The dramatic hardening of the cyber insurance market over the past two years is growing even more costly in 2022. Ever stronger data on losses keeps coming in, and all too often results in denial of coverage or dramatically increased costs. A recent Wall Street Journal article stated that direct-written cyber premiums grew by 92% year-over-year as a result of losses that dwarf other coverages. Experts suggest that many policies will not be renewed, and agencies should prepare for renewals 6 months in advance. In practice, agencies are seeing as many as 60% of cyber policies not being renewed at a time when cyber coverage and a strong risk profile are becoming as important as a strong credit report or D&B. Clients are having to demonstrate cybersecurity maturity and prove basic resilience to technology threats, or face uninsurability.
Status Quo: A Losing Strategy
Despite these painful realities, it remains common practice among the majority of insurance agents to handle renewals the same way year after year: populate numerous market applications, market broadly, resubmit supplements for ransomware and more, and navigate client shock and awe at the limited appetites of insurers and the astronomical prices, all while presenting your insureds with more homework to solve the problem. This approach is failing to create positive results. It puts your insureds on a course of endless back and forth with underwriters, produces record declinations, and invites astronomical premium increases with reduced terms.
What Can I Do to Change This?
There is plenty you can do if you're willing to attack this problem from a different perspective. In a sense, the approach described above is simply a reactive process, which puts much of the control and power in the insurance carrier's hands. If you want to change this outcome, you must fundamentally drive the process through a more proactive approach, one that puts you and your client in a better position to determine the path forward and generates the most options.
What exactly does Proactive Cyber mean?
Flipping the script towards a proactive approach means doing this a bit differently and can sometimes require using skills differently. Here are some examples of techniques to drive a proactive process.
- Field Underwriting: This consists of finding better ways to evaluate the true nature and most likely forms of risk a client faces. This can be industry specific, or be tied directly to a business process, or both. For example, a real estate developer may have fundamental exposure to ransomware and phishing threats, as many businesses commonly do. However, because they manage many projects and have millions of dollars at a given time being exchanged through payments, wires, etc., they may have a heightened exposure to EFT Fraud. Are they aware of this? What are they doing to protect themselves? Do they have a known, documented process to avoid this risk, and are they using it regularly in practice? Learning about and knowing how your client runs their daily business can help identify these things. How they protect themselves will dramatically impact the insurability of your client.
- Loss Control: Many insurance agents do a thorough job with proactive loss control in many lines of coverage but fail to provide the same diligence in technology-oriented risks. Here where I live in the coastal Southeast, we have a higher-than-normal risk of flood damage. It's fairly typical when applying for coverage for insurance agencies to send experts to inspect the property, survey areas of vulnerability to address specific risks, and make recommendations for remediation and coverage. They may order updates to maps, quote any remediation work required, orchestrate the professionals to perform it, validate its completion, update the data and market coverage. The same process needs to take place in technology-oriented risk management, and there are many partners available to agencies to help them with this.
- Stronger Submissions: Marketing an account for cyber coverage without addressing some of these areas is a little like turning in homework without showing your math. It fails to inspire confidence or convey the reliability required to get results. Instead, your submissions should reflect some form of risk analysis and identification. They should describe where risk remediation is in place, underway or even planned. They should communicate what form of cyber hygiene is in place and offer some form of reliable validation. This can be in the form of a cyber awareness training curriculum list, examples of phishing exercises, tools used for regular data backups and more. These submissions should also include an instructive cover letter for underwriting that specifies the coverages sought and the limits desired, and they should be submitted to the markets with the appetites for the particular risk being submitted. Any documentation of the cyber risk profile that may be generated by a technology firm, outsourced IT or MSP can be even more valuable.
After reviewing the above list, you may think you don't have time for all of this; there is no doubt that a greater time investment is required today to get your clients insured. However, you may be creating more work for yourself by not following these processes. This can damage your relationship with the insured and invite competitive threats.
Technology-oriented risks have quickly become more burdensome for insurance professionals and have increased the work for all involved. By flipping the script and doing things proactively, you can begin to transform cyber coverage from a burden to a powerful and profitable line of business for your firm.
Bill Haber is the co-founder of TEKRiSQ, INC. He has more than 25 years of commercial and operational leadership in enterprise software, digital health, medical device and network technology startups, and has led a specialty wholesale cyber insurance business. Bill has expertise in cloud-based software platforms, data products and network infrastructure solutions.