This article summarizes our most recent panel discussion on the cyber insurance market 2023. You can find a full recording of the panel discussion here. Simply enter your details and receive a link and passcode via email.
Inconsistent evolving and progressing. Harrowing, turbulent, and transformational. Crucial, evolving and maturing. Stabilized. These are some of the words which our panelists used to describe the past 12 months in the cyber insurance industry as we opened our annual panel discussion on the state of the market.
How is cyber accumulation risk being considered by underwriters at the moment?
We kicked off by discussing the evolving issue of systemic risk, with Yosha Delong sharing her insights. She argued that the industry is not lacking data to manage accumulation risk, but rather, that a lack of structured data and a common taxonomy is a critical issue for 2023. The challenge of managing and underwriting for systemic risk is even greater for reinsurers, as they need to compile different portfolios with varying data and terminology.
Yosha detailed key considerations for building a portfolio that minimizes accumulation risk exposure:
Diversification: this is effective for reducing reliance on a single service provider, technology, supplier, or vendor. This can be achieved by diversifying the kinds of risks insured against, locations, and industries. Taking these small steps can result in a decrease in over-reliance on any one particular entity.
Implementing minimum controls: this is a crucial aspect of managing accumulation risk as it could effectively minimize the impact of an event and prevent business downtime. By layering these controls on top of a strong portfolio management strategy, the accumulation risks can be significantly reduced.
Consider regulatory exposure: The topic of accumulation risk is not limited to just malware and ransomware attacks, but also includes privacy concerns. With recent developments in regulations around privacy, there is a growing concern among industry experts about the potential for large-scale events related to privacy breaches. While the industry is still figuring out how to handle these types of risks and properly underwrite them, it is possible to mitigate them by focusing on monitoring the technology used in portfolio management and implementing various security measures, such as regular patching and robust backup systems. The shift towards an “inside-out” portfolio view is expected to help underwriters create a more sustainable and secure product for the future.
What can be done from an Incident Response (‘IR’) perspective to curb systemic risk in the cyber insurance market 2023?
Anthony Hess shared his insights on the role of IR in tackling this year’s emerging risks.
He placed emphasis on the importance of having a good incident response plan – one that is fast, high quality and accurate – for reducing the impact of a single incident by getting systems back up and running before large scale business interruption is felt, thus reducing systemic risk overall.
There are also ways to reduce the actual losses in the event of an incident. For example, by quickly identifying and closing off vulnerabilities, the impact of a supply chain breach can be minimized.
It’s also important to consider the claims aspect of incident response; having sufficient incident response provisions is just as important as preparing for any other cyber incident through freeing up capacity. He drew on the NotPetya incident to illustrate the importance of planning for large-scale events – in this incident, some insurers found that they were unable to cover a client without causing concern about the impact on other, connected clients.
What is the role of the cyber policy broker in the cyber insurance market 2023?
The focus then shifted to the central “link” in the cyber policy supply chain, with Neel Desai revealing the key challenges that brokers faced in 2022. Neel reported that, in the first half of 2022, brokers faced the daunting task of delivering bad news to clients in regards to their cyber insurance coverage. Clients were facing triple digit rate increases, coverage restrictions, and reduced benefits in the event of a claim. The broker’s role was to educate clients on the areas of their cybersecurity posture that needed improvement in order to get a better insurance product. This was particularly challenging for the middle market and small businesses with limited budgets.
Now, as the cyber insurance market enters 2023, Neel feels that the role of the broker has become more about managing client expectations. Brokers are still battling with wide discrepancies between what is considered a good risk in terms of insurance renewal (information is still lacking, for example, on assessing MFA, EDR and backup resiliency), but they also need to balance the need to make insurance markets comfortable with the risks they bring to them with the need to inform clients about the current state of the market and what is being requested. Part of this could be resolved with better standardization and communication of important information ahead of time, avoiding the need for follow-ups.
He called on brokers to aggregate the varying information floating around the cyber insurance market in 2023 and presenting it in a more unified manner. Brokers need to be careful not to over-promise and under-deliver, as one widespread systemic event could shift the market back to where it was a year ago.
What role could regulators play to bridge the communication gap along the policy value chain, without damaging healthy market competition?
Judy Selby discussed the importance of policy language standardization for underwriting consistency. However, she pointed out that there is still debate about the best approach for standardizing policy language, especially in the US, and that this task is perhaps easier said than done – the difficulties in creating a standard for war exclusion clauses in the insurance industry has served to exemplify this issue.
She highlighted the importance of considering the size and type of the business being insured when underwriting. For example, a highly regulated industry may have more control over managing a security event, while a less sophisticated company may need more support from the insurance company. This will affect the pricing of the policy and the underwriting process.
She also acknowledged the challenges of underwriting for regulatory actions and data breach claims, as the level of subjectivity can make it difficult to determine the potential exposure. There are various proposed fines and claims emerging, prompting each company to consider its own approach to these challenges. The impact on different insurance agreements and the resolution of disputes, such as business interruption, are also important and evolving considerations.
How close is the cyber insurance industry to getting a handle on systemic risk?
The insurance industry has seen a surge in efforts to understand and manage systemic risk over the past two to three years, said Yosha. This has been driven by both reinsurance companies and internal insurance company management. The need for deeper analysis and more structured data collection has resulted in increased face-to-face meetings between underwriters and insureds, leading to a wealth of information about a client’s operations and technology dependencies. With this information, the industry is now able to structure the data and understand the potential impact of large-scale events on their portfolio and the market as a whole.
What impact, if any, has the Russian-Ukrainian War had on the type, frequency and severity of incidents in 2022? Will this continue into 2023?
Anthony and Judy made the following key points:
- Primary cyber threats have remained relatively static with the two major areas of concern being ransomware and Business Email Compromise (BEC). BEC attacks, in particular, have grown in complexity and sophistication.
- Common challenges faced in cyber insurance claims include business interruption and ransom demands, which require clear and effective communication between insurers and clients.
- The decline in the financial impact of ransomware was due to various factors such as the war against Ukraine, stricter underwriting standards, and law enforcement activity.
- Cyber insurance claims have become more contentious and challenging, with some issues arising from insured parties not following policy requirements. For that reason, brokers have a responsibility to ensure their clients understand policy requirements and work with insurers to establish efficient procedures for handling claims. Insurers should reserve their rights, update clients regularly, and communicate effectively to ensure a smooth claims process for their clients.
You can watch the full, 1-hour panel discussion here, which included an engaging Q&A session which has not been summarized in this article.
