Don’t Get Too Comfortable — The Cyber Rollercoaster Ride Isn’t Over: PLUS Conference
Jeremy Gittler, practice leader and head of Cyber Americas at AXA XL, thinks of the cyber insurance industry as a rollercoaster. He says that after several years of turbulence with the advent of more sophisticated ransomware, the market is slowly inching back up, but that doesn’t mean insurers should let their guards down.
“It’s kind of been a wild ride or a swingy pendulum. So, if you think of it as a ride, I kind of think of a rollercoaster,” he said. “Everyone’s started feeling more comfortable with [cyber], and so at this point, now you have this huge influx into the market of capacity … Everyone’s kind of getting happy about it again. What I’ve seen though recently — and I find this a little concerning — is perhaps a little cockiness involved in that everyone wants to grow their book, but are they underwriting the way they were a year-and-a-half ago?”
He urged underwriters to remain bullish on cyber but to move forward with caution.
“We can’t be in a situation where we’re literally assuming everything is going to be fine,” he said. “This is not over with. It’s not.”
Gittler was speaking on a panel of experts at the 2023 PLUS Cyber Symposium held in New York City. Experts agreed that one reason cyber risk has been so difficult for insurers to manage is the amount of uncertainty in the space.
“The widespread events are definitely real … but the extent to which they can happen and the extent of damage that they might cause is really an unknown,” said Jason Glasgow, cyber lead at Allied World, noting that this uncertainty is more pronounced in cyber than any other line. “And it’s really hard to price your capacity based on that uncertainty.”
Although it’s likely impossible to eliminate all uncertainty from the cyber market, if underwriters focus on becoming experts in the field, they can arm themselves with as much data and knowledge as possible to continue covering and pricing for exposures rather than eliminating coverage, he said.
“I think that you cover what you should cover, and you price for that exposure the way you know how rather than taking coverage out because you’re uncertain about it,” he said. “I think we need more data in terms of modeling, and more expertise. You want the decision-makers on this to be true experts in the field.”
Partnerships and Risk Mitigation
Liz Geary, president of insurance solutions at Liberty Mutual, said much of this learning can come from better partnerships between insurers and their insureds.
“There is truly a partnership to work on risk mitigation together, and I think that does make the risk better,” she said. “And it makes us more comfortable with the risk.”
She added that the client and insurer relationship is changing as client requests continue to expand, moving beyond risk transfer to requiring much more of insurers.
“I think that the amount of work that we do for them has really increased pretty considerably,” she said. “It’s a very dynamic risk environment, so you’re only as good as your current intel, and you have to constantly change and constantly have this feedback with your clients to ensure that they are taking on a lot of your suggestions.”
Glasgow agreed, adding that a continuous dialogue between insurers and insureds is imperative in a changing risk environment.
“There needs to be that back and forth because, particularly in the SME (small and medium enterprise) space, maybe in the middle market …applicants want that relationship with their insurer,” he said. “They really need that relationship.”
He said this means carriers will need to partner with insureds on all parts of the insurance contract, from risk management services to servicing claims, as well as suggesting vendors or tools to get them up to speed on their cybersecurity.
“Of course, you have the insurance contract itself helping to pay for issues that arise,” he said. “Companies need to see that’s the partnership that you’re looking for, so it’s not just about, ‘Am I buying an insurance policy for $30,000?’ It’s, ‘Am I getting a partner for $30,000?'”
Gittler said all of this will help with remediation and recovery as cyber attacks become more frequent, especially in light of the growing severity of ransomware.
“We know companies are going to get hit. The question is how quickly are you back up and running,” he said. “And that’s the reason why ransomware was so problematic, because even if you paid the ransom, it could still be a week or two before you’re back up and running, or more.”
If ransoms go unpaid, the recovery time could be even longer and add to the cost of business interruption, as well as data recovery, forensics, legal and, ultimately, the ransom payment itself. The solution, he said, is for both insurers and insureds to stay vigilant with underwriting and cybersecurity controls.
“As long as companies continue to do that, and there’s a marrying of solid underwriting and solid controls by our insureds, I think we’re in a great spot,” he said.
Asking the Right Questions
Geary said that to sustain this partnership, it’s important for underwriters to ask even more specific questions of their insureds. This will allow insurers to gain a sense of clients’ business interruption impact if an incident does occur.
“I foresee a situation where underwriters could ask the clients, ‘Okay, who are those providers that you’re most reliant on? And what would the business interruption impact be if there were an incident?'” she said. “We don’t ask those kind of questions now, and I think that if we were to do that, then we would be better able to understand the implication of a disruption.”
Geary added that it’s not enough to ask clients who their cybersecurity providers are, but underwriters will need to dig into the specific impact to a client’s business, including to third-party vendors, in the event of a cyber incident.
“I think we ask a lot of the modeling companies with not a lot of information, and so I think that’s another way to think about it. Let’s be really specific with what types of providers you need coverage for,” she said. “I think that underwriting could be there. It’s not right now.”
Despite some needed cyber underwriting improvements, according to panelists, the market is attracting new buyers. Glasgow said some of this can be attributed to the increased insurer and client partnerships that are already occurring. “Even in the hardest part of the cyber market during the last few years, there was still demand for new buyers, and there will be more new buyers coming into the market,” he said. “There is a limit as to what people will pay [for cyber coverage], and we’ve seen some of that on the upper scale, but I think that partnership and providing the services that we continue to do will add new buyers in the market.”