting a fact-checking call into the organizations they are referencing… what could go wrong?
Cyber-attacks from 2021 and 2022 have caused cyber insurers to rethink and restructure how they operate. Increased claims from ransomware attacks have made the insurance business less profitable. We’ve already seen a direct response: increased premiums, more stringent application requirements, certain clients not getting renewed, and even some insurers leaving the marketplace altogether. Yet the demand for cyber policies remains high, as they often complete an organization’s risk management strategy to help reduce exposure to business-crippling cyber-attacks.
“But, Hawley,” cry the captains of industry, the CFOs, and the risk managers from around the globe (possibly, no citation currently available), “accepting the position that court cases around insurance policies and cyber incidents related to property insurance policies and not cyber insurance policies, and putting aside the War Exclusion chat and the apparent existence of something you have casually mentioned called an Infrastructure Exclusion – what’s to be done?” Well, yes, the lawsuits brought by Merck and Mondelēz are regularly referenced as “failings” of cyber insurance without noting that neither dispute related to a cyber insurance policy – and whilst those of us heavily embedded in the cyber insurance world are very aware of this, we occasionally forget that, to many of our fellow humans, the concept of insurance extends as far as the brief moments each year we give consideration to purchasing cover for our homes, vehicles, health, and lives. Insurance: a product you buy with the express desire to never actually use – no wonder people often spend as little time as possible thinking about it.
Naturally, following the rate rises of the past few years (driven partly by the efficacy of cyber insurance policies paying out on claims) and the current economic environment the world finds itself in, the hunt is on for the best pricing. But as we know, cheaper doesn’t always mean better. Therefore, quantifying an entity’s cyber risk is key, as without this, it’s impossible to be certain that the insurance is sufficiently aligned with the needs of the business. Having a full understanding of the exposures and the existing tolerances already within the business will greatly assist in establishing where an organization needs support and to what level.
At Axio, we work with our partners to help establish this by conducting assessments aligned with numerous cybersecurity frameworks and identifying which threats will potentially cause the greatest issues. From here, we work to identify solutions and map how various steps can directly improve an organization’s specific risk posture.
This is an important factor when comparing rates, as it helps a business understand any potential trade-offs between rates and coverage. Nobody wants to pay for something they don’t need, but equally being equipped to engage an insurer with useful information to illustrate good risk awareness and maturity is important in gaining the confidence of the underwriter that your business is one they want to support and help grow (a core reason insurance exists in the first place).
From niche, to challenger, to everywhere
Cyber insurance is “the” business insurance for anyone conducting business where connectivity is a key part of success. Any organization that depends on IT infrastructure to create cash flow or conduct business should look to cyber insurance as a key part of a risk management strategy that, should the worst happen, will help the entity deal with the incident at the time and recover to still be operational into the future.
Buyers should ensure they review any cyber coverages within general insurance policies and be certain they are getting the covers they think they are. By their nature of being dedicated to cyber risk, standalone cyber insurance products tend to be more comprehensive in this regard. Therefore, decision-makers should look for certainty in advance of calling on the product in the event of an incident. At Axio, we work with our partners to identify where coverages exist, and equally importantly where they don’t, across their insurance purchases as a whole and thereby can help extract the available insurance no matter which individual policy it resides within – helping demonstrate true value in each dollar spent.
Shopping for cyber insurance
There’s no single “best” way to shop for cyber insurance. If an organization’s decision-makers are confident of the terms and coverages contained within the insurance policies on offer, then going directly to an insurer may be the best option. However, the language in cyber insurance policies is not common across the market, and therefore getting a full overview of the market can be difficult without an investment of time and energy to investigate what is available from the many different providers now operating in the space.
This is where working with specialist cyber insurance brokers can be very useful, as they should have already put in the legwork to be able to advise on which carriers are offering the coverages requested by the business. The cyber insurance market is fast-paced, which is vital given the constantly emerging threats faced by businesses, and so the specialists that insurance brokers and carriers can bring to the table in providing that insight can be vital when purchasing appropriate coverage.
It is important to keep in mind that brokers are not necessarily cyber security experts but insurance experts, so they will align the business needs presented to them with products available in the market – meaning it is crucial for businesses to convey those needs clearly to their broker to ensure alignment.
It’s in the details
It’s important that the coverages meet the business requirements of the entity. For example, if an organization gathers sensitive data on many individuals, then a sizable exposure may exist from a privacy liability perspective. Alternatively, perhaps the organization is operating a just-in-time (JIT) model or within a 24/7 retail environment where downtime directly impacts the bottom line of their finances, and therefore more attention to business interruption coverages, limits, and retentions may be appropriate.
Many current cyber insurance products offer a wealth of other coverages, for example, for reputation impact risks, social engineering, and ransomware losses, as well as legal support and crisis management specialists as part of incident response services. Access to high-quality services such as these can have a major impact on the quality of response should the insurance policy be called upon. Many leading providers will include pre-incident risk management services to help an insured avoid even having a loss in the first place.
Avoiding the pitfalls
Simply put, for many organizations, not having full oversight of their cyber risk and not taking steps to put relevant preventative measures in place before starting to shop around for cyber insurance can make a big difference in the terms offered. Following the past few years of significant losses from cyber incidents, insurers are looking for customers who can demonstrate this risk maturity and are not seeking insurance as a means to replace good cyber risk hygiene.
The good news is that the ability to demonstrate this to insurance carriers can be achieved by communication between internal stakeholders, with IT security teams liaising with legal and risk departments, and articulating this in ways that help insurers find comfort in the steps taken. Even for businesses that don’t have dedicated teams for many of these processes, demonstrating how they address risk throughout the entity from top to bottom and back up again is a powerful message to be able to convey. Scenario-based stress testing and insurance portfolio management are two key measures that we at Axio work with our partners on, not only to help risk managers evidence the work they have done but to also communicate this to the C-suite or board and ultimately to the insurance market to help make insurance purchasing as smooth as possible.
Dynamic risks lead to dynamic marketplaces, and none is more active than cyber insurance. The questions insurance carriers pose to businesses, and the expectations they have of them, will move with the threat vectors, and engaging at the same speed as these various factors is vital to presenting the best image of your organization’s risk maturity. Insurance policies are focused on making a policyholder whole again, and being able to communicate your risk to your insurer is a core component of this – and Axio is here to help businesses lead those conversations.
For anyone looking to learn more about how cybersecurity insurance fits into their cybersecurity strategy, we welcome you to schedule a brief conversation with one of our insurance experts. The Axio360 platform helps you rapidly pinpoint your critical risks and determine if you have enough coverage in your insurance portfolio. See how you can make cybersecurity insurance an integral part of your cyber protection strategy.