Originally appeared in Professional Security Magazine Online on 3rd June
Organisations need to look at fast, accurate, efficient pricing and risk assessment for cyber insurance policies, writes AJ Thompson, CCO of the IT and data services consultancy Northdoor plc.
In the digital economy, companies can create automated connections with partners and customers to reduce friction and costs in the supply chain. However, increased interconnectivity contributes to a major new type of commercial risk: cybercrime.
As early as 2015, Lloyd’s of London estimated the annual cost of cybercrime to be $400 billion, representing an enormous opportunity for insurers. Allianz believes that cyber insurance premiums have the potential to reach US$20 billion by 2025. Meanwhile, Accenture estimates that just four per cent of the information-security budget is spent on cyber insurance. This apparent under-insurance is reflected in rapid premium growth: 75 per cent of companies now buy cyber insurance, up from 35 per cent in 2011, with the largest year-on-year increase seen in 2017-2018.
The opportunity for insurance firms is not limited by industry or company size: all organisations are potentially at risk. In many cases, attacks are automated and therefore relatively indiscriminate. As more business processes are digitised, the potential attack surface will increase, and cybercrime is likely to become more prevalent.
Small and medium businesses (SMBs) are particularly exposed, because they tend to lack the IT security organisation and financial resources of their larger peers. Their data is by no means less valuable or sensitive: the SMB sector includes huge numbers of law firms, accounting firms, financial advisors and medical practices that are subject to the most stringent standards in data protection.
When working with large enterprises, insurers can take time to compile comprehensive information on security posture. These clients are motivated by having the right level of protection in place and are less price- and time-sensitive than their smaller counterparts. By contrast, SMBs are often motivated by the need to comply with their customers’ procurement policies – 42% of companies invest in cyber insurance primarily to meet third-party requirements. As a result, SMBs are likely to choose the insurer that can offer a low price fastest while asking for the least information about their security systems and policies.
In a highly competitive market in which SMBs constitute 90 per cent of first-time buyers, the need to price policies at high speed creates significant challenges and risks for insurers, given the difficulty of sourcing reliable security posture information from these clients.
As companies embrace digital ways of working and become more interconnected, their risk of falling victim to cybercrime increases significantly. For the insurance industry, this raises the spectre of large network effects: cyber-attacks often exploit vulnerabilities in software or hardware that are almost universally present in companies, so a single vulnerability can trigger losses across many policyholders at once.
Given this potential systemic risk and taking into account the relative lack of IT security expertise and resources in SMBs, insurers face significant challenges in pricing and in understanding their ongoing exposure. Currently, 30pc of brokers report inconsistency in pricing, and 75pc of brokers and underwriters believe that client organisations lack a clear view of their own exposure – such that the aggregated exposure for the insurers is even harder to measure.
Insurers that have already entered the cyber market need to keep adapting to the changing threat: unlike many conventional perils, cybercrime is continuously evolving. Many other insurers are yet to take the plunge – attracted by the prospect of a new source of premiums, but unsure of the best way to understand the new exposure they will take on as a result. In a nutshell, if you cannot underwrite risk quickly and cost-effectively, competitors may beat you to the punch. But at the same time, you need to be highly disciplined in how you assess and underwrite cyber risk, given the potential for ruinous exposure to widespread simultaneous attacks.
To address the challenge, forward-thinking underwriters are replacing manual risk-assessment processes and questionnaires with smarter automated approaches to get better and faster risk insight at the point of pricing or renewal of policies. As clients become aware that better terms and pricing can be accessed if they provide more detailed information on their security posture, they will be increasingly eager to work with underwriters to enable ongoing technology-driven risk assessment.
The questionnaires used during the quotation and underwriting process today are typically lightweight and present only a static, one-off snapshot of what is, in reality, a highly dynamic risk landscape in which new threats are constantly emerging. Completing and analysing questionnaires are laborious manual processes for both clients and underwriters, and current approaches typically do not allow for independent third-party validation. Most importantly, questionnaires have no ability to assess the systemic risk inherent in each client’s supply chain and across their connected partners and suppliers.
In general terms, the insurance industry has zero visibility into the complex web of third-, fourth- and fifth-party (and so on) risk. This includes both the aggregated risk from partners of partners or customers of customers, and common-party risk: when multiple insured parties all work with a single partner. For example, if a major software company or cloud provider announces a vulnerability, this is likely to impact multiple policyholders either directly or indirectly.
Without clear visibility into the constantly changing network of suppliers, partners and customers associated with each potential policyholder, it is enormously challenging for underwriters to price risk accurately. Moreover, current manual approaches to gathering information are too slow and unwieldy to meet the needs of the burgeoning SMB market, leaving traditional underwriters exposed to competitive pressure from insurance-tech start-ups.
Moving to a technology-led approach will help not only in the initial pricing process, but also in the ongoing management of risk for both the insurer and the policyholder. Prevention is always better than cure, and the ability for both parties to maintain a dynamic view of their exposure to cyber risk will pay huge dividends in terms of avoiding the need for claims. The potential for a major breach to completely halt a business in its tracks – let alone expose it to hefty regulatory fines – means that companies cannot afford simply to rely on the (necessarily limited) financial cover provided by a cyber insurance policy. As a result, insurers have the opportunity to sell not only coverage but also a service that helps policyholders to actively minimise their exposure on an ongoing basis – to the natural benefit of both parties.
As cybercrime presents a constantly evolving threat, constant monitoring of the changing security posture is vital throughout the policy lifecycle. Insurers therefore need to introduce continuous real-time risk analysis and share the results with policyholders. This is driving a new trend in the market, whereby underwriters are partnering with cyber security providers to create comprehensive offerings that combine financial protection with tools for preventing security breaches and other cybercrimes.
By investing in a solution that constantly measures the security maturity level of policyholders, also encompassing the multi-dimensional risk across their supply chains, insurers can significantly improve their assessment of aggregate portfolio risk. In addition to helping underwriters provide rapid, accurate and consistent pricing quotations – particularly valuable in securing SMB business – detailed ongoing risk assessments allow insurers to build closer relationships with policyholders rather than only being in contact at renewal time. Intelligence on the evolving aggregate risk across the cyber book of business will also enable insurers to adjust their own risk management posture as required, for example by transferring risk through additional reinsurance.
Automating the manual, questionnaire-based approach to risk assessment will not only accelerate and simplify the process on both sides; it will also make it much easier for insurers to maintain visibility of aggregate and common-party risks across their entire book of business. If and when a new threat emerges – for example, malware that impacts a particular version of an application, or a vulnerability on a particular cloud service – insurers using a real-time risk assessment tool will immediately see which policyholders are directly or indirectly impacted. And because policyholders will also immediately be aware of the risk, whether in their own systems or those of partners and customers, the likelihood of disruption and corresponding claims should be diminished.
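The nth-party and common-party exposure described above, and the "which policyholders are impacted when a vendor announces a vulnerability" lookup, can be expressed as a simple dependency graph walk. The following is an added illustration, not code from the article or from Northdoor; the portfolio, vendor names and policyholder names are constructed, and the hop distance (1 = third-party, 2 = fourth-party, and so on) is an assumed way of labelling how indirect the exposure is.

```python
from collections import deque

# Constructed sample portfolio (fictional names): each party -> the suppliers it depends on.
# Policyholders depend on vendors; vendors may themselves depend on other vendors
# (fourth-party and beyond).
DEPENDENCIES = {
    "policyholder_A": {"cloud_x", "law_firm_p"},
    "policyholder_B": {"cloud_x", "saas_y"},
    "policyholder_C": {"saas_y"},
    "policyholder_D": {"accountant_q"},
    "saas_y": {"cloud_x"},        # the SaaS vendor runs on cloud_x
    "law_firm_p": {"saas_y"},     # the law firm uses the SaaS vendor
    "accountant_q": set(),
    "cloud_x": set(),
}
POLICYHOLDERS = {"policyholder_A", "policyholder_B", "policyholder_C", "policyholder_D"}


def dependants_of(graph):
    """Invert the graph: supplier -> set of parties that depend directly on it."""
    rev = {node: set() for node in graph}
    for party, suppliers in graph.items():
        for supplier in suppliers:
            rev.setdefault(supplier, set()).add(party)
    return rev


def impacted_policyholders(graph, policyholders, affected_vendor):
    """Breadth-first walk from the affected vendor towards the parties that depend on it.
    Returns {policyholder: hop_distance}; distance 1 is direct (third-party) exposure,
    2 is fourth-party exposure, etc. Shortest path wins when several routes exist."""
    rev = dependants_of(graph)
    dist = {affected_vendor: 0}
    queue = deque([affected_vendor])
    while queue:
        node = queue.popleft()
        for dependant in rev.get(node, ()):
            if dependant not in dist:
                dist[dependant] = dist[node] + 1
                queue.append(dependant)
    return {p: d for p, d in dist.items() if p in policyholders}


def common_party_exposure(graph, policyholders, min_policyholders=2):
    """Vendors on which at least min_policyholders policyholders depend, directly or
    indirectly: the concentration points an insurer's aggregate-risk view must track."""
    vendors = set(graph) - set(policyholders)
    counts = {v: len(impacted_policyholders(graph, policyholders, v)) for v in vendors}
    return {v: n for v, n in counts.items() if n >= min_policyholders}
```

Running `impacted_policyholders(DEPENDENCIES, POLICYHOLDERS, "cloud_x")` on the constructed portfolio flags three of the four policyholders, one of them only through two intermediaries, which is exactly the exposure a questionnaire asking "which cloud provider do you use?" would miss.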
Organisations need to look at rolling out an automated, centralised solution for generating and maintaining 360-degree cyber risk ratings, using AI to map each enterprise’s security posture and discover connected parties in the broader ecosystem. Intuitive dashboards provide detailed information on the constantly evolving risk, and the top-level score can be supplemented with more detailed information gathered through an automated workflow and scoring for digital questionnaires, helping organisations to better tackle cyber-attacks if and when they arise.