In the insurance sector, we have come to accept that there are several givens: people or companies exposed to more risk will find their premiums more expensive than those with much lower exposure; without making a claim, the insured can expect to renew in 12 months without too much difficulty; and, if their circumstances appear largely unchanged, that renewal premium will remain mainly in the same ballpark as last year’s.
Not so with cyber. Cyber risk is such a rapidly evolving marketplace that the usual rules don’t apply. Brokers are finding that their previously insured clients are facing mountains of admin to gain a renewal, and that those renewal premiums are dramatically higher than expected. In some worst-case scenarios, companies—even those with no previous claims activity—are being refused coverage altogether.
In an upcoming webinar on Tuesday 21st June at 3pm BST, titled “Hackers don’t have a renewal date”, KYND will be joined by leading carriers and brokers to discuss how to futureproof clients for successful cyber insurance in 2023. KYND’s chief executive, Andy Thomas, will be exploring insights on how to make sure clients are prepared to face emerging cyber threats, and discussing how underwriters and brokers can help their clients develop a year-round, best practice approach to cyber health.
Intelligent Insurer spoke to Thomas in advance of the webinar, to find out what attendees could expect to hear and get a flavour of some of the insights he will be sharing.
“Look at continuous risk management during the whole lifecycle, from having multifactor authentication to putting business continuity plans in place.” Andy Thomas, KYND
Why is now the time to be talking about futureproofing?
Everyone’s aware the cyber market has been through quite a big correction over the last 12 to 18 months. Because of increased claim severity and frequency, rates have been growing quite significantly. The reality is that it is not going to go away. A new level of scrutiny is being applied to organisations who want to secure or renew cyber insurance.
Now is the time to start thinking: how do I futureproof my clients for this “new normal” world? How do carriers and brokers genuinely help them improve their risk position and the processes and procedures they’ve put in place to make sure that, when they come to renew in 2023, it’s a lot easier than it’s been in 2022?
What regulations are on the horizon and what could that mean for carriers?
We deal with everyone in the insurance value chain and the level of regulatory scrutiny and change going on in the market is quite unprecedented. In the UK and Europe, for example, the implementation of data regulation is a lot more muscular than it has been in the past. In March 2022, a criminal defence firm was fined £98,000 for failing to secure sensitive court bundles that were published on the dark web in a ransomware attack.
It’s often not simply the fact that you’ve had a breach that is attracting the regulators’ attention. It’s the fact that companies are being scrutinised and found to be weak in certain areas. If you have particularly poor standards of cyber hygiene or practice, that’s what’s going to get the regulators very animated.
The picture is similar in the US where the Securities and Exchange Commission and the US government are both being a lot more prescriptive in what they’re asking companies to disclose. I called the approach “muscular”, but we should be thinking about it in terms of a front-foot, forward-thinking defensive approach.
The risk environment is changing rapidly. The standards expected of businesses are transformed from where they were two or three years ago.
Why is the current process no longer fit for purpose?
The challenges in gaining cyber insurance aren’t experienced only by certain sectors or sizes of organisation—it’s a widespread problem. A lot of the issues that companies face are the result of the hardening market. Not only are quotes becoming more expensive, they’re also increasingly difficult to obtain.
This has come as a bit of a shock, as previously quotes were easier to work out—the UK Financial Conduct Authority had its own calculations on how much it would cost for an organisation to recover from a cyber attack, allowing insurers to quickly generate a quote based on these numbers. Now the exact impact and damage of an attack is very complex to estimate and securing coverage can be challenging as a result.
Couple this complexity with the additional action required from the insureds themselves and you have the perfect storm brewing. Particularly you have the insured’s IT teams—who are very aware of the levels of security they should be implementing and the processes or governance that needs to be in place with staff, but who often say they simply haven’t had the time to make these changes because of the demands of everyday work.
Often there are complaints about the amount of information they are being asked to submit on cyber application forms—perhaps because they’re not as clear as they could be—but those questions are there for a reason. One of the benefits of coming through a cyber renewal or proposal process is that it should improve the client’s risk resilience.
What have been the renewal challenges so far?
Changes such as the 230 percent increase in ransomware attacks reported by Howden have led to an increase in the severity and amount of claims that insurers are having to deal with. It’s not surprising therefore that underwriters are now asking a greater number of questions, and a growing number report that they’re performing full risk analysis on organisations as part of the insurance assessment.
We’re seeing this full risk analysis predominantly take place 30 days or so from the policy expiry date—that’s too late. We must prepare clients far further ahead of renewal day so that if changes must be made, the customer has time to implement them to meet the standards required to be insurable.
What tips will attendees hear about in this webinar?
One of the tips is exactly that: start thinking about renewal now, not 30 days from policy expiry. Look at continuous risk management during the whole lifecycle, from having multifactor authentication to putting business continuity plans in place. This is a real value-add that brokers can offer their insureds. This should make the whole process a lot less painful.
The way things operate in the cyber market today is not sustainable. There’s so much friction in the process. As more companies want cyber cover, they can’t afford it to be a transactional, once-a-year thought. If you’re a better risk, you may pay less for it in the future.
What do you hope attendees will take away from this session?
We want everyone in the value chain to realise that the insurers’ clients need to be prepared now for the next renewal cycle. The way to do that is to engage proactively with clients to help them improve their risk profiles and readiness throughout the whole life of the policy. By doing that, you’re futureproofing them for the next renewal, and the one after that.
What can get lost in all of this is the needs of the end customer. Brokers and underwriters could discuss almost endlessly the implications of their clients not managing their cyber exposures properly, but ultimately what matters is engaging the client. That’s what solves this for everyone. By helping them improve, underwriting and brokerage both become faster, simpler tasks. It’s a real opportunity.
In a webinar on Tuesday 21st June at 3pm BST, titled “Hackers don’t have a renewal date”, KYND’s chief executive, Andy Thomas, will be joined by leading carriers and brokers to discuss how to futureproof clients for successful cyber insurance in 2023.